CGMA Performance integrated risk report for BOD


Upload: financial-street

Post on 24-May-2015


DESCRIPTION

Good paper to guide about report both risk and performance, especially in tough time and financial crisis

TRANSCRIPT


Integrating risk into performance

Reporting to the board of directors

Business processes: Internal business processes; The mission

Learning and growth: Employee training; Corporate cultural training

Customer: Customer focus; Customer satisfaction

Financial: Corporate database; Risk assessment

Page 2: CGMA Performance integrated risk report for BOD

Authors: Prof Dr ir Regine Slagmulder, Vlerick Leuven Gent Management School; Maria Boicova, Vlerick Leuven Gent Management School

Two of the world’s most prestigious accounting bodies, AICPA and CIMA, have formed a joint venture to establish the Chartered Global Management Accountant (CGMA) designation to elevate the profession of management accounting. The designation recognises the talented and committed management accountants with the discipline and skill to drive strong business performance.


Surprisingly, there has been relatively little academic research on what information boards of directors actually receive to fulfil their strategic monitoring role. Furthermore, whereas performance-related reporting benefits from a long-standing research tradition in the management accounting literature, relatively limited attention has been paid to its integration with risk – especially in relation to boards as receivers and users of that information. This project responds to earlier calls for research that extends beyond the use of accounting information for decision making by managers to examine how other actors interface with management accounting.

For a brief summary of the theoretical considerations used to set up this study, please refer to Appendix 1.

Objectives

The main objectives of this research were to:

• Document and analyse how performance and risk are integrated in management reporting to the board of directors.

• Identify leading practices of enhancing performance management with risk, to enable board members to perform their strategic monitoring role.

Introduction

Since the board of directors holds the ultimate responsibility for the company’s success or failure, board members should be adequately informed about the company’s performance and risks.

Research methodology

The research was based on a multi-case study approach in European companies in a variety of non-financial industries. We focused on non-financial companies because of the idiosyncratic nature of risk management in financial services and the limited availability of case studies in other sectors. Interviews were conducted with the risk and/or audit function, and with at least one member of the board. The purpose was to document the process of risk and performance reporting to the board, and to identify what information actually reaches the board of directors. For each company we also studied the board demographics and other criteria, such as number of board meetings and level of attendance at those meetings, as proxies for board involvement in the company’s strategy process.

Key conclusions

• There is an increased awareness by board members of the importance of explicitly considering risks in their decisions.

• Companies have established both separate risk reporting to the board as well as reporting that links risk with performance and strategy.

• There is a tendency to look at risk both from a negative angle (potential threats) and a positive angle (potential opportunities).

Main findings and their implications for practical application

The main findings from the research can be summed up as follows:

• The case studies provide evidence of significant variation in companies’ risk reporting practices, both in terms of the content and the structural aspects of risk reporting. The field observations suggest that risk reporting in companies can be put on a continuum, with limited reporting at one end of the spectrum and elaborate reporting at the other. (Note that the extreme case of zero reporting was not observed in practice, because a minimum level of risk reporting to the board is mandatory in most European countries.)

• We observed that boards generally seem to be very aware of the importance of considering risks in their decisions and in their performance evaluations. Board members tend to perform their own implicit assessment of strategic risks when they discuss new strategic initiatives. Such board risk assessments are usually not formalised, but are part of the regular discussions on long-term strategy and potential uncertainties related to that strategy.

• With respect to integration of risk and performance in strategic decision making, we found that it is common practice by management to identify and report risks to the board as a part of M&A proposals, business development plans, or strategic reviews. Such integrated reporting typically comes on top of the specialised reporting that focuses specifically on (operational) risks.

• Through the involvement of the internal auditor in risk management, the integration between risk and performance is achieved also in the audit reports that go to the board of directors. On the board side it is the audit committee that is most frequently in charge of the risk management, which also adds to an integrated view on both risk and performance.

• In most companies, we observed that risks are viewed not only in a negative light (ie, as a threat), but also from a positive perspective (ie, as value-creating opportunities).

The reporting on risks is thus closely intertwined with reporting on potential opportunities, in this sense providing a close integration between risk and performance.

“In our dashboard risk we have the orange-red part and the green-greener part, and when we do our risk assessments we always work on both parts. We clearly have more risks listed than opportunities, but there are frequently opportunities in the dashboard where people can improve even more than planned.”

– Risk officer

• To ensure that the integration with performance is achieved even in the presence of separate risk reporting, it is considered good practice to align the timing of risk reporting with that of budgeting and strategic planning, which provides for relevant progress reports at regular intervals.

In order to contextualise the research findings, we explicitly asked all interviewees about their company’s risk appetite. More specifically, we wanted to investigate whether the company had a defined risk appetite and how it was approved. Some practitioner reports¹ emphasise that “designing risk management without defining your risk appetite is like designing a bridge without knowing which river it needs to span.” Such a stance suggests that defining the company’s risk appetite is actually a crucial first step. However, observed practice shows a less categorical position. Whereas risk management procedures are in place in all companies we studied, the formal definition of risk appetite remains a fairly rare practice.

Overall, our field study observations demonstrated a continuum in terms of levels of definition and approval of risk appetite, ranging from no definition at all to some attempts at formal definitions by the board of directors – with most companies being at the lower end of the spectrum. In those companies that favoured a more integrated view on risk, the attitude towards formalisation of risk appetite remained fairly reserved. One potential reason could be that companies might prefer to stay flexible and adjust their risk appetite based on the particular project and/or strategic initiative at hand, and as a consequence avoid too much ex ante formalisation. In any case, our research findings seem to hold irrespective of the level of the definition and formalisation of risk appetite.

For the management accounting professional dealing with risk reporting to the board, we can conclude that the design of the management reporting has to be aligned with the expectations of the board. It is no longer sufficient to provide reporting that solely focuses on performance, while ignoring the risks that may affect the company’s results. Although this does not necessarily mean that large amounts of extra information need to be produced, it definitely signifies that the scope and quality of board level information has to increase. Some companies address this issue by explicitly redesigning the way they present the information to the board members, whereas others limit themselves to shifting the tone and emphasis in their reporting. In any case, the fact that board members become increasingly aware of the importance of considering risks in their decisions, provides a strong signal to practising accountants and controllers to enhance their reporting with relevant risk information.

Conclusion

The main lessons learned from this research are that (1) even though the increased attention to the formalisation of risk management in companies seems to be a recent trend, it is only partly to be attributed to the economic crisis; (2) there is a tendency to look at both the negative and the positive side of risk; and (3) companies establish both separate and integrated reporting to the board on risk.

Firstly, we indeed observed an increased general awareness by board members of the importance of considering risks in their decisions, which is usually attributed to the current economic crisis. However, most of the board members we interviewed noted that they had always been very aware of the risks inherent in the business and had already been taking them into account. It seems that what was previously done in a more implicit manner, has simply received greater attention and been subjected to increased formalisation.

“Talking about risk for me is not something new; it has always been a part of the ongoing management control in the company.”

– Board member

Another interesting lesson learned concerns the observed tendency to look at risk from a negative angle (as potential threats) as well as from a positive angle (as potential opportunities). This means that companies not only follow the compliance requirements, but also consider risk management to make an important contribution to the strategy process. Such a holistic approach, where both the negative and the positive side of risk are taken into account in decision making, significantly enhances the quality and breadth of strategic decisions taken by companies.

Finally, we observed that companies establish both separate risk reporting to the board as well as integrated reporting that links risk with performance and strategy. The separate, specialised risk reporting seems to be a rather recent trend. The integrated reporting, and more specifically the integration of risk into performance, and even more specifically strategy, has been common practice in successful companies for quite a long time. Recently, however, this integrated reporting has become somewhat more prominent, fuelled by expectations from various stakeholders.

While the integrated reporting does not specifically focus on risks, and might thus be somewhat skewed towards a positive outlook, we concluded that such an approach enables the recipient to see the “big picture”. The fact that integrated reporting provides risk information in the context of other types of information on performance, strategy and operations, adds to a more in-depth understanding of how the business is doing. In contrast, while separate risk reporting zooms in specifically on the risk aspects of the business, it has the propensity to be much more compliance driven. Our respondents emphasised that specialised risk reporting tends to lead the company into a compliance trap, with the whole risk management turning into a “box-ticking exercise”. The above considerations drive our preference towards integrated reporting as a superior approach towards risk reporting to the board, as it allows to break through functional silos in the company and put the information in perspective, thus enabling more effective decision making.

In our research we did not detect a single best practice of integrating risk and performance reporting. Nevertheless, some of the practices observed in companies show that there is definitely value to such integration:

• An update on risks and trends was included in the yearly overview of the control environment, investments and key performance indicators (providing links with different risks).

• Strategic site reviews were produced, containing information on such strategic issues as resources, utilisation, health and safety, community, number of complaints, staffing and risks gathered per site and reported in a consolidated way.

• Integrated reports were sent to the board on the company’s aggregate exposure both on the asset side and the liability side to the financial markets, reflecting “the big risk questions”.

“To integrate the notion of risk into our planning and budgeting cycle, we request our country managers to present no more than ten slides during the annual budget presentations, but one of those slides has to explicitly focus on risk.”

– Senior VP

• Performance reporting to the board was benchmarked against the company’s strategic perspective, the attainment of planned results, and in comparison with industrial and budget forecasts (with explicit consideration of risks) or, alternatively, was presented in the context of general trends in the sector and in comparison to the relevant information available about competitors (which also implicitly included risk elements).

• While we have not directly observed the pure scenario planning and budgeting in our case companies, some elements of this approach were witnessed in at least half of our sample. Scenario planning and budgeting are part of the strategic reflection loop, where managers have to come up with draft performance objectives and then think over potential threats to the realisation of those objectives. The specialty of this approach lies in that it has to answer the “what if…?” question and further calculate the estimates accordingly, taking into account all the uncertainty elements. Possible tools that can be used for this exercise are decision trees or Monte Carlo simulation to calculate, eg the best, the worst and the “seemingly realistic” scenario. From the board perspective, the scenario planning and budgeting approach gives a more solid input for further board discussions on potential strategy and risks, which in its turn contributes to improved decision making.

To conclude, there is a range of ways how the integration of risk and performance information, as well as strategic information, can be achieved in practice. Risk-enhanced performance management must evolve from an ad-hoc event under pressure of the economic downturn, to a continuous process that must be embedded within the company’s governance processes. Unfortunately, many companies’ efforts in the area of performance and risk management seem to focus too much on meeting regulatory requirements (“ticking the boxes”) and not enough on how to integrate performance and risk management for more effective strategic decision making. The lessons learned from this research allowed us to provide some initial recommendations to management accounting professionals faced with the challenge of designing (or re-designing) risk reporting to the boards of their companies.

Figure 1: Risk assessment [figure not reproduced: matrix of Occurrence (labels: almost impossible, unlikely, fairly likely, highly probable, almost certain, probable) against Impact (labels: negligible, moderate, significant, exceptional), with the impact scale running towards “Increasing opportunity” on one side and “Increasing threat” on the other]


Footnotes

¹ E&Y, 2010 Risk appetite: the strategic balancing act.

² Johanson, D. (2008), Corporate governance and board accounts: exploring a neglected interface between boards of directors and management, Journal of Management and Governance, Springer, 12(4), pp. 343-380.


Appendix

Appendix 1 – Theoretical foundations of the research

While the availability of accurate and relevant information is recognised as an integral part of efficient board governance (Johanson, 2008),² researchers’ understanding of management reporting systems with respect to the board and the conditions influencing their design is relatively limited. This is surprising, given that the design of companies’ internal reporting systems has been widely studied in the management accounting literature.

In contrast with companies’ comprehensive reporting on financial (and non-financial) performance, their management information systems are seen as requiring significant improvement when it comes to risk. While board members are not expected to be involved in the day-to-day risk management, they are assumed to know what inherent and emerging risks may negatively impact on the company’s performance. Despite the fact that risk management has recently attracted increased boardroom attention, little is known about whether and how companies integrate performance and risk into their reporting to the board.

A common assumption in the management accounting literature is that there is no one-size-fits-all approach to internal reporting, and that the specific approach adopted by any given company is dependent on a number of contingency factors. For example, among the reasons behind variations in sophistication of performance and risk reporting to the board might be such variables as company size, industry, type of control, or level of board involvement in the strategy process, leading to different information requirements.

In sum, the extant literature has extensively covered topics related to internal reporting for managerial use on the one hand, and elements of board effectiveness on the other, but there are few studies that combine the two research areas. Given the board’s strategic monitoring role and the importance of considering both performance and risk in board-level decision making, investigating the content and process of board reporting constitutes an interesting research theme.

Appendix 2 – Overview of the case studies findings

In each of the companies studied during the first, exploratory phase of the research, we observed that the companies established separate reporting and also frequently separate reporting lines to deal with risk. All companies established a risk management system at the company level that was the source of input for the subsequent risk information flow. In all cases, the management team was actively involved in the risk assessment exercise and was generally held responsible for managing risks in their respective business unit, country or region. This was considered to be an integral part of doing business.

However, in all of the companies we studied there was also a clear separate reporting line up to the board on identified risks. In most cases the risks reported were limited to the top ten or top 15 risks and were mostly operational in nature. The risks were duly aggregated and those that reached the board were truly ‘global’ in the context of the company. The remaining risks were assumed to be treated at the relevant management level.

We observed that all companies had a separate function that assisted the management with risk assessment and aggregated the information for subsequent reporting to the board. In the three publicly listed companies in the sample, the reporting went to the audit committee of the board, while in the case of a privately held company the reporting to the board was done by the executive management. The internal auditor was involved in risk management in two out of three cases we studied. In one company it was the internal auditor who facilitated risk assessment in the company, while in the other the internal auditor was assisted by the head of risk and insurance, who actually did the consolidation of the information.

Besides the establishment of a separate risk reporting, companies also seem to integrate risk into existing performance reporting to the board. We identified the following leading practices vis-à-vis integrating risk and performance:


• One company introduced an update on risks and trends in the yearly overview of the control environment, investments, key performance indicators and follow up on them by the internal auditor. The goal was to give board members an overall perspective on performance and risks of the company.

• An assessment of the inherent risks was integrated into the CEO’s annual presentation to the board during the strategy day. The evolutions in customers, infrastructure, financial targets and the proposed initiatives, as well as the risks inherent in the proposed strategy, were identified, reported and further discussed.

• The notion of risk was integrated into the companies’ planning and budgeting cycle, for example by including one slide that explicitly focused on risk in the annual budget presentations by the country managers.

• One of the companies introduced strategic site reviews, where information on reserves, resources, utilisation, health and safety, community, number of complaints, staffing and risks was gathered per site and reported in a consolidated way. This review thus forced the management to go to the plant level once a year and talk strategically about the risks of the business.

• One company shifted the way in which the information was presented to the board (eg, instead of information on “20 years of reserves”, the board of directors started to receive a report that “85% of earnings were protected by reserves that the company had for more than 20 years; and 2% of earnings were at risk in the property that the company owns”). This created a better insight into the company’s risk exposure for the board.

• Risk information was explicitly integrated into the reporting on new strategic initiatives by the CEO to the board.

In phase two of the research we expanded the initial sample with three large European companies from different countries. All three companies are publicly listed global multinationals. As with the first companies, we noted that there is neither a single approach to organising risk reporting to the board nor a single integration path with performance reporting. The leading practices vis-à-vis integrating risk and performance, different from the ones we already identified in phase one, include the following:

• The companies introduced a combination of different risk-related metrics in their performance related compensation. These were primarily internal financial metrics (such as real internal growth (RIG), organic growth, EBIT or working capital employment), but they also included external perception metrics (such as reputational risks, customer satisfaction); environmental metrics (such as water consumption, GHG emissions); and social measures (such as safety and health figures).

• They provided integrated reports to the board on the company’s overall asset and liability management (the aggregate exposure both on the asset side and the liability side to the financial markets, reflecting “the big risk questions” such as: what if the euro falls apart or another Lehman bank goes under).

• Risk elements were also integrated in the discussions and subsequent reports of the various internal cross-functional ad hoc committees and working groups.

• The information on performance provided to the board was usually an evaluation in terms of the strategic perspective, as well as in terms of the attainment of planned results and in comparison with industrial and budget forecasts, in which risk elements were implicitly included. The information was also presented in the context of general trends in the sector and in comparison to the relevant information available about competitors (which also implicitly covered competition risk and reputation risk).

• Integration with performance was also achieved at the moment of risk assessment, where the focus is on risks that directly affect the company’s key value drivers.

• Articulating risk assessment within the budgeting process was compulsory in some companies and had to be done ahead of the budget submission. It was mandatory to execute the four steps (identification, assessment, response and monitoring) for the major risks as part of the budget process.


• In most companies a formal risk assessment was included in the analysis for all investment projects beyond a certain amount, for discussion and approval by the investment authorisation committee.

• In the monthly performance reports from the segments, the risk indicators for the highly volatile risks, as well as an analysis of all significant events that arose in the interim, were included and analysed from a risk management perspective (ie, root cause analysis, corrective actions decided and direct financial consequences).

Acknowledgements

We are grateful to CIMA’s General Charitable Trust for funding this research project.

Researchers’ names and contact details

Prof Dr ir Regine Slagmulder, Full Professor and Senior Partner, Chair of the Competence Center Accounting & Finance, Vlerick Leuven Gent Management School, Reep 1, BE-9000 Gent, Belgium. T. +32 9 210 9714

Maria Boicova, Research Associate, Vlerick Leuven Gent Management School, Reep 1, BE-9000 Gent, Belgium. T. +32 9 210 9228

Abstract

Performance and risk management are two sides of the same coin. Although they have traditionally used separate information flows originating from different organisational functions, there is a tendency to link them, for example by integrating risk indicators into the company’s performance scorecard. This research investigates companies’ practices with respect to performance and risk reporting to the board of directors. Despite the board’s critical role in strategy, there has been limited research on what risk and performance information board members receive and how it is used in their strategic decisions. We analyse the content and flow of performance and risk information to the board on the basis of practices employed in several leading European companies.


© 2012, Chartered Institute of Management Accountants. All rights reserved.


978-1-85971-769-1 (print)

www.cgma.org

November 2012
