subsidiary governance conference

The ICSA Subsidiary Governance Conference 201612 October, London

Introduction from the Conference ChairPeter Swabey FCIS, Policy & Research Director, ICSA

Assessing corporate culture at subsidiary level

Richard Sheath

12 October 2016

Culture: core questions for the Board (1)

WHERE DO WE WANT TO GET TO?Is there a governance structure that supports oversight and strategic

leadership around culture?

Working out where we need to get to

Looking at what we’re doing as a board

1

Culture: core questions for the Board (2)

WHERE DO WE WANT TO GET TO?Is there a governance structure

that supports oversight and strategic leadership around

culture?

HOW CAN WE BE SURE IT IS COMING TOGETHER?

How do we build evidence so we can know are where we need to

be?Working out

where we need to get to

Looking at what we’re doing as

a board

Assessing what management are doing to embed

the right behaviours

Building a picture of

behaviours

Looking into the

organisation

1

Culture: core questions for the Board

1

WHERE DO WE WANT TO GET TO?Is there a governance structure that supports oversight

and strategic leadership around culture?

HOW CAN WE BE SURE IT IS COMING TOGETHER?How do we build evidence so we can know are where we

need to be?

Working out where we need to get to

Looking at what we’re doing as a board

What do we want to achieve and why?What role do we need to play?How does this fit with executive responsibilities?What governance structure needs to be in place?

How do we…• currently exercise

oversight? • provide leadership on

behaviours?• discuss the strategic

imperatives & implications?

• consider behaviour as part of our decision-making?

• communicate our objectives and concerns?

• assess behaviour roots of performance/problems?

What are the gaps: where we are and want to get to?

Assessing what management are doing to embedthe right behaviours

Building a picture of behaviours

Looking into the organisation

How do we get a view of the executive approach/actions?How do executives manage behaviours downwards?How does our incentive approach align?How can we see the way cultural diversity is tackled?How do they see what people are doing day to day?What is the process for tackling problems? How do we know what’s going on inside?

How do management give the Board insight?

How is the behaviour angle covered in reporting?

What is used to provide us with assurance/evidence?

How do we assess the risks?

How do we see/discuss the known problems?

Thinking through what surveys are coveringGetting a view of:• how far expectations

are understood• how people see/react

to day-to-day behaviours

• perceptions of manager

• messages/actions• comparison of

executive & manager behaviours

• views on what needs escalating and how

Extending out to subsidiary culture

WHERE DO WE WANT TO GET TO?Is there a governance structure

that supports oversight and strategic leadership around

culture?

HOW CAN WE BE SURE IT IS COMING TOGETHER?

How do we build evidence so we can know are where we need to

be?

The same questions apply…

… but the context is different

STRATEGIC ORGANISATIONAL

How far do we want the same “culture”?How far is the same culture achievable?What are the risks?

How is the risk appetite being applied?

What is the environment?

What is the organisational context?

What is the group/subsidiary relationship?

How is control exerted?

How does governance oversight work?

How do information/messages flow?

2

Putting it in context

STRATEGICThe

Environment

The context is different…ORGANISATIONA

LGroup/

Subsidiary

3

But then follow the same basic steps…

Reach a consensus on the need

4

Basic steps (2)

Make sure you know what you’re aiming at - for the Group and each subsidiary

5

Basic steps (3)

Recognise diversity – and work out how much you want

6

Basic steps (4)

Determine what style of leadership you expect to see at group and subsidiary levels

7

Basic steps (5)

You’ve limited reach and line of sight: so understand what management are doing

8

Basic steps (6)

Make sure executives and management are on board – at Group and subsidiary levels

9

Basic steps (7)

Think through the group relationships and how they are understood

10

Basic steps (8)

Think through the language and communication angles

11

Basic steps (9)

Work out how you are going to build the picture

12

And only then start assessing…

13

Get out there…

There’s no substitute for getting out there: site visits are a core source of insight and comfort

14

Use what you’ve got PUTTING TOGETHER A PICTURE THROUGH A “CULTURE & BEHAVIOUR”

LENSEXTERNAL

INDICATORSHR

REPORTINGCUSTOMERS

INTERNAL CONTROL

INDICIATORS

STAFFFEEDBACK

SUPPLIERS

INVESTORS

COMMUNITYNPS

Net Promoter Score

COMPLAINTS

SOCIAL MEDIA

ABSENTEEISM

TURNOVER

EXIT INTERVIEWS

TRAINING

CONTRACT STAFF

MEDIA

WHISTLEBLOWING

COMPLIANCE BREACHES

AUDIT REPORTS

SAFETYHEALTH ENVIRONMENT

PUT TOGETHER…WHAT ARE THESE INDICATORS SUGGESTING?

MORALE & MOTIVATION

WHAT IS EXPECTED?

WHAT DO I SEE?

HOW WE TREAT PEOPLE?

TAKING RISKS

MAKING DECISIONS

What are the surveys actually

covering?

15

And apply it to subsidiaries in the same way…

…but…

• Put it in context

• Work out with management how to distil the picture

• Understand how management are

using the picture/indicators • Link to the relative risks for each

subsidiary (financial, regulatory, reputation…)

Build the same picture… And when it comes to surveys…• Watch the language and relevance • Work out how you’re going to use the data

16

© Independent Audit Limited 2016

CONTACT:Richard Sheath: +44 (0)20 7220 6583 | [email protected]

4 Bury Street | London | EC3A 5AW | +44 (0)20 7220 6580 | www.independentaudit.comRegistered in England number 4373559 Registered Office One Glass Wharf Bristol BS2 0ZX

Panel session: working with foreign subsidiary boardsJohn Mills FCIS, Group Company Secretary, Anglo AmericanBen Mathews FCIS, Group Company Secretary, HSBC

Roseanna Rowett

Case study: Intertek Group plc

v1.0

Ida Woodger

12 October 2016

25

Our Heritage

1996: Inchcape divests testing

business to Charterhouse

Development Capital

1885: Caleb Brett, cargo certification business founded

1896: Lamp Testing Bureau founded, later

renamed ETL

1973: Labtest established in Hong Kong,

initially focussing on textile testing

1900 2002

2015: PSI building and construction

assurance business acquired

2011: Moody International

acquired

1925: SEMKO electrical

safety testing founded in Sweden

1988: ETL Testing

Laboratories acquired

1984-87: Caleb Brett

acquired

1992: Warnock Hersey acquired

1994: SEMKO acquired

1888: Milton Hersey establishes a chemical testing

laboratory in Montreal, Quebec

1996-021970

Intertek Group plc listed on the LSE

Intertek develops into an international testing business through acquisition and organic growth

2002: Intertek listed on the

London Stock Exchange

2009: Intertek enters the FTSE 1001987: “Inchcape Testing Services”

formed

Intertek’s pioneering founders

1911: Moody International, Oil and Gas testing and certification

business

1880

1927: Charles Warnock Company formed in Montreal, Canada to

inspect steel products

1989: Intertek enters China

26

What We Do

What We Do Everyday Which Economic SectorsWhere

Assurance

Testing

Inspection

Certification

Products

Trade

Resources100+ countries

1,000+ laboratories40,000+ people

27

Our subsidiaries

33joint-ventures

80branches

312wholly-owned subsidiaries

28

Our group structure

Intertek Group plc

UK entity 1

Middle East & Africa China

South and South East Asia (50%)

UK entity 2

Russia, Europe &

Central AsiaAustralasia North

AmericaSouth and South East Asia (50%)

29

Our Company Secretariat support structure

Group Company Secretary

Regional Co Sec – North America

Regional Co Sec – MENAP & SE

Asia Regional Co Sec

– ChinaCompany

Secretarial Admin Assistant

Deputy Company Secretary

Company Secretarial

Trainee

Assistant Company Secretary

Company Secretarial Assistant

30

Our subsidiary governance framework

Centrally managed – from London HQ

Locally managed – in country of incorporation

Assistance from external local legal and accountancy firms as well as the Group’s Auditor

31

Centrally managed components

Core Controls

Framework

Policy on Subsidiary and Joint-venture

companyboards

Parental guarantee guidelines

Group-wide Authorities

Cascade

Blueprint Oneworld

database – master data

Incorporations, liquidations

andrestructuring

31

Our core controls

Guidelines on Powers of Attorney

32

Regular catch up meetings and to-

do list

Online sharing platform

Templates & procedures

Sharing the load Record keeping Handovers

Communication and management tools

33

In practice

Event / Project

• Legal paperwork required

• Internal approvals

• Local points of contact

Key Co Sec considerations

Director and

shareholder

meetings

01

• Assistance in the DD process

• Funding and paperwork

• Closing & Integration

Change of personnel02

• Accuracy of Blueprint data

• Verification material available for audit

• Changes throughout the year

Annual Report03

• Leaver and appointment procedure

• Consider share ownership – ESS and those held on trust

• Resulting board structure changes

Treasury and tax

projects04

• Minutes and resolutions

• Verification process – officers, share capital, company information

• Reconciliation of accounts - local books vs centrally held accounts (Cognos)

Acquisitions05

34

Take away points

03 Don’t be a bureaucrat

02

01 Good communication is essential

Have a clearly defined strategy

The Subsidiary Governance Conference 201612 October, London

Competition issues for subsidiaries and boards

Parents mind your children

Nicole Kar

October 2016

37

Agenda

> Application of competition law and risks to companies

> Parental liability

> Managing and mitigating risks

> What does this mean for boards?

38

Competition law – a primer

39

The basic rules

Law prohibits Who?

Abuse of dominance Undertakings

Restrictive agreements/collusion Undertakings (and in the UK, Austria, Germany, Ireland) individuals

40

The smoke filled chat room

> Recent investigations have seen competition authorities push the limits of antitrust and new regulators like the FCA take on antitrust powers and consider requiring expansive mandatory self reporting of competition breaches

> Focus is now beyond the classical “smoke filled room” and looks e.g. to different fora; collusion on non price parameters; and pure information exchange (e.g. price signalling),

41

Information exchange: Good, Bad, Ugly

Good Bad Ugly> Historical data > Future price/volume

data or future strategic intentions

> Current data which discloses intended conduct

> Aggregated/ anonymised data

> Disaggregated, company specific data

> Systemised, frequent exchanges

> Exchanges in public (i.e. the customer has equal access)

> In private > Partly in private/partly in public – not genuinely public

> Increases transparency for consumers/consumer benefits

> Highly concentrated market (few players)

> Covers a broad part of the market which is concentrated

42

Competition risks

Fines

Damages claims Damages

claims

Imprisonment

Negative commercial

impact Disciplinary action

Procedural costs

Reputational damage

Company risks

Personal risks

Director disqualification

43

Cartel fines in the last 25 years

1990-1994 1995-1999 2000-2004 2005-2009 2010-2014 2015-to date0

1000

2000

3000

4000

5000

6000

7000

8000

9000

344 271

3157

7969

8700

4332

127

1419938

2332

3363

2750

264

1061

EU US

China

Million (EUR)

Comparatively higher than in the previous period

44

Liability for individuals/board members in the UK

> Criminal cartel offence: no dishonesty requirement as of April 2014; is jury trial appropriate? “not in usual spectrum of fraud cases”

> Director disqualification: personal involvement; knowledge of conduct and failure to take action; where “ought to have known”

> Claiming damages from directors and employees? Safeway v Twigger: attempt to recover fines against individuals (really D&O insurance). Failed as against public policy

Advice for Directors: Insist on compliance programme and training in high risk areas (e.g sales team in industrial companies), query anomalies.

Advice for companies: assess risk levels and tailor compliance programmes accordingly; do audits to monitor compliance; clean up conduct found.

45

Parental liability

46

Concept of parental liability

> In the EU, a parent company can be held jointly and severally liable for the conduct of its subsidiaries (in the broadest, not just accounting sense) (single economic entity doctrine)

> The parent does not need to be involved or aware of the subsidiary’s participation in the infringement

> Parental liability arises when parent and subsidiary constitute a “single undertaking” in the economic sense (the underlying legal structure is not decisive)

> The European Commission must in principle prove on the facts that the parent exercised decisive influence over the commercial policy of the subsidiary to show that they are a single undertaking (except if the parent has – almost - 100% shareholding)

47

The Akzo (rebuttable?) presumption

Shifts the Commission’s burden to prove that parent/subsidiary are a single economic entity, but:

> The Commission must prove that the conditions to apply the presumption are met

> The parent company must hold (almost) 100% of the subsidiary’s capital

> The Commission must identify unequivocally the addressees of the potential fine sufficiently early in the investigation (the statement of objections)

> In such cases the presumption becomes, in practice, impossible to effectively rebut

48

Outside Akzo

When the parent does not have (effectively) a 100% shareholding, the Commission must prove that the parent exercised actual decisive influence over the subsidiary’s commercial policy, which involves the unity of market conduct of the subsidiary and its management

> Market conduct/commercial policy includes strategic decisions and operational matters

> May be triggered at much lower levels of control (e.g. joint control and minority interests), relevant factors include actual control of the subsidiary’s board, management overlaps and reporting mechanisms

> PE investors can also be held liable if they did not act as a purely financial investor

49

Goldmans/Power Cables

> Commission decision in 2014 finding the Goldman Sachs Group, Inc. (GS) liable for the participation of one of its portfolio companies, Prysmian, in the Power Cables cartel (Euro 37.3m)

> GS had exited when the investigation started (and the infringement started before it purchased it)

> GS appealed the decision (ongoing proceedings before the EU General Court)

> Two clearly differentiated periods for GS, but the Commission held it liable throughout both periods

> 2005-2007: GS shareholding far below 100% for most of the period

> 2007-2009: GS minority shareholder

50

The Impact of Brexit

> Still a lack of clarity, but “hard” Brexit now seems likely (‘Great Repeal Bill’ to bring about a “fully independent, sovereign country” without being bound by ECJ law)

How might Brexit impact the CMA’s position towards parental liability?

> If the ECA 1972 is repealed, and the CMA is no longer bound by the European Courts’ jurisprudence (s 60 Competition Act), will it change its stance on parental liability?

> Unlikely. There are strong public policy reasons (e.g. deep pockets, deterrence, effectiveness of enforcement, recidivism uplift) for the CMA to maintain the approach taken by the EU

More generally, CMA has criminal powers and may be expected to enforce these actively without needing to think about interaction with EU law

51

Managing and mitigating risks

52

Acquiring new entities or businesses

> Pre-acquisition: due diligence should cover antitrust issues (may be difficult in an auction), identify industry hot spots and interview management. Easier when you are already active in the industry.

> Limiting risks by structuring acquisition (ideally, you will want full recourse)

> Asset deal: selling entity should not disappear, share deal: not to merge entity within acquirer

> Consider making the seller seek leniency prior to signing

53

Acquiring new entities or businesses cont.

> Use robust warranties and indemnities to cover possible fines and/or damage claims

> But enforceability of indemnity clauses may be challenged in the UK on the basis of the ex turpi causa maxim

> Minority investment

> Carve-out infringing company/business if have knowledge

In any event, the Commission is pushing the boundaries and the options are becoming more limited

> Act early post-acquisition: address antitrust at first board meeting, end infringement, implement effective compliance programme

54

Group companies’ compliance

> You will likely be liable for (indirect) subsidiaries, joint ventures and even minority investments’ conduct if there is control

> Do I want to know? TYPICALLY YES

> Effective compliance programmes, identify risk areas, but rolling out compliance programme can be seen as control!

> Any doubts/suspicions: do an audit

> If passive JV partner, ensure that there is no suggestion of control (e.g. water down your rights)

> Consider “remedial/clean up” action e.g. application for immunity/leniency

55

Disposals

> When selling a group company or an interest options include:

> Clean up conduct before the sale (seek immunity if appropriate)

> Limiting warranties and indemnity exposure (ideally, you want to walk away with clean hands)

> Beware of asset sales due to residual corporate liability

> Escrow account to cover potential liability

> Record of non-involvement and compliance efforts

56

Conclusions

57

What does this mean for boards?

> Compliance fatigue: stream competition risk assessment and controls with other risk areas facing the business (ABC, sanctions, etc.) but don’t ignore competition law.

> Ensure compliance programmes and training is fit for purpose and revisited regularly (e.g with M&A, with expansion into new geographic areas; when new teams are hired from competitors)

> Consider contractual protections in acquisitions and limit exposure when disposing of group companies or businesses

58

Contact

Nicole KarPartner, National Practice Head Competition Antitrust, LondonTel: +44 20 7456 [email protected]

Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP together with a list of those non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers or European lawyers.

Please refer to www.linklaters.com/regulation for important information on our regulatory position.

http://www.linklaters.com/regulation

Health and Safety – Subsidiary Governance

Health and Safety: Risk & Liability Review

Ann Metherall CEng FICE Partner


24/07/15


Offence Starting Point*

Range*

Corporate ManslaughterAct

£7.5m £4.8 - £20m

Health & Safety at Work Act

£4m £2.6 - £10m

*assumes very high culpability and a turnover greater than £50m


How can the firebreak be undermined?

• H&S obligations

• Cases of

• Chandler v Cape [2012]• Thompson v Renwick [2014]• R v CAV Aerospace [2015]

• Risk Factors

• Practical Steps

Purpose of limited liability subsidiaries?

Tax? Firebreak?


Health & Safety Obligations/Consequences

Corporate ManslaughterDuty of care based on negligence principles

HSWA“organisations must ensure safety so far as

reasonably practicable

s.2 s.3

Everyone else affected by “scope of undertaking”

Factual question

Employees

Gross breach caused substantially by the way

senior management organises its business

Corporate Manslaughter creates no new obligations

just increases the consequences


Chandler v Cape plc [2012]

• Claimant employed by a cape subsidiary• Exposed to asbestos dust• Cape plc accepted subsidiary failed in its duty of care• Subsidiary dissolved• Claim against Cape plc

• Group Medical Advisor and scientific officer • Board discussion on aspects of production• Cape knew its subsidiary arrangements were defective

Court of Appeal found for claimant because of its knowledge of the condition and asbestos risk meant it had a duty of care to advise the subsidiary what to do or to ensure steps were taken


Pure holding company may

reduce risk

Factual and what does the parent say in its

safety management

system?

Audits increase and reduce risk.

Ignoring

warnings from subsidiary

increases risk

Centralised advice and

medical support and practice of

intervention generally

Parent ought to have

foreseen subsidiary

would rely on it

Risk Factors

Business of parent &

subsidiary are the same

Parent has or ought to have had superior

H&S knowledge

Parent knew or ought to have known system of work unsafe


Chandler v Cape plc [2012] Thompson v The Renwick Group plc [2014]

• Claimant employed by a cape subsidiary• Exposed to asbestos dust• Cape plc accepted subsidiary failed in its duty of care• Subsidiary dissolved• Claim against Cape plc

• Group Medical Advisor and scientific officer • Board discussion on aspects of production• Cape knew its subsidiary arrangements were defective


• Claimant employed by a Renwick subsidiary• Exposed to raw asbestos• Subsidiary had no EL insurance or assets• Claim against parent company

• No group directors on subsidiary board and subsidiary run by an “unconnected director”

Applying factors in Chandler, Court of Appeal found not liable on facts


Mere appointment of

subsidiary director not

enough

Appointment of directors

Co-operation between subsidiary

without parent control ok.

Problem if parent controls key element e.g.

delivery/finance

Sharing resources

Avoid assets and paperwork asserting

work done or decisions made on

behalf of parent

Corporate branding

Pure holding company

reduces risk

What does the Group

say it does in its safety

policy and management

system?

Audits both increase and reduce risk.

Ignoring warnings from

subsidiary increases risk


medical support


foreseen subsidiary

would rely on it

Risk Factors




H&S knowledge



Chandler v Cape plc [2012] Thompson v The Renwick Group plc [2014]

R v CAV Aerospace [2015]

• Claimant employed by a cape subsidiary• Exposed to asbestos dust• Cape plc accepted subsidiary failed in its

duty of care• Subsidiary dissolved• Claim against Cape plc

• Group Medical Advisor and scientific officer

• Board discussion on aspects of production• Cape knew its subsidiary arrangements

were defective


• Claimant employed by a Renwick subsidiary• Exposed to raw asbestos• Subsidiary had no EL insurance or assets• Claim against parent company

• No group directors on subsidiary board and subsidiary run by an “unconnected director”

Applying factors in Chandler, Court of Appeal found not liable on facts

• Fatally injured person employed by CAV subsidiary

• Killed when stack of metal billets collapsed• Corporate manslaughter and HSWA

prosecution of CAV A

• Cases of Chandler and Thompson considered when establishing duty of care

• CAV A treated CAV C as supplier but did not give it control (no FD and purchasing and stock control governed by CAV A)

• Ignoring warning of near misses was most aggravating feature

Convicted of both offencesFined £600,000


Mere appointment of

subsidiary director not

enough

Appointment of directors

Co-operation between subsidiary

without parent control ok.

Problem if parent controls key element e.g.

delivery

Sharing resources

Avoid assets and paperwork asserting

work done or decisions made on

behalf of parent

Corporate branding

Conflict of interest/direction

and control

Pure holding company

reduces risk

What does the Group

say it does in its safety

policy and management

system?

Audits both increase and reduce risk.

Ignoring warnings from

subsidiary increases risk


medical support

Run as a business

division - no separate

financial function


foreseen subsidiary

would rely on it

Risk Factors




H&S knowledge


Lack of independence

Overlap of directors


A question of risk

Increased control may mitigate risk of safety failures

But increase exposure if something goes wrong

May be tainted anyway?


• How likely are CM prosecutions? Does it matter?

• Rarely can Parent avoid any scrutiny

• Identify where in the organisation safety management decisions should be taken

• Robust on how decisions are recorded • Does the safety management system reflect the reality? • Check terms of reference for oversight committees

• How are decisions in JVs and SPVs taken?

• Robust and independent audit of subsidiary

• Follow through on actions and do not leave recommendations hanging

• Acquisitions

• Check how business fits into safety management structure

• Does company come with the competence to run it?

There was no clear and realistic thought given to the relationship between CAV A and CAV C particularly at the level of senior management and above.

Practical Steps


Ann MetherallPartner

T: +44(0)117 902 6629M: +44(0)7980 984 071E: [email protected]

Thank you

This presentation gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content. © Burges Salmon 2016


Risk Culture vOrganisational CultureRichard Anderson, Director, AndersonRisk


My agenda for today• Why is risk culture important to business?• Who has been talking about a “risk” culture?• VW – a case study• FRC, IIA, CIMA, CIPD, CVF – what are they saying?• What do I think? • A possible approach…• Wrap up and questions


Why is risk culture important to business?© Richard Anderson Photography | www.raphoto.me


Why is risk culture important to business?Five reasons: because of…• People• 300 years of failure• Risk appetite• Extended enterprise• Societal impact


Human nature is …Individualist … or … collectivist

What do you believe … ?

I or C? Which do you think?The way we live …

“superiors” tell “inferiors” … or … “equals” negotiate the “rules”Prescribed/In-equal … versus … Prescribing/EqualTell or Negotiate? T or N? Which way does it work?

People


Fatalist

Individualist

Egalitarian

Hierarchist

Richard BransonPhilip GreenEntrepreneur Greenpeace

EnvironmentalistPrince Charles

Typical Government Chief Scientist

What will be will be

I C

Tell

Negotiate

People


300 years of failure

The South Sea Bubble (1720)

Volkswagen (2015)

Savings & Loans (1986 -

1995)Polly Peck

(1990)Maxwell (1991)

Marconi (2006)

Banking Crisis(2008)

BP (2010)

HSBC (2012)

Wal-Mart (2012)

Tesco(2014)

Enron and .com Bubble (2001)




Volkswagen (2015)


1995)Polly Peck

(1990)Maxwell (1991)

Marconi (2006)


BP (2010)

HSBC (2012)

Wal-Mart (2012)

Tesco(2014)


COSO Internal Control I & IICOSO ERM I & II (almost)

Cadbury to Corporate Governance CodeCoCo

King I, II & III




Volkswagen (2015)


1995)Polly Peck

(1990)Maxwell (1991)

Marconi (2006)


BP (2010)

HSBC (2012)

Wal-Mart (2012)

Tesco(2014)


And the next disaster is being incubated right

now…


Risk Appetite


But any model of Risk Appetite makes heroic assumptions about the

ability of the people in the organisation to cope within the

ranges it sets…

Risk Appetite


Joint Endeavour

Outcom

es

Multiple Economies in Multiple Societies

The

exte

nded

en

terp

rise


Joint Endeavour

Outcom

es

Customer 1

Customer 2

Customer 3

IP OwnerRegulator

Sub-Contractor 1

IT Outsource Provider

Government

Supplier 1

Supplier 2

AgentsPrime Contractor

Multiple Economies in Multiple Societies

The

exte

nded

en

terp

rise

Sub-Contractor 2

Labour


Joint EndeavourO

utcomes

Extent of Shared Values

Allocation of Incentives

Relative Power

Regu

lato

ry

Influ

enceTh

e ex

tend

ed

ente

rpris

e Multiple Economies in Multiple Societies


Joint EndeavourO

utcomes

Extent of Shared Values

Allocation of Incentives

Relative Power

Regu

lato

ry

Influ

enceTh

e ex

tend

ed

ente

rpris

e Multiple Economies in Multiple SocietiesCulture is KING in

managing across the Extended Enterprise…


Because the societal impact of failure is leading to breakdowns in society as witnessed in BREXIT and

the rise of nationalism and protectionism versus free trade and

globalisation

Societal impact


Who has been talking about risk culture?© Richard Anderson Photography | www.raphoto.me


The commentatorsOrganisation Title Pages Culture Risk Culture

DoJ (2010) Bribery Act 43 7 (16%) Nil (0%)

NAO (2011) Managing Risk in Government 18 4 (22%) Nil (0%)

IRM (2012) Risk Culture – resources for practitioners 114 893 (783%) 344 (302%)

FRC (2014) Risk Management etc 28 20 (71%) Nil (0%)

FSB (2014) Guidance […] on Risk Culture 14 100 (714%) 70 (500%)


• The board’s responsibility for the organisation’s culture is essential to the way in which risk is considered and addressed within the organisation and with external stakeholders.

• The board must determine its willingness to take on risk, and the desired culture within the company.

• The board has ultimate responsibility for RM…, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded.

• Training and communication assist in embedding the desired culture and behaviours in the company. To build a company culture that recognises and deals with risk, it is important that the RM and IC systems consider how the expectations of the board are to be communicated to staff and what training may be required.

The FRC


• “The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”

• “Those at the top of an organisation are in the best position to foster a culture of integrity where bribery is unacceptable. The purpose of this principle is to encourage the involvement of top-level management in the determination of bribery prevention procedures. It is also to encourage top-level involvement in any key decision making relating to bribery risk where that is appropriate for the organisation’s management structure.”

Department of JusticePrinciple 2 - Top-level commitment


• “An anticipatory and strategic approach to supervision rests, among other things, on the ability to engage in high-level sceptical conversations with the board and senior management on the financial institution’s risk appetite framework, and whether the institution’s risk culture supports adherence to the board-approved risk appetite.”

• “Culture can be a very complex issue as it involves behaviours and attitudes. But efforts should be made by financial institutions and supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.”

FSB


The FSB’s top four indicators of the risk culture•Tone from the top;•Accountability;•Effective communication and challenge; and

• Incentives.


IRM Risk Culture FrameworkIRM’s risk culture framework looks at component parts making up an organisation’s risk culture• How will I react?• How will I respond in

recognition of other competing needs?

• What will I do?• What will we do?• Our overall risk culture

This is upside down… and probably back to

front... Risk culture and organisational culture are

neither nested, not necessarily the same


Risk culture aspects model

Likewise this does not tell you anything about

HOW to manage the culture, or HOW to measure

it. Great conceptually, but hopeless

managerially…

Governance | Risk Management | Assurance © 2016 AndersonRisk© Richard Anderson Photography | www.raphoto.me

VW: a case study


Objectives• To be the biggest car manufacturer in the world

• To move motorists across to diesel engines as requested by the EU

• To demonstrate compliance with Californian air quality requirements


Core personal values1. Social responsibility:

Innovative employment models and social involvement.

2. Sustainability: Human rights, labour standards, environmental protection: there are many facets to sustainability.

3. A spirit of partnership: Equality and humanity: fairness is important to us.

4. "Pro Ehrenamt" volunteering initiative: Have you ever thought about becoming a volunteer? There are many ways to get involved - and there's one near you.


Sustainability“We aim to be the world’s most successful, fascinating and sustainable automobile manufacturer. For the Volkswagen Group, sustainability means that we conduct our business activities on a responsible and long-term basis and do not seek short-term success at the expense of others. Our intention is that everyone should profit from our growth – our customers and investors, society and, of course, our employees. In this way, good jobs and careful treatment of resources and the environment form the basis for generating lasting values.”


Global Compact• Since 2002, Volkswagen has been involved in one of the largest and most important CSR initiatives in the world• This sets out the Ten Principles of human rights covering working standards, environmental protection and combating corruption• “Together with 12,000 companies from over 170

countries, Volkswagen works in diverse international CSR projects towards making the global economy more sustainable and fairer. An annual progress report documents our projects.”


Failing to live up to their standards• Emitting larger amounts of NOx than allowed was not in

line with looking after the Human Rights of communities where their cars were sold;

• Lying to regulators by installing this software is fundamentally corrupt when you define corruption as “the abuse of entrusted power for private gain”; and

• Clearly the engineering solution was not consistent with environmental protection.


Where they failed

1. Values2. Silos3. Layering4. Short-termism

5. Control v Risk6. Obstruction7. Black holes


The Culture CoalitionOrganisation Title Pages Culture Risk Culture

FRC (2016) Corporate Culture and the role of boards 62 435 (702%) 7 (11%)

IIA (2016) Organisational Culture 27 366 (1,355%) 31 (115%)

CIMA (2016) Rethinking the Business Model 38 5 (13%) 0 (0%)

CIPD (2016) A Duty to Care 38 381 (1,002%) 0 (0%)

CVF (2016) Governing Culture, Risk & Opportunity 30 130 (433%) 0 (0%)


FRC guidance on culture: a missed opportunity62 pages of platitudes:• How chairmen and chief executives are vital to the culture;• How non-executive directors should probably be involved,

but poor individuals, they find it hard;• How culture is so very important, but it really is difficult;• How important it is for directors to exhibit their corporate

values;• How hard pressed heads of internal audit want to do work in

this area, but their boards are not ready


My conclusions on the FRC reportSo rather than see some wishy-washy platitudes with “suggested” topics for boardrooms to discuss, when they get round to it, it is time for the FRC to commission first class research from people who have genuinely thought about the subject – both academics and practitioners. And then we can talk constructively about the importance of culture versus risk culture and just how we can measure and manage both of them.

Let’s move on beyond the 1980’s views of risk

management exhibited here


And the others• CIIA: only about assurance. Little about managing the

culture or risk culture and no reference to the differences

• CIMA: seem to have forgotten the topic• CIPD: NOTHING about risk culture• CVF: Ditto


The risk…The participants in the FRC’s Culture project, led by the FRC have let directors wriggle off the hook and substantially to ignore Organisational Culture (because they only spoke in platitudes) and totally to ignore Risk Culture which barely gets a mention.

The next disaster is incubating right now and

nobody is doing anything to stop it…


Risk v Organisational CultureUnlike some, I firmly believe that there is a major difference between the “Culture” of an organisation and the “Risk Culture”. I also think that the two elements are entirely measurable by looking at the conversations and risk conversations (the cultural DNA) in the organisationCulture:The culture of the organisation is built from the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and the social & regulatory environment.

Risk Culture:“The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.”


My model of risk management has now changed…Traditionally I see risk management as a trade off between two pairs of tensions:1. Taking more managed risk

– v – Avoiding pitfallsAND

2. Performance culture – v – Corporate ethics and behaviours

I now add a third pair of tensions3. Allowing the needs of

today to dominate because of the corporate culture – v – Allowing the needs of tomorrow to dominate because of the risk culture


In summary, I think that…• Organisational Culture and

Risk Culture are different• Both are vital to retaining

and growing long term sustainable value

• The Risk Culture is poorly understood but ignoring it is potentially very dangerous

• VW, the GFC, HSBC, and LIBOR show that problems STILL exist

• We MUST demonstrate to boards why this is important

• We MUST develop practical approaches to managing Risk Culture


Assessing the Risk Culture: three traditional steps

Desk Top

Research

Surveys Interviews

But… not often that much

policy worthy of review in

terms of risk culture

But… Most surveys suffer from groupthink

and you can’t move beyond it

But… Most senior people will

give the right answer

anyway so you learn little

And they are ALL subjective and therefore of

limited value in determining what changes

need to be made…


So we have introduced a fourth step

Desk Top

Research

Surveys Interviews

Conversations in Risk

Which will…

Provide more rich, actionable data than

all of the other approaches combined,

give you insight into your values, and

provide both board-level metrics and

data which you can use to actively

“manage” the risk culture


Conversations in risk management

You

CFO CEO

Suppliers Clients

CMOBack OfficeAll organisations function on the back of

”conversations” of all sorts between people. Some

are formal, some informal, some are written, some

are only oral, some are recorded in minutes, some

aren’t. These are the DNA of the Culture. And

those about “risks” are the DNA of the Risk

Culture.


Production and Projects

Sustainability and HSE

Drilling Exploration & New Business

Finance Other0%

25%

50%

75%

Production and ProjectsIn this organisation, there were six

organisational departments. “Production and Projects” talked a lot

about risk, but 73% of their conversations were WITH

THEMSELVES: they were not dealing with risk by talking to other experts

in the organisation… About 22% were with their “Sustainability and

HSE” department.


Sustainability and HSEBut the “Sustainability and HSE”

department was not listening because less than 10% of their risk discussion were with Production and Projects and a whopping 72% were

WITH THEMSELVES. This organisation was HOPELESSLY silo’ed and they did not recognise it inthemsleves. They needed to work together because of the economic environment, but their risk culture was shot to pieces and

the business was following downhill.Production and Projects

Sustainability and HSE

Drilling Exploration & New Business

Finance Other0%

25%

50%

75%


Three states for a conversation

Unmatched Partially Matched

Completely Matched

The Desired Direction of Travel


Unmatched Partially Matched

Completely Matched

% % %

Three states for a conversation


This diagram, straight from our system, shows all

of the participants in

the exercise and (rather

depressingly) shows that none

of the conversations was matched.

They had a lot of work to do to turn

this round, and they needed to do so quickly


This picture simply illustrates the richness of

the data showing linkages between individuals. Each

connection is based on a set of

data that we analyse and

summarize to come to the

board level view. It also explains

why the underlying data are actionable…


And where cultures clash…Issues which any board should want to know about:• Values: Significant deviations from the board’s values.• Silos: Especially where an organisation is facing complexity in its

dealings internally or externally. • Layering: Layered management reporting prevents new issues

being spotted on a timely basis.• Short-termism: Extrapolation from past behaviours is not

necessarily good enough for dealing with new futures.


And where cultures clash…Issues which any board should want to know about:• Control v Risk: Control (or risk control) management

instead of risk management.• Obstruction: Individually obstructive nodes can be very

dangerous.• Black holes: Sometimes it is difficult to discern any

volume of conversations about risks.

Governance | Risk Management | Assurance © 2016 AndersonRisk© Richard Anderson Photography | www.raphoto.me

Resources:1. IRM Risk Appetite and Tolerance Guidance:

https://www.theirm.org/media/464806/IRMRiskAppetiteExecSummaryweb.pdf2. IRM Risk Culture Guidance:

https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf3. FRC Culture document:

https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/Corporate-Culture-and-the-Role-of-Boards-Report-o.pdf

4. FSB Risk Culture: http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1

5. AndersonRisk Commentary on Risk Culture: http://andersonrisk.com/publications/downloads/ (and check my publications on LinkedIn)

6. AndersonRisk board agenda: http://andersonrisk.com/publications/downloads/ 7. AndersonRisk blog: http://andersonrisk.com/conversations/

Thank you for joining us