Assessing corporate culture at subsidiary level Richard Sheath 12 October 2016

ICSA Subsidiary Governance Conference


Page 1: ICSA Subsidiary Governance Conference

Assessing corporate culture at subsidiary level

Richard Sheath

12 October 2016

Page 2: ICSA Subsidiary Governance Conference

Culture: core questions for the Board (1)

WHERE DO WE WANT TO GET TO?

Is there a governance structure that supports oversight and

strategic leadership around culture?

Working out where we

need to get to

Looking at what we’re

doing as a board

1

Page 3: ICSA Subsidiary Governance Conference

Culture: core questions for the Board (2)

WHERE DO WE WANT TO GET TO?

Is there a governance structure that supports oversight and

strategic leadership around culture?

HOW CAN WE BE SURE IT IS COMING TOGETHER?

How do we build evidence so we can know we are where we need to be?

Working out where we

need to get to

Looking at what we’re

doing as a board

Assessing what management are doing to embed

the right behaviours

Building a picture of

behaviours

Looking into the

organisation

1

Page 4: ICSA Subsidiary Governance Conference

Culture: core questions for the Board

WHERE DO WE WANT TO GET TO?

Is there a governance structure that supports oversight and

strategic leadership around culture?

HOW CAN WE BE SURE IT IS COMING TOGETHER?

How do we build evidence so we can know we are where we need to be?

Working out where we

need to get to

Looking at what we’re

doing as a board

What do we want to

achieve and why?

What role do we need to

play?

How does this fit with

executive responsibilities?

What governance structure

needs to be in place?

How do we…

• currently exercise

oversight?

• provide leadership on

behaviours?

• discuss the strategic

imperatives &

implications?

• consider behaviour as

part of our decision-

making?

• communicate our

objectives and

concerns?

• assess behaviour roots

of

performance/problems?

What are the gaps: where

we are and want to get to?

Assessing what management are doing to embed

the right behaviours

Building a picture of

behaviours

Looking into the

organisation

How do we get a view of the executive approach/actions?

How do executives manage behaviours downwards?

How does our incentive approach align?

How can we see the way cultural diversity is tackled?

How do they see what people are doing day to day?

What is the process for tackling problems?

How do we know what’s

going on inside?

How do management give

the Board insight?

How is the behaviour angle

covered in reporting?

What is used to provide us

with assurance/evidence?

How do we assess the

risks?

How do we see/discuss the

known problems?

Thinking through what

surveys are covering

Getting a view of:

• how far expectations are

understood

• how people see/react to

day-to-day behaviours

• perceptions of manager

• messages/actions

• comparison of executive

& manager behaviours

• views on what needs

escalating and how

1

Page 5: ICSA Subsidiary Governance Conference

Extending out to subsidiary culture

WHERE DO WE WANT TO GET TO?

Is there a governance structure that supports oversight and

strategic leadership around culture?

HOW CAN WE BE SURE IT IS COMING TOGETHER?

How do we build evidence so we can know we are where we need to be?

STRATEGIC

The same questions apply…

… but the context is different

ORGANISATIONAL

How far do we want the same “culture”?

How far is the same culture achievable?

What are the risks?

How is the risk appetite being applied?

What is the environment?

What is the organisational context?

What is the group/subsidiary relationship?

How is control exerted?

How does governance oversight work?

How do information/messages flow?

2

Page 6: ICSA Subsidiary Governance Conference

Putting it in context

STRATEGIC

The Environment

The context is different…

ORGANISATIONAL

Group/Subsidiary

3

Page 7: ICSA Subsidiary Governance Conference

But then follow the same basic steps…

Reach a consensus on the need

4

Page 8: ICSA Subsidiary Governance Conference

Basic steps (2)

Make sure you know what you’re aiming at - for the Group and each subsidiary

5

Page 9: ICSA Subsidiary Governance Conference

Basic steps (3)

Recognise diversity – and work out how much you want

6

Page 10: ICSA Subsidiary Governance Conference

Basic steps (4)

Determine what style of leadership you expect to see at group and subsidiary levels

7

Page 11: ICSA Subsidiary Governance Conference

Basic steps (5)

You’ve limited reach and line of sight: so understand what management are doing

8

Page 12: ICSA Subsidiary Governance Conference

Basic steps (6)

Make sure executives and management are on board – at Group and subsidiary levels

9

Page 13: ICSA Subsidiary Governance Conference

Basic steps (7)

Think through the group relationships and how they are understood

10

Page 14: ICSA Subsidiary Governance Conference

Basic steps (8)

Think through the language and communication angles

11

Page 15: ICSA Subsidiary Governance Conference

Basic steps (9)

Work out how you are going to build the picture

12

Page 16: ICSA Subsidiary Governance Conference

And only then start assessing…

13

Page 17: ICSA Subsidiary Governance Conference

Get out there…

There’s no substitute for getting out there: site visits are a core source of insight and comfort

14

Page 18: ICSA Subsidiary Governance Conference

Use what you’ve got

PUTTING TOGETHER A PICTURE THROUGH A “CULTURE & BEHAVIOUR” LENS

EXTERNAL

INDICATORS

HR

REPORTING

CUSTOMERS

INTERNAL CONTROL

INDICATORS

STAFF

FEEDBACK

SUPPLIERS

INVESTORS

COMMUNITY

NPS

Net Promoter Score

COMPLAINTS

SOCIAL MEDIA

ABSENTEEISM

TURNOVER

EXIT INTERVIEWS

TRAINING

CONTRACT STAFF

MEDIA

WHISTLEBLOWING

COMPLIANCE BREACHES

AUDIT REPORTS

SAFETY

HEALTH

ENVIRONMENT

PUT TOGETHER…WHAT ARE THESE INDICATORS SUGGESTING?

MORALE & MOTIVATION

WHAT IS EXPECTED?

WHAT DO I SEE?

HOW WE TREAT PEOPLE?

TAKING RISKS

MAKING DECISIONS

What are the surveys

actually covering?

15

Page 19: ICSA Subsidiary Governance Conference

And apply it to subsidiaries in the same way…

…but…

• Put it in context

• Work out with management

how to distil the picture

• Understand how

management are using the

picture/indicators

• Link to the relative risks for

each subsidiary (financial,

regulatory, reputation…)

Build the same picture…

And when it comes to surveys…

• Watch the language and relevance

• Work out how you’re going to use the data

16

Page 20: ICSA Subsidiary Governance Conference

© Independent Audit Limited 2016

CONTACT:

Richard Sheath: +44 (0)20 7220 6583 | [email protected]

4 Bury Street | London | EC3A 5AW | +44 (0)20 7220 6580 | www.independentaudit.com

Registered in England number 4373559 Registered Office One Glass Wharf Bristol BS2 0ZX

Page 21: ICSA Subsidiary Governance Conference

Roseanna Rowett

Case study: Intertek Group plc

v1.0

Ida Woodger

12 October 2016

Page 22: ICSA Subsidiary Governance Conference

2

Our Heritage

1996: Inchcape

divests testing

business to

Charterhouse

Development Capital

1885: Caleb

Brett, cargo

certification

business

founded

1896: Lamp Testing

Bureau founded, later

renamed ETL

1973: Labtest

established in

Hong Kong,

initially

focussing on

textile testing

1900 2002

2015: PSI building

and construction

assurance

business acquired

2011: Moody

International

acquired

1925: SEMKO

electrical

safety testing

founded in

Sweden

1988: ETL

Testing

Laboratories

acquired

1984-87:

Caleb Brett

acquired

1992: Warnock

Hersey acquired

1994: SEMKO

acquired

1888: Milton

Hersey establishes

a chemical testing

laboratory in

Montreal, Quebec

1996-02

1970

Intertek Group plc

listed on the LSE

Intertek develops into an international testing business

through acquisition and organic growth

2002: Intertek

listed on the

London Stock

Exchange

2009: Intertek

enters the

FTSE 100

1987: “Inchcape Testing Services”

formed

Intertek’s pioneering founders

1911: Moody

International, Oil

and Gas testing

and certification

business

1880

1927: Charles

Warnock

Company

formed in

Montreal,

Canada to

inspect steel

products

1989: Intertek

enters China

Page 23: ICSA Subsidiary Governance Conference

3

What We Do

What We Do Everyday

Which Economic Sectors

Where

Assurance

Testing

Inspection

Certification

Products

Trade

Resources

100+ countries

1,000+ laboratories

40,000+ people

Page 24: ICSA Subsidiary Governance Conference

4

Our subsidiaries

33 joint-ventures

80 branches

312 wholly-owned

subsidiaries

Page 25: ICSA Subsidiary Governance Conference

5

Our group structure

Intertek Group plc

UK entity 1

Middle East & Africa

China

South and South East Asia (50%)

UK entity 2

Russia, Europe &

Central Asia

Australasia

North America

South and South East Asia (50%)

Page 26: ICSA Subsidiary Governance Conference

6

Our Company Secretariat support structure

Group Company Secretary

Regional Co Sec – North America

Regional Co Sec – MENAP & SE

Asia

Regional Co Sec – China

Company Secretarial Admin

Assistant

Deputy Company Secretary

Company Secretarial

Trainee

Assistant Company Secretary

Company Secretarial Assistant

Page 27: ICSA Subsidiary Governance Conference

7

Our subsidiary governance framework

Centrally managed – from London HQ

Locally managed – in country of incorporation

Assistance from external local legal and accountancy firms as well as the Group’s Auditor

Page 28: ICSA Subsidiary Governance Conference

8

Centrally managed components

Core Controls

Framework

Policy on Subsidiary and Joint-venture

company boards

Parental guarantee guidelines

Group-wide Authorities

Cascade

Blueprint Oneworld database – master data

Incorporations, liquidations

and restructuring

8

Our core controls

Guidelines on Powers of Attorney

Page 29: ICSA Subsidiary Governance Conference

9

Regular catch

up meetings

and to-do list

Online sharing

platform

Templates &

procedures

Sharing the

load

Record keeping

Handovers

Communication and management tools

Page 30: ICSA Subsidiary Governance Conference

10

In practice

Event / Project

Legal paperwork required

Internal approvals

Local points of contact

Key Co Sec considerations

Director and

shareholder

meetings 01

Assistance in the DD process

Funding and paperwork

Closing & Integration

Change of

personnel 02

Accuracy of Blueprint data

Verification material available for audit

Changes throughout the year

Annual Report 03

Leaver and appointment procedure

Consider share ownership – ESS and those held on trust

Resulting board structure changes

Treasury and

tax projects 04

Minutes and resolutions

Verification process – officers, share capital, company information

Reconciliation of accounts - local books vs centrally held accounts (Cognos)

Acquisitions 05

Page 31: ICSA Subsidiary Governance Conference

11

Take away points

03 Don’t be a bureaucrat

02

01Good communication

is essential

Have a clearly defined

strategy

Page 32: ICSA Subsidiary Governance Conference

Competition issues for subsidiaries and boards

Parents mind your children

Nicole Kar

October 2016

Page 33: ICSA Subsidiary Governance Conference

1

Agenda

> Application of competition law and risks to companies

> Parental liability

> Managing and mitigating risks

> What does this mean for boards?

Page 34: ICSA Subsidiary Governance Conference

2

Competition law – a primer

Page 35: ICSA Subsidiary Governance Conference

3

The basic rules

Law prohibits | Who?

Abuse of dominance | Undertakings

Restrictive agreements/collusion | Undertakings (and in the UK, Austria, Germany, Ireland) individuals

Page 36: ICSA Subsidiary Governance Conference

4

The smoke filled chat room

> Recent investigations have seen competition authorities push the

limits of antitrust and new regulators like the FCA take on antitrust

powers and consider requiring expansive mandatory self reporting of

competition breaches

> Focus is now beyond the classical “smoke filled room” and looks e.g.

to different fora; collusion on non price parameters; and pure

information exchange (e.g. price signalling).

Page 37: ICSA Subsidiary Governance Conference

5

Information exchange: Good, Bad, Ugly

Good:

> Historical data

> Aggregated/anonymised data

> Exchanges in public (i.e. the customer has equal access)

> Increases transparency for consumers/consumer benefits

Bad:

> Future price/volume data or future strategic intentions

> Disaggregated, company specific data

> In private

> Highly concentrated market (few players)

Ugly:

> Current data which discloses intended conduct

> Systemised, frequent exchanges

> Partly in private/partly in public – not genuinely public

> Covers a broad part of the market which is concentrated

Page 38: ICSA Subsidiary Governance Conference

6

Competition risks

Fines

Damages

claims

Damages

claims

Imprisonment

Negative

commercial

impact

Disciplinary

action

Procedural

costs

Reputational

damage

Company

risks

Personal

risks

Director

disqualification

Page 39: ICSA Subsidiary Governance Conference

7

Cartel fines in the last 25 years

[Bar chart: cartel fines in million EUR for the EU, US and China, by period (1990-1994, 1995-1999, 2000-2004, 2005-2009, 2010-2014, 2015-to date). Annotation: “Comparatively higher than in the previous period”]

Page 40: ICSA Subsidiary Governance Conference

8

Liability for individuals/board members in the UK

> Criminal cartel offence: no dishonesty requirement as of April 2014; is jury trial appropriate? “not in usual spectrum of fraud cases”

> Director disqualification: personal involvement; knowledge of conduct and failure to take action; where “ought to have known”

> Claiming damages from directors and employees? Safeway v Twigger: attempt to recover fines against individuals (really D&O insurance). Failed as against public policy

Advice for Directors: Insist on compliance programme and training in high risk areas (e.g. sales team in industrial companies), query anomalies.

Advice for companies: assess risk levels and tailor compliance programmes accordingly; do audits to monitor compliance; clean up conduct found.

Page 41: ICSA Subsidiary Governance Conference

9

Parental liability

Page 42: ICSA Subsidiary Governance Conference

10

Concept of parental liability

> In the EU, a parent company can be held jointly and severally liable for the conduct of its subsidiaries (in the broadest, not just accounting sense) (single economic entity doctrine)

> The parent does not need to be involved or aware of the subsidiary’s participation in the infringement

> Parental liability arises when parent and subsidiary constitute a “single undertaking” in the economic sense (the underlying legal structure is not decisive)

> The European Commission must in principle prove on the facts that the parent exercised decisive influence over the commercial policy of the subsidiary to show that they are a single undertaking (except if the parent has – almost - 100% shareholding)

Page 43: ICSA Subsidiary Governance Conference

11

The Akzo (rebuttable?) presumption

Shifts the Commission’s burden to prove that parent/subsidiary are a

single economic entity, but:

> The Commission must prove that the conditions to apply the

presumption are met

> The parent company must hold (almost) 100% of the subsidiary’s

capital

> The Commission must identify unequivocally the addressees of the

potential fine sufficiently early in the investigation (the statement of

objections)

> In such cases the presumption becomes, in practice, impossible to

effectively rebut

Page 44: ICSA Subsidiary Governance Conference

12

Outside Akzo

When the parent does not have (effectively) a 100% shareholding, the

Commission must prove that the parent exercised actual decisive

influence over the subsidiary’s commercial policy, which involves the

unity of market conduct of the subsidiary and its management

> Market conduct/commercial policy includes strategic decisions and

operational matters

> May be triggered at much lower levels of control (e.g. joint control

and minority interests), relevant factors include actual control of the

subsidiary’s board, management overlaps and reporting mechanisms

> PE investors can also be held liable if they did not act as a purely

financial investor

Page 45: ICSA Subsidiary Governance Conference

13

Goldmans/Power Cables

> Commission decision in 2014 finding the Goldman Sachs Group, Inc.

(GS) liable for the participation of one of its portfolio companies,

Prysmian, in the Power Cables cartel (Euro 37.3m)

> GS had exited when the investigation started (and the infringement

started before it purchased it)

> GS appealed the decision (ongoing proceedings before the EU General

Court)

> Two clearly differentiated periods for GS, but the Commission held it

liable throughout both periods

> 2005-2007: GS shareholding far below 100% for most of the period

> 2007-2009: GS minority shareholder

Page 46: ICSA Subsidiary Governance Conference

14

The Impact of Brexit

> Still a lack of clarity, but “hard” Brexit now seems likely (‘Great Repeal Bill’ to bring about a “fully independent, sovereign country” without being bound by ECJ law)

How might Brexit impact the CMA’s position towards parental liability?

> If the ECA 1972 is repealed, and the CMA is no longer bound by the European Courts’ jurisprudence (s 60 Competition Act), will it change its stance on parental liability?

> Unlikely. There are strong public policy reasons (e.g. deep pockets, deterrence, effectiveness of enforcement, recidivism uplift) for the CMA to maintain the approach taken by the EU

More generally, CMA has criminal powers and may be expected to enforce these actively without needing to think about interaction with EU law

Page 47: ICSA Subsidiary Governance Conference

15

Managing and mitigating risks

Page 48: ICSA Subsidiary Governance Conference

16

Acquiring new entities or businesses

> Pre-acquisition: due diligence should cover antitrust issues (may be

difficult in an auction), identify industry hot spots and interview

management. Easier when you are already active in the industry.

> Limiting risks by structuring acquisition (ideally, you will want full

recourse)

> Asset deal: selling entity should not disappear, share deal: not to

merge entity within acquirer

> Consider making the seller seek leniency prior to signing

Page 49: ICSA Subsidiary Governance Conference

17

Group companies’ compliance

> You will likely be liable for (indirect) subsidiaries, joint ventures and

even minority investments’ conduct if there is control

> Do I want to know? TYPICALLY YES

> Effective compliance programmes, identify risk areas, but rolling

out compliance programme can be seen as control!

> Any doubts/suspicions: do an audit

> If passive JV partner, ensure that there is no suggestion of control

(e.g. water down your rights)

> Consider “remedial/clean up” action e.g. application for

immunity/leniency

Page 50: ICSA Subsidiary Governance Conference

18

Acquiring new entities or businesses cont.

> Use robust warranties and indemnities to cover possible fines

and/or damage claims

> But enforceability of indemnity clauses may be challenged in the

UK on the basis of the ex turpi causa maxim

> Minority investment

> Carve-out infringing company/business if have knowledge

In any event, the Commission is pushing the boundaries and the

options are becoming more limited

> Act early post-acquisition: address antitrust at first board meeting,

end infringement, implement effective compliance programme

Page 51: ICSA Subsidiary Governance Conference

19

Disposals

> When selling a group company or an interest options include:

> Clean up conduct before the sale (seek immunity if appropriate)

> Limiting warranties and indemnity exposure (ideally, you want to

walk away with clean hands)

> Beware of asset sales due to residual corporate liability

> Escrow account to cover potential liability

> Record of non-involvement and compliance efforts

Page 52: ICSA Subsidiary Governance Conference

20

Conclusions

Page 53: ICSA Subsidiary Governance Conference

21

What does this mean for boards?

> Compliance fatigue: stream competition risk assessment and

controls with other risk areas facing the business (ABC, sanctions,

etc.) but don’t ignore competition law.

> Ensure compliance programmes and training are fit for purpose and

revisited regularly (e.g. with M&A, with expansion into new

geographic areas; when new teams are hired from competitors)

> Consider contractual protections in acquisitions and limit exposure

when disposing of group companies or businesses

Page 54: ICSA Subsidiary Governance Conference

22

Contact

Nicole Kar

Partner, National Practice Head

Competition Antitrust, London

Tel: +44 20 7456 4382

[email protected]

Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to

refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP together with a list of those non-

members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers

or European lawyers.

Please refer to www.linklaters.com/regulation for important information on our regulatory position.

Page 55: ICSA Subsidiary Governance Conference

Health and Safety – Subsidiary Governance

Health and Safety: Risk & Liability Review

Ann Metherall CEng FICE

Partner

Page 56: ICSA Subsidiary Governance Conference


24/07/15

Page 57: ICSA Subsidiary Governance Conference

Offence | Starting Point* | Range*

Corporate Manslaughter Act | £7.5m | £4.8 - £20m

Health & Safety at Work Act | £4m | £2.6 - £10m

*assumes very high culpability and a turnover greater than £50m

Page 58: ICSA Subsidiary Governance Conference


How can the firebreak be undermined?

• H&S obligations

• Cases of

• Chandler v Cape [2012]

• Thompson v Renwick [2014]

• R v CAV Aerospace [2015]

• Risk Factors

• Practical Steps

Purpose of limited liability

subsidiaries?

Tax? Firebreak?

Page 59: ICSA Subsidiary Governance Conference


Health & Safety Obligations/Consequences

Corporate Manslaughter

Duty of care based on

negligence principles

HSWA

“organisations must ensure safety so far as

reasonably practicable”

s.2 s.3

Everyone else affected by

“scope of undertaking”

Factual question

Employees

Gross breach caused

substantially by the way

senior management

organises its business

Corporate Manslaughter

creates no new obligations

just increases the

consequences

Page 60: ICSA Subsidiary Governance Conference

Chandler v Cape plc

[2012]

• Claimant employed by a Cape

subsidiary

• Exposed to asbestos dust

• Cape plc accepted subsidiary failed

in its duty of care

• Subsidiary dissolved

• Claim against Cape plc

• Group Medical Advisor and

scientific officer

• Board discussion on aspects of

production

• Cape knew its subsidiary

arrangements were defective

Court of Appeal found for claimant

because of its knowledge of the

condition and asbestos risk meant it

had a duty of care to advise the

subsidiary what to do or to ensure

steps were taken

Page 61: ICSA Subsidiary Governance Conference


Pure holding

company may

reduce risk

Factual and

what does

the parent

say in its

safety

management

system?

Audits increase

and reduce risk.

Ignoring warnings

from subsidiary

increases risk

Centralised

advice and

medical support

and practice of

intervention

generally

Parent ought

to have

foreseen

subsidiary

would rely

on it

Risk

Factors

Business of

parent &

subsidiary

are the

same

Parent has or

ought to have

had superior

H&S

knowledge

Parent knew or

ought to have

known system

of work unsafe

Page 62: ICSA Subsidiary Governance Conference

Chandler v Cape plc

[2012]

Thompson v The

Renwick Group plc

[2014]

• Claimant employed by a Renwick

subsidiary

• Exposed to raw asbestos

• Subsidiary had no EL insurance or

assets

• Claim against parent company

• No group directors on subsidiary

board and subsidiary run by an

“unconnected director”

Applying factors in Chandler, Court of

Appeal found not liable on facts

Page 63: ICSA Subsidiary Governance Conference


Mere

appointment

of subsidiary

director not

enough

Appointment of

directors

Co-operation

between subsidiary

without parent

control ok. Problem

if parent controls

key element e.g.

delivery/finance

Sharing resources

Avoid assets and

paperwork asserting

work done or

decisions made on

behalf of parent

Corporate

branding

Pure holding

company

reduces risk

What does

the Group

say it does in

its safety

policy and

management

system?

Audits both

increase and

reduce risk.

Ignoring warnings

from subsidiary

increases risk

Centralised

advice and

medical support

Parent ought

to have

foreseen

subsidiary

would rely

on it

Risk

Factors

Business of

parent &

subsidiary

are the

same

Parent has or

ought to have

had superior

H&S

knowledge

Parent knew or

ought to have

known system

of work unsafe

Page 64: ICSA Subsidiary Governance Conference

Chandler v Cape plc

[2012]

Thompson v The

Renwick Group plc

[2014]

R v CAV Aerospace

[2015]

• Fatally injured person employed by

CAV subsidiary

• Killed when stack of metal billets

collapsed

• Corporate manslaughter and HSWA

prosecution of CAV A

• Cases of Chandler and Thompson

considered when establishing duty of

care

• CAV A treated CAV C as supplier but

did not give it control (no FD and

purchasing and stock control

governed by CAV A)

• Ignoring warning of near misses was

most aggravating feature

Convicted of both offences

Fined £600,000

Page 65: ICSA Subsidiary Governance Conference


Mere

appointment

of subsidiary

director not

enough

Appointment of

directors

Co-operation

between subsidiary

without parent

control ok. Problem

if parent controls

key element e.g.

delivery

Sharing resources

Avoid assets and

paperwork asserting

work done or

decisions made on

behalf of parent

Corporate

branding

Conflict of

interest/direction

and control

Pure holding

company

reduces risk

What does

the Group

say it does in

its safety

policy and

management

system?

Audits both

increase and

reduce risk.

Ignoring warnings

from subsidiary

increases risk

Centralised

advice and

medical support

Run as a

business

division - no

separate

financial function

Parent ought

to have

foreseen

subsidiary

would rely

on it

Risk

Factors

Business of

parent &

subsidiary

are the

same

Parent has or

ought to have

had superior

H&S

knowledge

Parent knew or

ought to have

known system

of work unsafe

Lack of

independence

Overlap of

directors

Page 66: ICSA Subsidiary Governance Conference


A question of risk

Increased control may mitigate

risk of safety failures

But increase exposure if

something goes wrong

May be tainted anyway?

Page 67: ICSA Subsidiary Governance Conference


• How likely are CM prosecutions? Does it

matter?

• Rarely can Parent avoid any scrutiny

• Identify where in the organisation safety

management decisions should be taken

• Robust on how decisions are recorded

• Does the safety management system

reflect the reality?

• Check terms of reference for oversight

committees

• How are decisions in JVs and SPVs taken?

• Robust and independent audit of subsidiary

• Follow through on actions and do not

leave recommendations hanging

• Acquisitions

• Check how business fits into safety

management structure

• Does company come with the

competence to run it?

There was no clear and realistic thought given

to the relationship between CAV A and CAV C

particularly at the level of senior management

and above.

Practical Steps

Page 68: ICSA Subsidiary Governance Conference


Ann Metherall

Partner

T: +44(0)117 902 6629 M: +44(0)7980 984 071

E: [email protected]

Page 69: ICSA Subsidiary Governance Conference

Governance | Risk Management | Assurance © 2016 AndersonRisk

Page 70: ICSA Subsidiary Governance Conference

Risk Culture v Organisational Culture

Richard Anderson, Director, AndersonRisk

Page 71: ICSA Subsidiary Governance Conference


My agenda for today

• Why is risk culture important to business?

• Who has been talking about a “risk” culture?

• VW – a case study

• FRC, IIA, CIMA, CIPD, CVF – what are they saying?

• What do I think?

• A possible approach…

• Wrap up and questions

Page 72: ICSA Subsidiary Governance Conference


Why is risk culture important to business?

© Richard Anderson Photography | www.raphoto.me

Page 73: ICSA Subsidiary Governance Conference


Why is risk culture important to business?

Five reasons: because of…

• People

• 300 years of failure

• Risk appetite

• Extended enterprise

• Societal impact

Page 74: ICSA Subsidiary Governance Conference


Human nature is …

Individualist … or … collectivist

What do you believe … ?

I or C? Which do you think?

The way we live …

“superiors” tell “inferiors” … or … “equals” negotiate the “rules”

Prescribed/In-equal … versus … Prescribing/Equal

Tell or Negotiate? T or N? Which way does it work?

People

Page 75: ICSA Subsidiary Governance Conference

People

[Figure: quadrant diagram on two axes, I (individualist) to C (collectivist) and Tell to Negotiate, with four quadrants: Fatalist, Individualist, Egalitarian, Hierarchist. Labels on the diagram: Richard Branson; Philip Green; Entrepreneur; Greenpeace; Environmentalist; Prince Charles; Typical Government Chief Scientist; “What will be will be”.]

Page 76: ICSA Subsidiary Governance Conference

300 years of failure

• The South Sea Bubble (1720)

• Savings & Loans (1986 - 1995)

• Polly Peck (1990)

• Maxwell (1991)

• Enron and .com Bubble (2001)

• Marconi (2006)

• Banking Crisis (2008)

• BP (2010)

• HSBC (2012)

• Wal-Mart (2012)

• Tesco (2014)

• Volkswagen (2015)

Page 77: ICSA Subsidiary Governance Conference

300 years of failure

COSO Internal Control I & II

COSO ERM I & II (almost)

Cadbury to Corporate Governance Code

CoCo

King I, II & III

Page 78: ICSA Subsidiary Governance Conference

300 years of failure

And the next disaster is being incubated right now…

Page 79: ICSA Subsidiary Governance Conference

Risk Appetite

[Figure: Risk Appetite model. Columns: Level; Propensity to take risk; Propensity to exercise control. Levels: Strategic; Tactical; Project/Operational. Measurement: Stakeholder Value; Risk Metrics; Control Metrics. Other labels: Risk Taking; Exercising Control; Delegation; Escalation.]

Page 80: ICSA Subsidiary Governance Conference

Risk Appetite

But any model of Risk Appetite makes heroic assumptions about the ability of the people in the organisation to cope within the ranges it sets…

Page 81: ICSA Subsidiary Governance Conference

The extended enterprise

[Figure: The extended enterprise. Labels: Joint Endeavour; Outcomes; Multiple Economies in Multiple Societies.]

Page 82: ICSA Subsidiary Governance Conference

The extended enterprise

[Figure: The extended enterprise. Labels: Joint Endeavour; Outcomes; Multiple Economies in Multiple Societies. Parties shown: Customer 1; Customer 2; Customer 3; IP Owner; Regulator; Sub-Contractor 1; Sub-Contractor 2; IT Outsource Provider; Government; Supplier 1; Supplier 2; Agents; Prime Contractor; Labour.]

Page 83: ICSA Subsidiary Governance Conference

The extended enterprise

[Figure: The extended enterprise. Labels: Joint Endeavour; Outcomes; Extent of Shared Values; Allocation of Incentives; Relative Power; Regulatory Influence; Multiple Economies in Multiple Societies.]

Page 84: ICSA Subsidiary Governance Conference

The extended enterprise

Culture is KING in managing across the Extended Enterprise…

Page 85: ICSA Subsidiary Governance Conference

Societal impact

Because the societal impact of failure is leading to breakdowns in society as witnessed in BREXIT and the rise of nationalism and protectionism versus free trade and globalisation

Page 86: ICSA Subsidiary Governance Conference

Who has been talking about risk culture?

Page 87: ICSA Subsidiary Governance Conference

The commentators

Organisation | Title | Pages | Culture | Risk Culture

DoJ (2010) | Bribery Act | 43 | 7 (16%) | Nil (0%)

NAO (2011) | Managing Risk in Government | 18 | 4 (22%) | Nil (0%)

IRM (2012) | Risk Culture – resources for practitioners | 114 | 893 (783%) | 344 (302%)

FRC (2014) | Risk Management etc | 28 | 20 (71%) | Nil (0%)

FSB (2014) | Guidance […] on Risk Culture | 14 | 100 (714%) | 70 (500%)

Page 88: ICSA Subsidiary Governance Conference

• The board’s responsibility for the organisation’s culture is essential to the way in which risk is considered and addressed within the organisation and with external stakeholders.

• The board must determine its willingness to take on risk, and the desired culture within the company.

• The board has ultimate responsibility for RM…, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded.

• Training and communication assist in embedding the desired culture and behaviours in the company. To build a company culture that recognises and deals with risk, it is important that the RM and IC systems consider how the expectations of the board are to be communicated to staff and what training may be required.

The FRC

Page 89: ICSA Subsidiary Governance Conference

• “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”

• “Those at the top of an organisation are in the best position to foster a culture of integrity where bribery is unacceptable. The purpose of this principle is to encourage the involvement of top-level management in the determination of bribery prevention procedures. It is also to encourage top-level involvement in any key decision making relating to bribery risk where that is appropriate for the organisation’s management structure.”

Department of Justice

Principle 2 - Top-level commitment

Page 90: ICSA Subsidiary Governance Conference

• “An anticipatory and strategic approach to supervision rests, among other things, on the ability to engage in high-level sceptical conversations with the board and senior management on the financial institution’s risk appetite framework, and whether the institution’s risk culture supports adherence to the board-approved risk appetite.”

• “Culture can be a very complex issue as it involves behaviours and attitudes. But efforts should be made by financial institutions and supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.”

FSB

Page 91: ICSA Subsidiary Governance Conference

The FSB’s top four indicators of the risk culture

• Tone from the top;

• Accountability;

• Effective communication and challenge; and

• Incentives.

Page 92: ICSA Subsidiary Governance Conference

IRM Risk Culture Framework

Risk Culture

Organisational Culture

Behaviours

Personal Ethics

Personal Predisposition to Risk

IRM’s risk culture framework looks at component parts making up an organisation’s risk culture

• How will I react?

• How will I respond in recognition of other competing needs?

• What will I do?

• What will we do?

• Our overall risk culture

Page 93: ICSA Subsidiary Governance Conference

Risk culture aspects model

[Figure: Risk culture aspects model. Risk Culture, with four groups of aspects: Tone at the Top (Risk Leadership; Dealing with Bad News); Governance (Accountability; Transparency); Decisions (Risk Informed Decisions; Reward); Competency (Risk Resources; Risk Skills).]

Page 94: ICSA Subsidiary Governance Conference

VW: a case study

Page 95: ICSA Subsidiary Governance Conference

Objectives

• To be the biggest car manufacturer in the world

• To move motorists across to diesel engines as requested by the EU

• To demonstrate compliance with Californian air quality requirements

Page 96: ICSA Subsidiary Governance Conference

Core personal values

1. Social responsibility: Innovative employment models and social involvement.

2. Sustainability: Human rights, labour standards, environmental protection: there are many facets to sustainability.

3. A spirit of partnership: Equality and humanity: fairness is important to us.

4. "Pro Ehrenamt" volunteering initiative: Have you ever thought about becoming a volunteer? There are many ways to get involved - and there's one near you.

Page 97: ICSA Subsidiary Governance Conference

Sustainability

“We aim to be the world’s most successful, fascinating and sustainable automobile manufacturer. For the Volkswagen Group, sustainability means that we conduct our business activities on a responsible and long-term basis and do not seek short-term success at the expense of others. Our intention is that everyone should profit from our growth – our customers and investors, society and, of course, our employees. In this way, good jobs and careful treatment of resources and the environment form the basis for generating lasting values.”

Page 98: ICSA Subsidiary Governance Conference

Global Compact

• Since 2002, Volkswagen has been involved in one of the largest and most important CSR initiatives in the world

• This sets out the Ten Principles of human rights covering working standards, environmental protection and combating corruption

• “Together with 12,000 companies from over 170 countries, Volkswagen works in diverse international CSR projects towards making the global economy more sustainable and fairer. An annual progress report documents our projects.”

Page 99: ICSA Subsidiary Governance Conference

Failing to live up to their standards

• Emitting larger amounts of NOx than allowed was not in line with looking after the Human Rights of communities where their cars were sold;

• Lying to regulators by installing this software is fundamentally corrupt when you define corruption as “the abuse of entrusted power for private gain”; and

• Clearly the engineering solution was not consistent with environmental protection.

Page 100: ICSA Subsidiary Governance Conference

Where they failed

1. Values

2. Silos

3. Layering

4. Short-termism

5. Control v Risk

6. Obstruction

7. Black holes

Page 101: ICSA Subsidiary Governance Conference

FRC, IIA, CIMA, CIPD, CVF – what are they saying?

Page 102: ICSA Subsidiary Governance Conference

The Culture Coalition

Organisation | Title | Pages | Culture | Risk Culture

FRC (2016) | Corporate Culture and the role of boards | 62 | 435 (702%) | 7 (11%)

IIA (2016) | Organisational Culture | 27 | 366 (1,355%) | 31 (115%)

CIMA (2016) | Rethinking the Business Model | 38 | 5 (13%) | 0 (0%)

CIPD (2016) | A Duty to Care | 38 | 381 (1,002%) | 0 (0%)

CVF (2016) | Governing Culture, Risk & Opportunity | 30 | 130 (433%) | 0 (0%)

Page 103: ICSA Subsidiary Governance Conference

FRC guidance on culture: a missed opportunity

62 pages of platitudes:

• How chairmen and chief executives are vital to the culture;

• How non-executive directors should probably be involved, but poor individuals, they find it hard;

• How culture is so very important, but it really is difficult;

• How important it is for directors to exhibit their corporate values;

• How hard pressed heads of internal audit want to do work in this area, but their boards are not ready

Page 104: ICSA Subsidiary Governance Conference

My conclusions on the FRC report

So rather than see some wishy-washy platitudes with “suggested” topics for boardrooms to discuss, when they get round to it, it is time for the FRC to commission first class research from people who have genuinely thought about the subject – both academics and practitioners. And then we can talk constructively about the importance of culture versus risk culture and just how we can measure and manage both of them.

Page 105: ICSA Subsidiary Governance Conference

And the others

• CIIA: only about assurance. Little about managing the culture or risk culture and no reference to the differences

• CIMA: seem to have forgotten the topic

• CIPD: NOTHING about risk culture

• CVF: Ditto

Page 106: ICSA Subsidiary Governance Conference

The risk…

The participants in the FRC’s Culture project, led by the FRC, have let directors wriggle off the hook and substantially to ignore Organisational Culture (because they only spoke in platitudes) and totally to ignore Risk Culture, which barely gets a mention.

Page 107: ICSA Subsidiary Governance Conference

What do I think?

Page 108: ICSA Subsidiary Governance Conference

Risk v Organisational Culture

Unlike some, I firmly believe that there is a major difference between the “Culture” of an organisation and the “Risk Culture”. I also think that the two elements are entirely measurable by looking at the conversations and risk conversations (the cultural DNA) in the organisation

Culture: The culture of the organisation is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.

Risk Culture: “The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”

Page 109: ICSA Subsidiary Governance Conference

My model of risk management has now changed…

Traditionally I see risk management as a trade off between two pairs of tensions:

1. Taking more managed risk – v – Avoiding pitfalls

AND

2. Performance culture – v – Corporate ethics and behaviours

I now add a third pair of tensions

3. Allowing the needs of today to dominate because of the corporate culture – v – Allowing the needs of tomorrow to dominate because of the risk culture

Page 110: ICSA Subsidiary Governance Conference

In summary, I think that…

• Organisational Culture and Risk Culture are different

• Both are vital to retaining and growing long term sustainable value

• The Risk Culture is poorly understood but ignoring it is potentially very dangerous

• VW, the GFC, HSBC, and LIBOR show that problems STILL exist

• We MUST demonstrate to boards why this is important

• We MUST develop practical approaches to managing Risk Culture

Page 111: ICSA Subsidiary Governance Conference

A possible approach…

Page 112: ICSA Subsidiary Governance Conference

Assessing the Risk Culture: three traditional steps

1. Desk Top Research. But… not often that much policy worthy of review in terms of risk culture

2. Surveys. But… Most surveys suffer from groupthink and you can’t move beyond it

3. Interviews. But… Most senior people will give the right answer anyway so you learn little

Page 113: ICSA Subsidiary Governance Conference

So we have introduced a fourth step

1. Desk Top Research

2. Surveys

3. Interviews

4. Conversations in Risk

Page 114: ICSA Subsidiary Governance Conference

Conversations in risk management

[Figure: conversation map linking You with: CFO; CEO; Suppliers; Clients; CMO; Back Office.]

Page 115: ICSA Subsidiary Governance Conference

Production and Projects

[Figure: chart, axis 0% to 75%, of the share of risk conversations by department: Production and Projects; Sustainability and HSE; Drilling; Exploration & New Business; Finance; Other.]

In this organisation, there were six organisational departments. “Production and Projects” talked a lot about risk, but 73% of their conversations were WITH THEMSELVES: they were not dealing with risk by talking to other experts in the organisation… About 22% were with their “Sustainability and HSE” department.

Page 116: ICSA Subsidiary Governance Conference

Sustainability and HSE

But the “Sustainability and HSE” department was not listening because less than 10% of their risk discussions were with Production and Projects and a whopping 72% were WITH THEMSELVES. This organisation was HOPELESSLY silo’ed and they did not recognise it in themselves. They needed to work together because of the economic environment, but their risk culture was shot to pieces and the business was following downhill.

[Figure: chart, axis 0% to 75%, of the share of risk conversations by department: Production and Projects; Sustainability and HSE; Drilling; Exploration & New Business; Finance; Other.]

Page 117: ICSA Subsidiary Governance Conference

Three states for a conversation

[Figure: three states in sequence: Unmatched; Partially Matched; Completely Matched. Arrow labelled “The Desired Direction of Travel”.]

Page 118: ICSA Subsidiary Governance Conference

Three states for a conversation

[Figure: the three states, Unmatched, Partially Matched and Completely Matched, each shown with a percentage.]

Page 119: ICSA Subsidiary Governance Conference

This diagram, straight from our system, shows all of the participants in the exercise and (rather depressingly) shows that none of the conversations was matched. They had a lot of work to do to turn this round, and they needed to do so quickly

Page 120: ICSA Subsidiary Governance Conference

This picture simply illustrates the richness of the data showing linkages between individuals. Each connection is based on a set of data that we analyse and summarize to come to the board level view. It also explains why the underlying data are actionable…

Page 121: ICSA Subsidiary Governance Conference

And where cultures clash…

Issues which any board should want to know about:

• Values: Significant deviations from the board’s values.

• Silos: Especially where an organisation is facing complexity in its dealings internally or externally.

• Layering: Layered management reporting prevents new issues being spotted on a timely basis.

• Short-termism: Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.

Page 122: ICSA Subsidiary Governance Conference

And where cultures clash…

Issues which any board should want to know about:

• Control v Risk: Control (or risk control) management instead of risk management.

• Obstruction: Individually obstructive nodes can be very dangerous.

• Black holes: Sometimes it is difficult to discern any volume of conversations about risks.

Page 123: ICSA Subsidiary Governance Conference

Wrap up and questions?

Page 124: ICSA Subsidiary Governance Conference

Resources:

1. IRM Risk Appetite and Tolerance Guidance: https://www.theirm.org/media/464806/IRMRiskAppetiteExecSummaryweb.pdf

2. IRM Risk Culture Guidance: https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf

3. FRC Culture document: https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Corporate-Culture-and-the-Role-of-Boards-Report-o.pdf

4. FSB Risk Culture: http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1

5. AndersonRisk Commentary on Risk Culture: http://andersonrisk.com/publications/downloads/ (and check my publications on LinkedIn)

6. AndersonRisk board agenda: http://andersonrisk.com/publications/downloads/

7. AndersonRisk blog: http://andersonrisk.com/conversations/

Page 125: ICSA Subsidiary Governance Conference

[email protected]

Tel: +44(0)7807 780284

www.AndersonRisk.com

Thank you!
