Internal controls: the danger zone

In association with KPMG

Consider the following comment: ‘Our operations have significant
environmental and social impacts that need to be managed carefully. We cannot
and should not take on responsibilities that are properly those of governments.
We also cannot stand aloof from major governance and social issues in the
countries where we operate.’

Who spoke those words? A spokesperson for Friends of the Earth? Amnesty
International? No. They were, in fact, delivered by Sir Mark Moody-Stuart, the
chairman of Anglo American, one of the world’s largest mining companies, with a
valuation of over £30bn on the FTSE 100.

Sir Mark was speaking at Anglo American’s annual general meeting, and his
comments on sustainability, climate change, social responsibility and
environmental stewardship formed the cornerstone of his address to shareholders.

A decade ago it would have been unimaginable for a FTSE 100 chairman to touch
on these issues at all, let alone speak in such detail, and at such a crucial
shareholder gathering.

But Sir Mark is not the only company chairman paying more attention to the
social and environmental impacts of doing business. A flick through the annual
report of any significant business will show that good governance and corporate
responsibility are topics that senior executives across the board are grappling
with on a far more regular basis.

Whether it’s how they plan their tax policy, source their materials and
energy, manage the social impacts of their business or communicate with their
shareholders, companies now need to put enterprise risk management (ERM) and
business ethics at the very top of their agendas.

Richard Sharman, advisory partner at KPMG, says that the higher priority given
to ERM and business ethics, like so many other developments in the corporate
world, has been driven by the fall-out from corporate catastrophes such as
Enron and Worldcom.

He says that stakeholders are now far more tuned in to the risks facing
businesses, both financial and otherwise, and expect companies to manage them in
an ethical way at the highest level.

‘There has definitely been a shift in the way companies operate,’ Sharman
says. ‘It is no longer acceptable to focus exclusively on making profits. Yes,
profit is still very important, but businesses can no longer say they will make
profit at any cost.’

It is difficult to find a more topical example of how the business landscape
has changed than the evolution of boardroom attitudes to tax management. Tax
policy can no longer be left to the finance department. It is an issue that every
senior executive needs to grapple with and understand.

Dave Hartnett, director general of HM Revenue & Customs, has described tax
policy as more risky than ever because it can damage businesses and is complex
to understand. He says that tax has become a crucial element in business
decision-making and must be managed accordingly.

Sharman says it has become the responsibility of business leaders to set the
tone for how companies manage the risks that have emerged, including tax. The
company of the future will have to be not only profitable but responsible too.

Few executives are more aware of this than Peter Johnson, financial director
of FTSE 250 housebuilder Taylor Woodrow. A former fund manager with Henderson
and Norwich Union, Johnson has always paid close attention to how businesses are
run and values the contribution of good risk management. ‘In my view, if
businesses are to be successful, they need an industrial strength set of
business processes that manages risks appropriately,’ Johnson says. ‘To that
end, everything around business process, risk management and risk control is a
wholly positive thing.’

So how does a company go about implementing a system to manage the risks it
faces in a business environment that is increasingly complex and under a
spotlight that is ever more intense?

Traditionally, companies could publish a corporate social responsibility
charter in a glossy brochure, but this is no longer good enough. Companies need
to assess their risks thoroughly and then implement a concrete set of governance
procedures and company policies that flow through the entire company and inform
every business decision that is made.

‘An ERM strategy can be compared to the lines around a football pitch. The
lines are the boundaries that a company has set and its employees have to work
within those boundaries,’ Sharman says.

The first step for a company is to develop a risk strategy. What level of
risk does a business want to take on? Does it want to double profit in two years
by chasing every opportunity aggressively? Or is it happy with its current
growth forecasts and prepared to take a more conservative approach to risk?

It is then the responsibility of board members to ensure that an appropriate
risk strategy, backed by specific procedures and controls, is set up and
enforced throughout the business. It is also essential that companies have
procedures to manage changing and evolving risks.

An example of such a strategy is the Sheq (safety, health, environment and
quality) system used by companies such as industrial gases firm BOC and
construction contractor Balfour Beatty. Sheq systems set out measurable
objectives for every part of a business and the conduct of its employees.

Whether it is the quality of product or service a company is providing for
its clients, the impact on the environment of that service, or the safety of
employees, Sheq provides a standard of best practice that can be audited and
monitored by management.

The genuine implementation of such a strategy has become essential for doing
business. ‘Whether a company is borrowing money, obtaining a credit rating,
negotiating with suppliers or dealing with customers, everyone is now aware of a
company’s ethical reputation and corporate responsibility,’ Sharman says. ‘The
fact of the matter is that it takes years of hard work to build up a business,
but just a few days to completely destroy a reputation. It is up to companies to
ensure they are managing their risks to avoid this from happening.’

But ERM is not just about fighting fires; it is also about creating value.
Managing risk effectively can reduce costs, improve efficiency and sharpen
business decision-making skills (see below).

Perhaps the most important contribution an ERM system can make to a business
is to show regulators that they do not need to become involved in ensuring that
companies conduct business as they should. Boards are drowning in regulation,
and coming to grips with the Combined Code, Sarbanes-Oxley, IFRS and various
government directives has eaten into the time that should be spent on taking a
business forward.

‘ERM is a major attraction for companies, because if they can show they are
run responsibly and prove to governments that they can regulate themselves, then
they avoid regulation. There are two direct benefits from this approach.
Companies can become more transparent and avoid regulatory creep,’ Sharman says.


The following list should give you an idea of just some of the ways in which
implementing an enterprise risk management system can create business value.

Reduced governance risk
Better risk calibration and reporting assists board members when it
comes to meeting their legal and fiduciary duties.

Happier investors
Shareholders like a company that knows what risks it faces and how to manage
those risks. Investors have more confidence in a business that has a grasp of
risks and knows how to manage them than in a company that just ignores them.

Cheaper capital
A risk management strategy can stabilise profits and reduce financial perils.
Lenders will be quite willing to lend money to a company at favourable rates if
they know that it has quality earnings and low risk.

Tighter controls
Implementing an enterprise risk management scheme gives key
decision-makers access to a whole new source of information. Companies can
allocate resources and identify risky procedures far more efficiently, and can
improve controls without increasing costs, as risk measurement results often
highlight over-controlled risks based on lower-than-expected exposure results.
Consolidation of disparate risks also creates consistency and reduces costs by
eliminating duplication of processes.
