Risky business: checking internal controls

There has been an explosion of risk management practice in business since the mid-nineties, propelling internal control principles to the heart of organisational governance. Government and regulatory bodies have placed risk management at the top of their agenda with risk-based regulatory organisations assuming a prominent position.

Categories such as ‘reputation risk’ have emerged to characterise a newly visible kind of threat to organisations, as risk management has become much broader in scope.

Since 1995, the year in which Barings bank collapsed and Shell’s reputation was damaged by the disposal of Brent Spar in the North Sea, the amount of literature on risk management has increased dramatically.

The Turnbull report has become a blueprint for thinking in the UK, expanding its influence beyond the intended private-sector audience to become a generic conceptual framework for internal control and risk management.

At the same time, internal control has been elevated from its lowly organisational position to become the basis of thinking for risk-based regulation, accountability and governance.

Societies have no option but to organise themselves in the face of risk, and this has extended the reach of internal control into every aspect of organisational life.

But the rise of internal control is a double-edged sword. While it has the potential to offer huge benefits to business, it should also be a cause for concern. Will organisations tie themselves up in bureaucracy?

Will auditor reporting on these systems actually improve public trust in organisations, or will it be increasingly defensive and uninformative – the managerial equivalent of political spin?

In auditing, the primary risk – that financial statements are materially misstated – is increasingly entangled with a secondary risk – the risk of financial and reputational losses to auditors themselves. Recent preoccupations with practice management, quality control and client-selection processes reflect this.

Changes in the regulatory environment for the accountancy profession, and the emergence of corporate governance codes make the focus on secondary risk management both understandable and rational at the level of the individual firm or practitioner.

But society can only be worse off if the accountancy profession, which has historically been granted a monopoly over audit work, becomes over-preoccupied with risks to itself.

This issue is not confined to accountancy; other agencies traditionally charged with ‘handling’ primary risks on behalf of others are focusing increasingly on their own risks, with a view to avoiding responsibility, blame and financial penalty.

This transformation in the status and scope of internal control amounts to a cumulative project of turning organisations ‘inside out’ and of making their risk-based internal control systems a public and potentially disclosable matter as never before.

While there are considerable practical benefits to sharpening the focus on internal control, there are also inherent dangers. Despite practitioner modesty about such systems, a new expectations gap may be created, as unrealistic images of control are projected. It is well known that such systems tend to emphasise the management of risks that are known and can be measured, at the expense of recognising organisational threats that are unknown or unpredictable.

One ‘known unknown’, to borrow Donald Rumsfeld’s phrase, is reputational risk. Most business people today, when asked about the risk that worries them most, will mention reputation. Yet the idea of reputation risk is itself very young, created in the wake of Shell’s experience of attempting to dispose of the Brent Spar oil rig in 1995.

The most dramatic example from accountancy concerns the demise of the firm Arthur Andersen. The lesson seems to be that the actions of a few employees can bring down an entire organisation, or that the market may have interpreted the actions of the few as a signal about the culture of the whole.

From an accounting point of view, reputational risk turns the concept of materiality upside down. Traditionally thought of in terms of financial magnitude, reputation means that even apparently small events or losses, such as a minor regulatory fine, can have larger repercussions.

Much depends on how and whether certain events are amplified by wider social processes, not least by media and legal systems.

These amplification processes are not normally under the control of most organisations. This means that reputation risk reflects a new sense of vulnerability, a dread factor for senior managers as well as politicians, and has created new demands to make reputation ‘manageable’.

While organisations can do much to mitigate these secondary or reputational risks, they remain hostage to the institutional environment in which they operate.

Ultimately, if everything can potentially threaten reputation, then reputational risk demands the management of everything. The paradox is that this analysis sets organisations on an endless quest for knowing the unknowable.

Michael Power is P.D. Leake professor of accounting at the London School of Economics

  • Michael Power will give the P.D.Leake lecture The Risk Management of Everything at Chartered Accountants Hall, London on 23 June. A book of the same name is published by Demos.