Draft guidance to the directors of companies applying the UK Corporate Governance Code

Comments from ACCA to the Financial Reporting Council January 2014


We congratulate the FRC on taking on the challenge of attempting to bring a joined-up approach to what might be called the four cornerstones of sustainable enterprise: risk management, internal control, reporting on risk and assessment of going concern. This challenge was given by the Sharman Panel and we are pleased that the FRC has essentially started again in its approach since it exposed for comment last year its revised Guidance on Going Concern and revised International Standards on Auditing (UK and Ireland). The draft guidance, if issued, could have a profound effect on businesses and in due course on the parts of the public sector, such as the NHS, which tend to follow private sector standards. It is important to get the detail as right as possible.

In our response to the previous consultation we expressed concern that the draft guidance on going concern would be difficult to implement in practice, particularly for smaller companies. The new approach in the current draft will apply only to those companies, essentially listed companies, expected to report in accordance with the UK Corporate Governance Code (the Code). The draft guidance is also based more on high-level principle than on detailed prescription, so should be easier to implement in practice. We think smaller companies could also benefit from considering the principles.

We consider that the new draft guidance much better reflects the intent of the Sharman Panel. We agree broadly with the bullet pointed text in Section 1 that says that:

  • Risk management and internal control should be incorporated within the company’s normal management and governance processes, not treated as a separate compliance exercise; and
  • The board must make a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks.

Regarding the first bullet point, we suggest that evidence of good risk management control, or the lack of it, should form part of manager performance reviews and, where relevant, bonus calculations.

On the second bullet point, we fully support the idea that the business model and ability to deliver strategy and objectives should be the starting point for considering risk and, indeed, running the business. An assessment of principal risks should be worth undertaking; indeed in many circumstances it may be necessary but it is unlikely ever to be sufficient. We think it would be wrong to imply that the (only) way for the board to do this is by making an assessment of the principal risks. This is because there is an erroneous presumption that all risks, as well as their timing, can be identified and assessed with reasonable accuracy.

Arguably it is dangerous as such a presumption will give false comfort. As such, companies will not be prepared when the inevitable unexpected risk happens or an expected risk happens in an unexpected way. Also, there are companies that would prefer to consider risk around their business plans and model using other methods, such as models in conjunction with stress and sensitivity testing. Furthermore, there are aspects of risk management that do not rely on risk analysis at all, but involve adopting particular ways of managing as standard practice.

The risk of control circumvention or management over-ride of controls should also be borne in mind and is perhaps worth reference in the guidance. People can make well designed systems fail and poor systems work. The risk of missing or generally ineffective controls, at critical moments, may be lower than the risk of circumvention or over-ride of those controls.

The purpose of the draft guidance should be to help companies ensure they are more resilient in responding to the risks that can affect a company’s purpose and the working of its business model. Company resilience, rather than risk assessment, should be the principal aim, as risk assessment is more an art than a technology. Risk assessors who believe otherwise tend to make the dangerous assumption that all significant risks can be foreseen. Worse yet, they often suffer from linear thinking about these risks, failing to take into account that several risks can present themselves at the same time, and that any given risk can be more severe than assessed.

One of the common responses from regulators and others following the 2008 banking failures was that no one could have foreseen the problems. While we do not entirely agree with that sentiment, it is worth keeping firmly in mind when considering risk assessment. This is why we suggest that resilience should be a better aim for boards. Risks, even if foreseen, are unlikely to happen just as expected.

Companies that anticipate, and are prepared for, the unexpected are more likely to be resilient and deal with risks and more likely to survive and thrive than companies that commit considerable resources to dealing with a list of risks populating a risk register.

We are pleased that the word culture appears frequently in the draft guidance, as it does more widely these days in discussions of risk. The subject is vitally important but poorly understood. ACCA is currently undertaking an international research project on corporate culture with backing from the Economic and Social Research Council (ESRC). This is due to report at the end of June 2014 but our initial findings suggest that there is little practical organisational understanding of workplace culture and how that culture, or more accurately cultures, affect decision making and behaviour. Methodology to assess culture is at a very early stage of development.

The state of useful understanding about corporate culture now is probably similar to the state of understanding about internal control in 1992 when the Cadbury Report said that internal control was important and should be assessed and reported upon. However, the Report wisely recognised that reliable procedures for assessment and reporting did not exist and that any reporting should wait until something reliable had been developed. That same year a new control framework did come out from the US Committee of Sponsoring Organizations (COSO) and the Turnbull Guidance was issued in 1999, but the following decade and a half of good practice around internal control, from 1992 to the financial crisis, failed to prevent banks from taking what with hindsight at least were extreme risks. This failure was probably owing to the risk management processes at the time not taking account of human nature. Also there was a lack of confidence by many (including directors) to confront their own ignorance on matters such as complex financial products. More work on understanding culture is needed and we hope the FRC will take a lead in encouraging this.

The FRC’s proposed guidance, arguably, is historic in its aims. However, we are concerned that the FRC may not fully appreciate the difficulty of what it hopes to bring about. In our view the present conventional approach to risk management, which essentially consists of making lists of risks, prioritising them, then deciding on an action for each, will not be fit for purpose. New skills, techniques and methods will be needed by boards, executives, risk managers and internal auditors. This will require more research, experiment and a genuine desire to learn and improve. In due course there will be a considerable training requirement.

Finally we would like to emphasise the need for independent assurance and challenge of risk management and internal control and on a company’s resilience to threats. This is a role for internal audit.

Specific comments

Question 1 (page 3 Section 2): The FRC would welcome views on whether the draft revised guidance achieves these objectives, and on the structure of, and level of detail in, the draft revised guidance.

As we discuss in the summary above we have some serious concerns about the guidance and therefore about the likely efficacy of the guidance on the board’s deliberations on each of the following, as listed in the report:

  • the nature and extent of the risks facing the company;
  • the extent and categories of risk which it regards as acceptable for the company to bear;
  • the likelihood of the risks concerned materialising;
  • the company's ability to reduce the incidence and impact on the business of risks that do materialise; and
  • the costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.

We think that the joined-up approach in the guidance, which attempts to link risk management and internal control with risk reporting and assessment of going concern, is very helpful, as stated in the opening of this comment. In addition we appreciate the FRC’s attempt to link these with company strategy and the business model.

We have a fundamental concern however that the guidance steers people to a particular approach to risk management that involves responding to a prioritised list of risks that are believed to be complete and to have been objectively assessed. Risk management and assessment is not a mechanistic linear activity. The FRC should tell boards that managing and assessing risk is an art rather than a technology. It would be a mistake for any board to think it has fully identified and understood the nature of all risks facing a company. The biggest risk, and a risk that could be fostered by the proposed guidance, is complacency. Complacency was clearly an issue for bank executives, bank boards and bank regulators during the lead up to the banking crisis in 2008. Anecdotal evidence suggests that many risk managers were less complacent but were ignored. Boards should be encouraged to recognize and understand the limitations of their knowledge, and the limitations of risk analysis.

Question 2 Page 3 Section 2: Do you agree or are more substantive changes to these sections required?

As implied above we think substantive changes are required. As discussed, the main danger, or risk, is that the guidance could foster a misplaced complacency about risk and the resilience of the risk model.

In addition to the prioritised risk listing approach, which forms the bulk of the FRC’s suggested approach, greater attention should be given to how companies and their boards help to ensure that they are more resilient to risks that have not been identified, or have been identified but that happen with more severity than allowed for, or happen to hit at the same time as other risks that may or may not have been predicted.

We do not claim to have all the knowledge of how to go about this but several steps seem key. Each of these steps should be considered in relation to the company’s business model, strategy and objectives:

  1. Pay more attention to scenario planning and analysis, including stress testing and sensitivity analysis.
  2. Recognise that the future is unknowable and that risk identification and assessment are an art not a technology (no matter how complex the mathematical models employed). Therefore risk identification and assessment are carried out to aid good judgement and are not a substitute for it.
  3. Consider how confident people should be about risks that have been identified. Once again we invite the FRC to consider the proposal on Confidence Accounting that ACCA published in 2012 with the Chartered Institute for Securities and Investment (CISI) and Long Finance. The proposal sets out how accounts might better convey levels of confidence about the assets and liabilities in a set of accounts where it is difficult to give accurate and precise values or where market prices fluctuate widely. Examples include mineral reserves, long term work in progress, freehold property and assets such as mortgage backed securities. Pages 15 to 20 discuss how more meaningful assurances on going concern could be given, with particular reference to a major bank. This approach to reporting financial amounts could equally well be applied when considering and reporting upon risk.
  4. Know the staff (and the culture). Staff generally know what is going on and may have a better understanding of the risks to the business model than senior management or boards. And most staff want to do a good job and are loyal to the organisation. Boards and senior executives should talk to them and consider using control and risk self-assessment to gain a better insight into what staff know.
  5. Expect, or anticipate, and prepare for the unexpected. Empower staff to use their common sense. If a crisis happens, staff should be able to exercise good judgement. Previously written procedures may be unhelpful and precious time could be lost while staff wait for instructions or authorisation from more senior management.

We would be pleased to discuss these suggestions with the FRC.

Question 3 Page 6 Section 3 (Addressing concerns about a ‘high level of confidence’ over the ‘foreseeable future’): Do you believe that the approach taken in Appendix B of the draft revised guidance is appropriate? If not, how should it be amended and why?

We broadly agree with the approach. We are pleased that Appendix B, in apparent contrast to the main document, recognises that the future is unknowable, calls for sound judgement, does not call for risk lists and commends stress testing and sensitivity analysis. The assessment of solvency and liquidity risks should obviously feed into the assessment of other risks that can affect the business model.

Question 4 Page 7 Section 3 (Guidance on determining material uncertainties to the going concern basis of accounting): Do you agree with the guidance in Appendix C of the draft revised guidance? If not, how should it be amended and why?

We broadly agree with the approach but, again, we consider it important that the guidance make the purpose of the exercise very clear. We suggest that the purpose should be to assess whether the company ‘will remain solvent and liquid’ for the foreseeable future and report to shareholders if there are material concerns. It is important that this purpose of reporting on going concern is not lost by over-elaborate wording of disclosure or guidance about disclosure. The danger is that shareholders will be confused about disclosure and conflate reporting on a going concern basis of accounting with a declaration that the company will be a going concern (solvent and liquid) and will remain so for at least a further year.

Question 5 Page 7 Section 3 (Guidance to directors of banks): Do you agree with the revised guidance? If not, what needs to be amended and why?

The business model of a large bank is fundamentally different from that of other businesses and is generally poorly understood. For most businesses, to survive and thrive means to innovate. A risk is something that has to be managed as a company strives to innovate to remain competitive. For a bank, risk is everything. Innovation is about new ways of taking a risk, especially out of sight of a regulator. 9 years out of 10 or 19 out of 20, more risk taken means more profit. In the lead up to the crisis of 2008, the most profitable (and, in most people’s judgment, successful) banks were the ones that took most risk. The more leverage, the more the risk. In no other business sector is leverage as high as it is in banks, particularly when one bears in mind that banks can, in various ways, hold leverage off the balance sheet. The banking business model of the early 2000s could be likened to throwing a 10- or 20-sided dice where any number apart from 1 results in a gain but a 1 results in a wipe out. The banking sector has worked this way for many years, which is why every 20 or so years parts of the banking sector have had to be rescued. Each time a few banks disappeared and there were fewer but larger banks remaining. The 2008 crisis was no different except the number and size of bank failures and the amounts lost were more than before. This was in large part a function of bank consolidation following past failures, but also in part owing to an astonishingly lax attitude to leverage by regulators post 2001.

A government will let a bank fail at its peril – as the bankruptcy of Lehman’s demonstrated. Governments have to guarantee the (consumer at least) debts of banks. This means that banks are a protected sector, which creates serious moral hazard problems. Federal Reserve Chairman Alan Greenspan is reported to have said ‘I made a mistake in presuming that the self-interests of organisations, specifically banks and others, were such that they were best capable of protecting their own shareholders and their equity in the firms’. He failed to realise that bankers knew that, in a crisis, most banks would survive thanks to government protection and that the real risk was to be the outlier, the first to go.

Any disclosure that could indicate that a bank has a solvency or liquidity problem would guarantee its need for rescue. This is why a going concern qualification made public is extremely unlikely to happen in practice. The approach to going concern used for most companies is therefore not appropriate for a bank.

In short, a bank’s business model is different from the models of other companies. This means that a different approach to risk management and going concern accounting is needed. As such, new regulation is required.

Question 6 (page 7 Section 3): Do you agree with the draft revised auditing standards? If not, what should be changed and why?

In response to the earlier consultation, we commented that the proposed amendments to auditing standards adequately implemented the role of the auditor as envisaged in the Consultation Paper. Because we considered that the guidance needed revision, however, we did not comment in more detail on the proposed amendments, as they would have to reflect any revisions made. We note the changes to the proposed amendments and agree with them, in particular the clarification that the requirement to report, where the auditor has anything to add to the directors’ statement and disclosures about risk, is only relevant where that addition is material.