subsidiary governance conference
TRANSCRIPT
The ICSA Subsidiary Governance Conference 2016
12 October, London
Introduction from the Conference Chair
Peter Swabey FCIS, Policy & Research Director, ICSA
Assessing corporate culture at subsidiary level
Richard Sheath
12 October 2016
Culture: core questions for the Board
WHERE DO WE WANT TO GET TO?
Is there a governance structure that supports oversight and strategic leadership around culture?
HOW CAN WE BE SURE IT IS COMING TOGETHER?
How do we build evidence so we can know we are where we need to be?
Working out where we need to get to
Looking at what we’re doing as a board
What do we want to achieve and why?
What role do we need to play?
How does this fit with executive responsibilities?
What governance structure needs to be in place?
How do we…
• currently exercise oversight?
• provide leadership on behaviours?
• discuss the strategic imperatives & implications?
• consider behaviour as part of our decision-making?
• communicate our objectives and concerns?
• assess behaviour roots of performance/problems?
What are the gaps: where we are and want to get to?
Assessing what management are doing to embed the right behaviours
Building a picture of behaviours
Looking into the organisation
How do we get a view of the executive approach/actions?
How do executives manage behaviours downwards?
How does our incentive approach align?
How can we see the way cultural diversity is tackled?
How do they see what people are doing day to day?
What is the process for tackling problems?
How do we know what’s going on inside?
How do management give the Board insight?
How is the behaviour angle covered in reporting?
What is used to provide us with assurance/evidence?
How do we assess the risks?
How do we see/discuss the known problems?
Thinking through what surveys are covering
Getting a view of:
• how far expectations are understood
• how people see/react to day-to-day behaviours
• perceptions of manager
• messages/actions
• comparison of executive & manager behaviours
• views on what needs escalating and how
Extending out to subsidiary culture
WHERE DO WE WANT TO GET TO?
Is there a governance structure that supports oversight and strategic leadership around culture?
HOW CAN WE BE SURE IT IS COMING TOGETHER?
How do we build evidence so we can know we are where we need to be?
The same questions apply…
… but the context is different
STRATEGIC | ORGANISATIONAL
How far do we want the same “culture”?
How far is the same culture achievable?
What are the risks?
How is the risk appetite being applied?
What is the environment?
What is the organisational context?
What is the group/subsidiary relationship?
How is control exerted?
How does governance oversight work?
How do information/messages flow?
Putting it in context
The context is different…
STRATEGIC: The Environment
ORGANISATIONAL: Group/Subsidiary
But then follow the same basic steps…
Reach a consensus on the need
Basic steps (2)
Make sure you know what you’re aiming at - for the Group and each subsidiary
Basic steps (3)
Recognise diversity – and work out how much you want
Basic steps (4)
Determine what style of leadership you expect to see at group and subsidiary levels
Basic steps (5)
You’ve limited reach and line of sight: so understand what management are doing
Basic steps (6)
Make sure executives and management are on board – at Group and subsidiary levels
Basic steps (7)
Think through the group relationships and how they are understood
Basic steps (8)
Think through the language and communication angles
Basic steps (9)
Work out how you are going to build the picture
And only then start assessing…
Get out there…
There’s no substitute for getting out there: site visits are a core source of insight and comfort
Use what you’ve got
PUTTING TOGETHER A PICTURE THROUGH A “CULTURE & BEHAVIOUR” LENS
EXTERNAL INDICATORS
HR REPORTING
CUSTOMERS
INTERNAL CONTROL INDICATORS
STAFF FEEDBACK
SUPPLIERS
INVESTORS
COMMUNITY
NPS (Net Promoter Score)
COMPLAINTS
SOCIAL MEDIA
ABSENTEEISM
TURNOVER
EXIT INTERVIEWS
TRAINING
CONTRACT STAFF
MEDIA
WHISTLEBLOWING
COMPLIANCE BREACHES
AUDIT REPORTS
SAFETY HEALTH ENVIRONMENT
PUT TOGETHER… WHAT ARE THESE INDICATORS SUGGESTING?
MORALE & MOTIVATION
WHAT IS EXPECTED?
WHAT DO I SEE?
HOW WE TREAT PEOPLE?
TAKING RISKS
MAKING DECISIONS
What are the surveys actually covering?
And apply it to subsidiaries in the same way…
Build the same picture…
…but…
• Put it in context
• Work out with management how to distil the picture
• Understand how management are using the picture/indicators
• Link to the relative risks for each subsidiary (financial, regulatory, reputation…)
And when it comes to surveys…
• Watch the language and relevance
• Work out how you’re going to use the data
© Independent Audit Limited 2016
CONTACT: Richard Sheath: +44 (0)20 7220 6583 | [email protected]
4 Bury Street | London | EC3A 5AW | +44 (0)20 7220 6580 | www.independentaudit.com
Registered in England number 4373559 Registered Office One Glass Wharf Bristol BS2 0ZX
Panel session: working with foreign subsidiary boards
John Mills FCIS, Group Company Secretary, Anglo American
Ben Mathews FCIS, Group Company Secretary, HSBC
Roseanna Rowett
Case study: Intertek Group plc
v1.0
Ida Woodger
12 October 2016
Our Heritage
Intertek’s pioneering founders
Intertek develops into an international testing business through acquisition and organic growth
Intertek Group plc listed on the LSE
1885: Caleb Brett, cargo certification business founded
1888: Milton Hersey establishes a chemical testing laboratory in Montreal, Quebec
1896: Lamp Testing Bureau founded, later renamed ETL
1911: Moody International, Oil and Gas testing and certification business
1925: SEMKO electrical safety testing founded in Sweden
1927: Charles Warnock Company formed in Montreal, Canada to inspect steel products
1973: Labtest established in Hong Kong, initially focussing on textile testing
1984-87: Caleb Brett acquired
1987: “Inchcape Testing Services” formed
1988: ETL Testing Laboratories acquired
1989: Intertek enters China
1992: Warnock Hersey acquired
1994: SEMKO acquired
1996: Inchcape divests testing business to Charterhouse Development Capital
2002: Intertek listed on the London Stock Exchange
2009: Intertek enters the FTSE 100
2011: Moody International acquired
2015: PSI building and construction assurance business acquired
What We Do
What We Do Everyday: Assurance, Testing, Inspection, Certification
Which Economic Sectors: Products, Trade, Resources
Where: 100+ countries, 1,000+ laboratories, 40,000+ people
Our subsidiaries
33 joint-ventures
80 branches
312 wholly-owned subsidiaries
Our group structure
Intertek Group plc
UK entity 1
Middle East & Africa
China
South and South East Asia (50%)
UK entity 2
Russia, Europe & Central Asia
Australasia
North America
South and South East Asia (50%)
Our Company Secretariat support structure
Group Company Secretary
Regional Co Sec – North America
Regional Co Sec – MENAP & SE Asia
Regional Co Sec – China
Company Secretarial Admin Assistant
Deputy Company Secretary
Company Secretarial Trainee
Assistant Company Secretary
Company Secretarial Assistant
Our subsidiary governance framework
Centrally managed – from London HQ
Locally managed – in country of incorporation
Assistance from external local legal and accountancy firms as well as the Group’s Auditor
Centrally managed components
Core Controls Framework
Policy on Subsidiary and Joint-venture company boards
Parental guarantee guidelines
Group-wide Authorities Cascade
Blueprint Oneworld database – master data
Incorporations, liquidations and restructuring
Our core controls
Guidelines on Powers of Attorney
Communication and management tools
Regular catch up meetings and to-do list
Online sharing platform
Templates & procedures
Sharing the load
Record keeping
Handovers
In practice
Event / Project
01 Director and shareholder meetings
02 Change of personnel
03 Annual Report
04 Treasury and tax projects
05 Acquisitions
Key Co Sec considerations
• Legal paperwork required
• Internal approvals
• Local points of contact
• Assistance in the DD process
• Funding and paperwork
• Closing & Integration
• Accuracy of Blueprint data
• Verification material available for audit
• Changes throughout the year
• Leaver and appointment procedure
• Consider share ownership – ESS and those held on trust
• Resulting board structure changes
• Minutes and resolutions
• Verification process – officers, share capital, company information
• Reconciliation of accounts - local books vs centrally held accounts (Cognos)
Take away points
03 Don’t be a bureaucrat
02
01 Good communication is essential
Have a clearly defined strategy
Competition issues for subsidiaries and boards
Parents mind your children
Nicole Kar
October 2016
Agenda
> Application of competition law and risks to companies
> Parental liability
> Managing and mitigating risks
> What does this mean for boards?
Competition law – a primer
The basic rules
Law prohibits | Who?
Abuse of dominance | Undertakings
Restrictive agreements/collusion | Undertakings (and in the UK, Austria, Germany, Ireland) individuals
The smoke filled chat room
> Recent investigations have seen competition authorities push the limits of antitrust, and new regulators like the FCA take on antitrust powers and consider requiring expansive mandatory self-reporting of competition breaches
> Focus is now beyond the classical “smoke filled room” and looks e.g. to different fora; collusion on non-price parameters; and pure information exchange (e.g. price signalling)
Information exchange: Good, Bad, Ugly
Good | Bad | Ugly
> Historical data | > Future price/volume data or future strategic intentions | > Current data which discloses intended conduct
> Aggregated/anonymised data | > Disaggregated, company specific data | > Systemised, frequent exchanges
> Exchanges in public (i.e. the customer has equal access) | > In private | > Partly in private/partly in public – not genuinely public
> Increases transparency for consumers/consumer benefits | > Highly concentrated market (few players) | > Covers a broad part of the market which is concentrated
Competition risks
Fines
Damages claims
Damages claims
Imprisonment
Negative commercial impact
Disciplinary action
Procedural costs
Reputational damage
Company risks
Personal risks
Director disqualification
Cartel fines in the last 25 years
[Bar chart: cartel fines in EUR million for the EU, US and China, by period: 1990-1994, 1995-1999, 2000-2004, 2005-2009, 2010-2014, 2015-to date. Chart note: comparatively higher than in the previous period.]
Liability for individuals/board members in the UK
> Criminal cartel offence: no dishonesty requirement as of April 2014; is jury trial appropriate? “not in usual spectrum of fraud cases”
> Director disqualification: personal involvement; knowledge of conduct and failure to take action; where “ought to have known”
> Claiming damages from directors and employees? Safeway v Twigger: attempt to recover fines against individuals (really D&O insurance). Failed as against public policy
Advice for Directors: Insist on compliance programme and training in high risk areas (e.g. sales team in industrial companies), query anomalies.
Advice for companies: assess risk levels and tailor compliance programmes accordingly; do audits to monitor compliance; clean up conduct found.
Parental liability
Concept of parental liability
> In the EU, a parent company can be held jointly and severally liable for the conduct of its subsidiaries (in the broadest, not just accounting sense) (single economic entity doctrine)
> The parent does not need to be involved or aware of the subsidiary’s participation in the infringement
> Parental liability arises when parent and subsidiary constitute a “single undertaking” in the economic sense (the underlying legal structure is not decisive)
> The European Commission must in principle prove on the facts that the parent exercised decisive influence over the commercial policy of the subsidiary to show that they are a single undertaking (except if the parent has – almost - 100% shareholding)
The Akzo (rebuttable?) presumption
Shifts the Commission’s burden to prove that parent/subsidiary are a single economic entity, but:
> The Commission must prove that the conditions to apply the presumption are met
> The parent company must hold (almost) 100% of the subsidiary’s capital
> The Commission must identify unequivocally the addressees of the potential fine sufficiently early in the investigation (the statement of objections)
> In such cases the presumption becomes, in practice, impossible to effectively rebut
Outside Akzo
When the parent does not have (effectively) a 100% shareholding, the Commission must prove that the parent exercised actual decisive influence over the subsidiary’s commercial policy, which involves the unity of market conduct of the subsidiary and its management
> Market conduct/commercial policy includes strategic decisions and operational matters
> May be triggered at much lower levels of control (e.g. joint control and minority interests), relevant factors include actual control of the subsidiary’s board, management overlaps and reporting mechanisms
> PE investors can also be held liable if they did not act as a purely financial investor
Goldmans/Power Cables
> Commission decision in 2014 finding the Goldman Sachs Group, Inc. (GS) liable for the participation of one of its portfolio companies, Prysmian, in the Power Cables cartel (Euro 37.3m)
> GS had exited when the investigation started (and the infringement started before it purchased it)
> GS appealed the decision (ongoing proceedings before the EU General Court)
> Two clearly differentiated periods for GS, but the Commission held it liable throughout both periods
> 2005-2007: GS shareholding far below 100% for most of the period
> 2007-2009: GS minority shareholder
The Impact of Brexit
> Still a lack of clarity, but “hard” Brexit now seems likely (‘Great Repeal Bill’ to bring about a “fully independent, sovereign country” without being bound by ECJ law)
How might Brexit impact the CMA’s position towards parental liability?
> If the ECA 1972 is repealed, and the CMA is no longer bound by the European Courts’ jurisprudence (s 60 Competition Act), will it change its stance on parental liability?
> Unlikely. There are strong public policy reasons (e.g. deep pockets, deterrence, effectiveness of enforcement, recidivism uplift) for the CMA to maintain the approach taken by the EU
More generally, CMA has criminal powers and may be expected to enforce these actively without needing to think about interaction with EU law
Managing and mitigating risks
Acquiring new entities or businesses
> Pre-acquisition: due diligence should cover antitrust issues (may be difficult in an auction), identify industry hot spots and interview management. Easier when you are already active in the industry.
> Limiting risks by structuring acquisition (ideally, you will want full recourse)
> Asset deal: selling entity should not disappear, share deal: not to merge entity within acquirer
> Consider making the seller seek leniency prior to signing
Acquiring new entities or businesses cont.
> Use robust warranties and indemnities to cover possible fines and/or damage claims
> But enforceability of indemnity clauses may be challenged in the UK on the basis of the ex turpi causa maxim
> Minority investment
> Carve-out infringing company/business if have knowledge
In any event, the Commission is pushing the boundaries and the options are becoming more limited
> Act early post-acquisition: address antitrust at first board meeting, end infringement, implement effective compliance programme
Group companies’ compliance
> You will likely be liable for (indirect) subsidiaries, joint ventures and even minority investments’ conduct if there is control
> Do I want to know? TYPICALLY YES
> Effective compliance programmes, identify risk areas, but rolling out compliance programme can be seen as control!
> Any doubts/suspicions: do an audit
> If passive JV partner, ensure that there is no suggestion of control (e.g. water down your rights)
> Consider “remedial/clean up” action e.g. application for immunity/leniency
Disposals
> When selling a group company or an interest, options include:
> Clean up conduct before the sale (seek immunity if appropriate)
> Limiting warranties and indemnity exposure (ideally, you want to walk away with clean hands)
> Beware of asset sales due to residual corporate liability
> Escrow account to cover potential liability
> Record of non-involvement and compliance efforts
Conclusions
What does this mean for boards?
> Compliance fatigue: stream competition risk assessment and controls with other risk areas facing the business (ABC, sanctions, etc.) but don’t ignore competition law.
> Ensure compliance programmes and training are fit for purpose and revisited regularly (e.g. with M&A, with expansion into new geographic areas; when new teams are hired from competitors)
> Consider contractual protections in acquisitions and limit exposure when disposing of group companies or businesses
Contact
Nicole Kar
Partner, National Practice Head Competition Antitrust, London
Tel: +44 20 7456 [email protected]
Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP together with a list of those non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers or European lawyers.
Please refer to www.linklaters.com/regulation for important information on our regulatory position.
Health and Safety – Subsidiary Governance
Health and Safety: Risk & Liability Review
Ann Metherall CEng FICE Partner
24/07/15
Offence | Starting Point* | Range*
Corporate Manslaughter Act | £7.5m | £4.8 - £20m
Health & Safety at Work Act | £4m | £2.6 - £10m
*assumes very high culpability and a turnover greater than £50m
How can the firebreak be undermined?
Purpose of limited liability subsidiaries? Tax? Firebreak?
• H&S obligations
• Cases of
• Chandler v Cape [2012]
• Thompson v Renwick [2014]
• R v CAV Aerospace [2015]
• Risk Factors
• Practical Steps
Health & Safety Obligations/Consequences
Corporate Manslaughter: Duty of care based on negligence principles
Gross breach caused substantially by the way senior management organises its business
HSWA: “organisations must ensure safety so far as reasonably practicable”
s.2: Employees
s.3: Everyone else affected by “scope of undertaking”
Factual question
Corporate Manslaughter creates no new obligations, just increases the consequences
Chandler v Cape plc [2012]
• Claimant employed by a Cape subsidiary
• Exposed to asbestos dust
• Cape plc accepted subsidiary failed in its duty of care
• Subsidiary dissolved
• Claim against Cape plc
• Group Medical Advisor and scientific officer
• Board discussion on aspects of production
• Cape knew its subsidiary arrangements were defective
Court of Appeal found for the claimant because Cape plc’s knowledge of the condition and asbestos risk meant it had a duty of care to advise the subsidiary what to do or to ensure steps were taken
Risk Factors
Business of parent & subsidiary are the same
Parent has or ought to have had superior H&S knowledge
Parent knew or ought to have known system of work unsafe
Parent ought to have foreseen subsidiary would rely on it
Pure holding company may reduce risk
Factual and what does the parent say in its safety management system?
Audits increase and reduce risk. Ignoring warnings from subsidiary increases risk
Centralised advice and medical support and practice of intervention generally
Thompson v The Renwick Group plc [2014]
• Claimant employed by a Renwick subsidiary
• Exposed to raw asbestos
• Subsidiary had no EL insurance or assets
• Claim against parent company
• No group directors on subsidiary board and subsidiary run by an “unconnected director”
Applying factors in Chandler, Court of Appeal found not liable on facts
Risk Factors
Business of parent & subsidiary are the same
Parent has or ought to have had superior H&S knowledge
Parent knew or ought to have known system of work unsafe
Parent ought to have foreseen subsidiary would rely on it
Pure holding company reduces risk
What does the Group say it does in its safety policy and management system?
Audits both increase and reduce risk. Ignoring warnings from subsidiary increases risk
Centralised advice and medical support
Appointment of directors: Mere appointment of subsidiary director not enough
Sharing resources: Co-operation between subsidiary without parent control ok. Problem if parent controls key element e.g. delivery/finance
Corporate branding: Avoid assets and paperwork asserting work done or decisions made on behalf of parent
R v CAV Aerospace [2015]
• Fatally injured person employed by CAV subsidiary
• Killed when stack of metal billets collapsed
• Corporate manslaughter and HSWA prosecution of CAV A
• Cases of Chandler and Thompson considered when establishing duty of care
• CAV A treated CAV C as supplier but did not give it control (no FD and purchasing and stock control governed by CAV A)
• Ignoring warning of near misses was most aggravating feature
Convicted of both offences
Fined £600,000
Risk Factors
Business of parent & subsidiary are the same
Parent has or ought to have had superior H&S knowledge
Parent knew or ought to have known system of work unsafe
Parent ought to have foreseen subsidiary would rely on it
Pure holding company reduces risk
What does the Group say it does in its safety policy and management system?
Audits both increase and reduce risk. Ignoring warnings from subsidiary increases risk
Centralised advice and medical support
Appointment of directors: Mere appointment of subsidiary director not enough
Sharing resources: Co-operation between subsidiary without parent control ok. Problem if parent controls key element e.g. delivery
Corporate branding: Avoid assets and paperwork asserting work done or decisions made on behalf of parent
Conflict of interest/direction and control
Run as a business division - no separate financial function
Lack of independence
Overlap of directors
A question of risk
Increased control may mitigate risk of safety failures
But increase exposure if something goes wrong
May be tainted anyway?
Practical Steps
• How likely are CM prosecutions? Does it matter?
• Rarely can Parent avoid any scrutiny
• Identify where in the organisation safety management decisions should be taken
• Robust on how decisions are recorded
• Does the safety management system reflect the reality?
• Check terms of reference for oversight committees
• How are decisions in JVs and SPVs taken?
• Robust and independent audit of subsidiary
• Follow through on actions and do not leave recommendations hanging
• Acquisitions
• Check how business fits into safety management structure
• Does company come with the competence to run it?
There was no clear and realistic thought given to the relationship between CAV A and CAV C particularly at the level of senior management and above.
Ann Metherall
Partner
T: +44(0)117 902 6629
M: +44(0)7980 984 071
E: [email protected]
Thank you
This presentation gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content. © Burges Salmon 2016
Governance | Risk Management | Assurance © 2016 AndersonRisk
Risk Culture v Organisational Culture
Richard Anderson, Director, AndersonRisk
My agenda for today
• Why is risk culture important to business?
• Who has been talking about a “risk” culture?
• VW – a case study
• FRC, IIA, CIMA, CIPD, CVF – what are they saying?
• What do I think?
• A possible approach…
• Wrap up and questions
Why is risk culture important to business?
Five reasons: because of…
• People
• 300 years of failure
• Risk appetite
• Extended enterprise
• Societal impact
People
Human nature is …
Individualist … or … collectivist
What do you believe … ? I or C? Which do you think?
The way we live …
“superiors” tell “inferiors” … or … “equals” negotiate the “rules”
Prescribed/In-equal … versus … Prescribing/Equal
Tell or Negotiate? T or N? Which way does it work?
[Diagram: four quadrants (Fatalist, Individualist, Egalitarian, Hierarchist) on the axes I / C and Tell / Negotiate, carrying the labels: Richard Branson, Philip Green, Entrepreneur; Greenpeace, Environmentalist; Prince Charles; Typical Government Chief Scientist; What will be will be]
300 years of failure
The South Sea Bubble (1720)
Savings & Loans (1986 - 1995)
Polly Peck (1990)
Maxwell (1991)
Enron and .com Bubble (2001)
Marconi (2006)
Banking Crisis (2008)
BP (2010)
HSBC (2012)
Wal-Mart (2012)
Tesco (2014)
Volkswagen (2015)
COSO Internal Control I & II
COSO ERM I & II (almost)
Cadbury to Corporate Governance Code
CoCo
King I, II & III
And the next disaster is being incubated right now…
Risk Appetite
But any model of Risk Appetite makes heroic assumptions about the ability of the people in the organisation to cope within the ranges it sets…
The extended enterprise
[Diagram: Joint Endeavour and Outcomes across Multiple Economies in Multiple Societies, surrounded by the labels Customer 1, Customer 2, Customer 3, IP Owner, Regulator, Sub-Contractor 1, Sub-Contractor 2, IT Outsource Provider, Government, Supplier 1, Supplier 2, Agents, Prime Contractor, Labour]
[Diagram: Joint Endeavour and Outcomes across Multiple Economies in Multiple Societies, with the labels Extent of Shared Values, Allocation of Incentives, Relative Power, Regulatory Influence]
Culture is KING in managing across the Extended Enterprise…
Societal impact
Because the societal impact of failure is leading to breakdowns in society as witnessed in BREXIT and the rise of nationalism and protectionism versus free trade and globalisation
Who has been talking about risk culture?
The commentators
Organisation | Title | Pages | Culture | Risk Culture
DoJ (2010) | Bribery Act | 43 | 7 (16%) | Nil (0%)
NAO (2011) | Managing Risk in Government | 18 | 4 (22%) | Nil (0%)
IRM (2012) | Risk Culture – resources for practitioners | 114 | 893 (783%) | 344 (302%)
FRC (2014) | Risk Management etc | 28 | 20 (71%) | Nil (0%)
FSB (2014) | Guidance […] on Risk Culture | 14 | 100 (714%) | 70 (500%)
The FRC
• The board’s responsibility for the organisation’s culture is essential to the way in which risk is considered and addressed within the organisation and with external stakeholders.
• The board must determine its willingness to take on risk, and the desired culture within the company.
• The board has ultimate responsibility for RM…, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded.
• Training and communication assist in embedding the desired culture and behaviours in the company. To build a company culture that recognises and deals with risk, it is important that the RM and IC systems consider how the expectations of the board are to be communicated to staff and what training may be required.
Governance | Risk Management | Assurance © 2016 AndersonRisk
Department of Justice
Principle 2 - Top-level commitment
• “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”
• “Those at the top of an organisation are in the best position to foster a culture of integrity where bribery is unacceptable. The purpose of this principle is to encourage the involvement of top-level management in the determination of bribery prevention procedures. It is also to encourage top-level involvement in any key decision making relating to bribery risk where that is appropriate for the organisation’s management structure.”
FSB
• “An anticipatory and strategic approach to supervision rests, among other things, on the ability to engage in high-level sceptical conversations with the board and senior management on the financial institution’s risk appetite framework, and whether the institution’s risk culture supports adherence to the board-approved risk appetite.”
• “Culture can be a very complex issue as it involves behaviours and attitudes. But efforts should be made by financial institutions and supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.”
The FSB’s top four indicators of the risk culture
• Tone from the top;
• Accountability;
• Effective communication and challenge; and
• Incentives.
IRM Risk Culture Framework
IRM’s risk culture framework looks at component parts making up an organisation’s risk culture
• How will I react?
• How will I respond in recognition of other competing needs?
• What will I do?
• What will we do?
• Our overall risk culture
This is upside down… and probably back to front... Risk culture and organisational culture are neither nested, nor necessarily the same
Risk culture aspects model
Likewise this does not tell you anything about HOW to manage the culture, or HOW to measure it. Great conceptually, but hopeless managerially…
VW: a case study
Objectives
• To be the biggest car manufacturer in the world
• To move motorists across to diesel engines as requested by the EU
• To demonstrate compliance with Californian air quality requirements
Core personal values
1. Social responsibility: Innovative employment models and social involvement.
2. Sustainability: Human rights, labour standards, environmental protection: there are many facets to sustainability.
3. A spirit of partnership: Equality and humanity: fairness is important to us.
4. "Pro Ehrenamt" volunteering initiative: Have you ever thought about becoming a volunteer? There are many ways to get involved - and there's one near you.
Sustainability
“We aim to be the world’s most successful, fascinating and sustainable automobile manufacturer. For the Volkswagen Group, sustainability means that we conduct our business activities on a responsible and long-term basis and do not seek short-term success at the expense of others. Our intention is that everyone should profit from our growth – our customers and investors, society and, of course, our employees. In this way, good jobs and careful treatment of resources and the environment form the basis for generating lasting values.”
Global Compact
• Since 2002, Volkswagen has been involved in one of the largest and most important CSR initiatives in the world
• This sets out the Ten Principles of human rights covering working standards, environmental protection and combating corruption
• “Together with 12,000 companies from over 170 countries, Volkswagen works in diverse international CSR projects towards making the global economy more sustainable and fairer. An annual progress report documents our projects.”
Failing to live up to their standards
• Emitting larger amounts of NOx than allowed was not in line with looking after the Human Rights of communities where their cars were sold;
• Lying to regulators by installing this software is fundamentally corrupt when you define corruption as “the abuse of entrusted power for private gain”; and
• Clearly the engineering solution was not consistent with environmental protection.
Where they failed
1. Values
2. Silos
3. Layering
4. Short-termism
5. Control v Risk
6. Obstruction
7. Black holes
FRC, IIA, CIMA, CIPD, CVF – what are they saying?
The Culture Coalition
Organisation | Title | Pages | Culture | Risk Culture
FRC (2016) | Corporate Culture and the role of boards | 62 | 435 (702%) | 7 (11%)
IIA (2016) | Organisational Culture | 27 | 366 (1,355%) | 31 (115%)
CIMA (2016) | Rethinking the Business Model | 38 | 5 (13%) | 0 (0%)
CIPD (2016) | A Duty to Care | 38 | 381 (1,002%) | 0 (0%)
CVF (2016) | Governing Culture, Risk & Opportunity | 30 | 130 (433%) | 0 (0%)
FRC guidance on culture: a missed opportunity
62 pages of platitudes:
• How chairmen and chief executives are vital to the culture;
• How non-executive directors should probably be involved, but poor individuals, they find it hard;
• How culture is so very important, but it really is difficult;
• How important it is for directors to exhibit their corporate values;
• How hard pressed heads of internal audit want to do work in this area, but their boards are not ready
My conclusions on the FRC report
So rather than see some wishy-washy platitudes with “suggested” topics for boardrooms to discuss, when they get round to it, it is time for the FRC to commission first class research from people who have genuinely thought about the subject – both academics and practitioners. And then we can talk constructively about the importance of culture versus risk culture and just how we can measure and manage both of them.
Let’s move on beyond the 1980’s views of risk management exhibited here
And the others
• CIIA: only about assurance. Little about managing the culture or risk culture and no reference to the differences
• CIMA: seem to have forgotten the topic
• CIPD: NOTHING about risk culture
• CVF: Ditto
The risk…
The participants in the FRC’s Culture project, led by the FRC, have let directors wriggle off the hook and substantially to ignore Organisational Culture (because they only spoke in platitudes) and totally to ignore Risk Culture which barely gets a mention.
The next disaster is incubating right now and nobody is doing anything to stop it…
What do I think?
Risk v Organisational Culture
Unlike some, I firmly believe that there is a major difference between the “Culture” of an organisation and the “Risk Culture”. I also think that the two elements are entirely measurable by looking at the conversations and risk conversations (the cultural DNA) in the organisation.
Culture:
The culture of the organisation is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.
Risk Culture:
“The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”
My model of risk management has now changed…
Traditionally I see risk management as a trade off between two pairs of tensions:
1. Taking more managed risk – v – Avoiding pitfalls
AND
2. Performance culture – v – Corporate ethics and behaviours
I now add a third pair of tensions
3. Allowing the needs of today to dominate because of the corporate culture – v – Allowing the needs of tomorrow to dominate because of the risk culture
In summary, I think that…
• Organisational Culture and Risk Culture are different
• Both are vital to retaining and growing long term sustainable value
• The Risk Culture is poorly understood but ignoring it is potentially very dangerous
• VW, the GFC, HSBC, and LIBOR show that problems STILL exist
• We MUST demonstrate to boards why this is important
• We MUST develop practical approaches to managing Risk Culture
A possible approach…
Assessing the Risk Culture: three traditional steps
• Desk Top Research. But… not often that much policy worthy of review in terms of risk culture
• Surveys. But… Most surveys suffer from groupthink and you can’t move beyond it
• Interviews. But… Most senior people will give the right answer anyway so you learn little
And they are ALL subjective and therefore of limited value in determining what changes need to be made…
So we have introduced a fourth step
• Desk Top Research
• Surveys
• Interviews
• Conversations in Risk
Which will…
Provide more rich, actionable data than all of the other approaches combined, give you insight into your values, and provide both board-level metrics and data which you can use to actively “manage” the risk culture
Conversations in risk management
[Diagram labels: You; CFO; CEO; Suppliers; Clients; CMO; Back Office]
All organisations function on the back of “conversations” of all sorts between people. Some are formal, some informal, some are written, some are only oral, some are recorded in minutes, some aren’t. These are the DNA of the Culture. And those about “risks” are the DNA of the Risk Culture.
Production and Projects
[Chart categories: Production and Projects; Sustainability and HSE; Drilling; Exploration & New Business; Finance; Other. Axis: 0% to 75%]
In this organisation, there were six organisational departments. “Production and Projects” talked a lot about risk, but 73% of their conversations were WITH THEMSELVES: they were not dealing with risk by talking to other experts in the organisation… About 22% were with their “Sustainability and HSE” department.
Sustainability and HSE
[Chart categories: Production and Projects; Sustainability and HSE; Drilling; Exploration & New Business; Finance; Other. Axis: 0% to 75%]
But the “Sustainability and HSE” department was not listening because less than 10% of their risk discussions were with Production and Projects and a whopping 72% were WITH THEMSELVES. This organisation was HOPELESSLY silo’ed and they did not recognise it in themselves. They needed to work together because of the economic environment, but their risk culture was shot to pieces and the business was following downhill.
Three states for a conversation
• Unmatched
• Partially Matched
• Completely Matched
The Desired Direction of Travel
This diagram, straight from our system, shows all of the participants in the exercise and (rather depressingly) shows that none of the conversations was matched. They had a lot of work to do to turn this round, and they needed to do so quickly
This picture simply illustrates the richness of the data showing linkages between individuals. Each connection is based on a set of data that we analyse and summarize to come to the board level view. It also explains why the underlying data are actionable…
And where cultures clash…
Issues which any board should want to know about:
• Values: Significant deviations from the board’s values.
• Silos: Especially where an organisation is facing complexity in its dealings internally or externally.
• Layering: Layered management reporting prevents new issues being spotted on a timely basis.
• Short-termism: Extrapolation from past behaviours is not necessarily good enough for dealing with new futures.
And where cultures clash…
Issues which any board should want to know about:
• Control v Risk: Control (or risk control) management instead of risk management.
• Obstruction: Individually obstructive nodes can be very dangerous.
• Black holes: Sometimes it is difficult to discern any volume of conversations about risks.
Wrap up and questions?
Resources:
1. IRM Risk Appetite and Tolerance Guidance: https://www.theirm.org/media/464806/IRMRiskAppetiteExecSummaryweb.pdf
2. IRM Risk Culture Guidance: https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf
3. FRC Culture document: https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Corporate-Culture-and-the-Role-of-Boards-Report-o.pdf
4. FSB Risk Culture: http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1
5. AndersonRisk Commentary on Risk Culture: http://andersonrisk.com/publications/downloads/ (and check my publications on LinkedIn)
6. AndersonRisk board agenda: http://andersonrisk.com/publications/downloads/
7. AndersonRisk blog: http://andersonrisk.com/conversations/
[email protected]: +44(0)7807 780284www.AndersonRisk.com
Thank you!
Thank you for joining us