Linking Risk Management to Strategic Controls

This paper shows the extent of overlap between a broad-based view of risk management, namely Enterprise Risk Management (ERM), and the balanced scorecard, a widely used strategic control system. A case study of one of the UK’s largest retailers, Tesco Plc, is used to show how ERM can be introduced as part of an existing strategic control system. The case demonstrates that, despite some differences in lines of communication, strategic controls and risk controls can be used to achieve a common objective.

Adoption of such an integrated approach, however, has implications for the profile of risk and the overall risk culture within an organization.

Keywords: balanced scorecard; case study; corporate governance; enterprise risk management; risk controls; strategic control; Tesco Plc.

Introduction

The notion that risk is inherent to any business activity is a long-standing one, but the establishment of formalized risk functions in organizations is a much more recent phenomenon.

Corporate governance frameworks serve to create structures that help to facilitate management accountability in a world characterized by a divorce of ownership from control (Spira and Page, 2003), but such controls seem so far to have failed to stem the recurrence of corporate scandals across the globe. Regulatory bodies have responded by introducing a mix of practice recommendations and specific requirements that emphasize the importance of internal control systems as a way of improving accountability and reducing the risk of corporate failure. These regulations have served to raise the profile of risk management, as demonstrated below.

In the UK, the Combined Code of the Committee on Corporate Governance was originally published in 1998 and incorporated the recommendations of a number of earlier committees (Cadbury, Greenbury and Hampel). A revised version of the Combined Code was issued in July 2003, in which the principles of good corporate governance were categorized under a number of headings including financial […] The Combined Code requires the Board of Directors to maintain a ‘sound’ control system in order to safeguard shareholders’ investment and the company’s assets, and to review, at least annually, the effectiveness of that control system.

Financial, operational, compliance and risk management controls should all be included in the review. There is, however, no requirement for the Board to report externally on the review’s findings. As part of the process of ensuring effective internal controls, the Board is also required to appoint an audit committee of at least three members, all of whom should be independent non-executive directors. The Combined Code thus emphasizes executive responsibility for internal controls, which explicitly include risk management controls.

In the United States the Committee of Sponsoring Organizations (COSO) has published two key reports (COSO, 1992, 2004) laying down guidelines on the design of internal control systems. The internal control framework outlined in the 1992 report identifies risk management as one of five elements within the control system, but the 2003 report (Enterprise Risk Management) was drafted in conjunction with consultants from PricewaterhouseCoopers with the specific aim of developing a framework to enable managers to evaluate and improve their companies’ risk management systems.

In so doing it argues that it “expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management … that incorporates the internal control framework within it” (COSO, 2004, foreword, p. v). The profile of risk management is thus raised substantially, as it shifts from being a component of internal control to a framework that effectively encompasses internal control. This change in thinking is of great potential significance for the risk and audit professions.

The COSO 2004 report complements the Sarbanes-Oxley Act (SOX) of 2002, which was a direct response to the corporate scandals at WorldCom and Enron. The Act places great emphasis on the responsibilities of directors for effective internal control, although it contains no provisions on the role of the internal audit function. Section 404 of SOX requires that a company’s annual report should contain an internal control report which includes a statement of management’s responsibility for establishing and maintaining an internal control system, and an assessment of the system’s effectiveness.

This must be supplemented by a statement from the external auditor attesting to and reporting on management’s assessment. Like the UK, therefore, the US regulators seek to emphasize management’s responsibilities for the design and maintenance of internal control systems. In designing internal control and risk management systems, managers need to strike a balance between the growth and returns that can be generated by taking risks and the potential losses that may also result from risk taking.

Setting strategic objectives and establishing an acceptable associated level of risk are thus closely intertwined, and this paper seeks to demonstrate how risk management systems can be used both to encourage line managers to meet strategic objectives and to align their risk taking with the risk appetite established by the Board of Directors: in other words, utilizing risk management to enhance strategic success. It argues that the ultimate objective […] decision making and thus enhance performance from the perspective of multiple stakeholders.

The paper contributes to the risk management literature in two distinct ways. Firstly, by using detailed case study information from Tesco Plc, one of the UK’s leading retailers, to provide insights into risk management practice, the paper adds an empirical dimension to work that has to date emphasized the design of theoretical models of risk management rather than consideration of risk in practice. Secondly, the paper links the key concept of Enterprise Risk Management (ERM), as promoted by COSO, with the balanced scorecard, which is used as a strategic performance measurement system.

In so doing, the link between risk management and strategy is made explicit in a manner that is relatively new to the literature. The paper is structured so that the next section, on the development of the concept of enterprise risk management, is followed by a section discussing an alternative form of strategic control system, namely the balanced scorecard. The strong parallels between ERM and the balanced scorecard are explained in detail, and arguments are presented to show the potential advantages of combining the two control systems.

The main part of the paper then describes the risk management system within Tesco Plc, and its interface with the balanced scorecard approach also used within the business. The concluding section seeks to identify the advantages and disadvantages of the risk systems deployed in Tesco, and the scope for further research in this field.

2 The development of enterprise risk management (ERM)

A review of the risk management literature indicates that both the definition of risk and our understanding of the term risk management have evolved over time.

Spira and Page (2003) chart in some detail the evolution of risk definitions from the pre-seventeenth century onwards. In pre-rationalist times risk was seen as a consequence of natural causes that could not be anticipated or managed, but with more modern, scientifically based thinking there emerged a view that risk was both quantifiable and manageable via the judicious use of avoidance and protection strategies. Risk management became institutionalized with the application of science (Beck, 1998) and in the process the public were led to expect risks to be managed.

As a consequence, risk management led to some diffusion of responsibility for the adverse effects of risk, whilst the notion of accountability required some demonstration of risk management effort (Spira and Page, 2003). Selim and McNamee (1999, p. 161) note what they describe as “major paradigm shifts in organizations’ approach to risk management”. The first of these relates to the fact that over time risk management has evolved from an insurance and transaction based function into a much broader concept that is linked to both corporate governance and the achievement of strategic objectives (Enclave, 1996; Nottingham, 1997; Unshorn, 1995).

The concept of risk management being centered in the treasury division, with its use of financial instruments to hedge transaction and funding risks, is long dead, as risks have become much more broadly defined to include aspects such as corporate reputation, regulatory compliance, health and safety, employees, supply chain management and general operational activities.

Risk is now viewed from a very broad perspective, and it is almost inevitable that this has important implications for the […] The second paradigm shift is a result of the broadening of the definition of risk, leading to a reconsideration of the purpose of risk management and the development of views that argue that it is concerned with assisting decision making to improve corporate strategic performance (Deloitte and Touche, 1997).

The Institute of Chartered Accountants in England and Wales (ICAEW) defines business risk as “the uncertainty as to the benefits that the business will derive from pursuing its objectives and strategies” (ICAEW, 2002, para. 1.2, p. 3). One of the core dimensions of the risk management process is thus “identifying, ranking and sourcing the risks inherent in the company’s strategy” (ICAEW, 2002, para. 4.2, p. 5). Broad definitions of risk, and recognition of the strategic and governance roles played by risk management, are the characteristics of Enterprise Risk Management (ERM), or what is sometimes called holistic risk management.

The framework for risk management outlined by COSO defines ERM as follows: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” (COSO, 2004, p. 2) The definition contains a number of key phrases. Firstly, ERM is initiated by the board of directors in the first instance, but is cascaded across the organization via line management.

Secondly, it is broad based because it encompasses all potential events that may affect achievement of objectives. Lastly, ERM aims to contain risk within the boundaries of a specified risk appetite and provide reasonable assurance in this regard. Such a broad perspective of risk management implies a requirement to develop a very comprehensive strategy to identify, measure, monitor and control a vast array of risk exposures, and to communicate the company’s risk policies to staff at all levels via the creation of a risk aware culture.

This is a very broad remit for the risk manager, as it encompasses all hierarchical levels within the company as well as multiple functions, and hence poses major challenges in its practical implementation. Perhaps not surprisingly, therefore, there is evidence to indicate a limited take-up of ERM to date. In a survey of internal auditors, focused primarily on US based companies, Beasley et al. (2005) found that only forty-eight per cent of the 174 respondents had at least a partial ERM system in place in their companies and a further one third were planning to implement ERM in the future.

Beasley et al.’s findings need to be viewed with caution because the survey response rate was only 10%, and the majority of respondents were from large US corporations with annual sales in excess of $1.3 billion. There is therefore a danger in generalizing from such results, but they nonetheless offer some indication that the adoption of ERM is still in its relatively early stages. Notwithstanding the challenges of introducing it, because ERM seeks to assist the fulfillment of strategic objectives it aligns the interests of the risk manager with those of the entity as a broader whole.

In principle […] performance management systems. The integration may raise issues of professional rivalry between parties such as internal auditors and risk managers, but there is no obvious intrinsic conflict between the aims of ERM and any other control system. One of the most widely documented control and performance management systems in use today is the Balanced Scorecard or Tableau de Bord. In the next section of this paper, the basic principles underpinning the Balanced Scorecard are discussed, together with its scope for use as the tool for implementation of ERM.

3 The balanced scorecard

The balanced scorecard is a management control system popularized by Kaplan and Norton (1992, 1993, 1996a,b,c, 2000) that has its origins in Porter’s concept of strategy as a response to competitive forces in an industry. The popularity of the scorecard can be explained in part by the fact that it recognizes the significance of non-financial factors in determining strategic success, and hence moves performance measurement away from its traditional focus on purely financial measures.

In addition, it serves as a feed-forward control system as well as a performance measurement system (De Haas and Kleingeld, 1999), thereby offering clear advantages over the historically based performance measures that characterize financial systems. The balanced scorecard identifies four component perspectives within which a company must perform well in order to achieve its strategic objectives – namely financial, customer, internal business processes, and learning and growth.

Kaplan and Norton (1996a) argue a linked cause and effect relationship between performance in each of the perspectives and strategic outcomes. For example, improvements in organizational learning may lead to improvements in internal business processes, which in turn raise customer satisfaction levels and ultimately result in higher levels of financial performance. The perspectives may be interlinked and so the order of cause and effect may vary, but the basic principle remains – by setting targets for operational behavior, strategic performance can be improved.

There is some debate within the management accounting literature about the extent to which the balanced scorecard is empirically proven to be an effective control and performance improvement tool (Ittner and Larcker, 1998), but proving the cause and effect relationships in practice is extremely difficult. Kaplan and Norton (1996c) argue that the balanced scorecard is valuable in ensuring both the articulation of corporate strategy and the specification of the factors that will facilitate strategic success, but there are reasons to be rather cautious of these proclaimed benefits.

Grady (1991) argues that strategic objectives need to be classified in terms of critical success factors and critical actions, but the balanced scorecard does not rank measures of performance in this way. In addition, the importance of good communication systems cannot be overstated. Merchant (1989) argues that failure to communicate strategies effectively throughout an organization can lead to poor economic performance, but the balanced scorecard seems to assume the existence of effective communication systems which may not exist in practice.

Despite such criticisms, one of the greatest benefits of the balanced scorecard lies in its potential to overcome the remoteness of strategy from day to day […] seeking to introduce ERM into an organization. Risks of various types may threaten the achievement of strategic objectives, and systems need to be devised to create a culture or consciousness of how to manage those risks at all levels within the organization.

If risks can be linked to the four perspectives of the balanced scorecard, then the management of those risks can be integrated into an existing performance measurement system.

4 Linking ERM and the balanced scorecard

Table 1 below, which draws on Kaplan and Norton (1996b) and COSO (2004), shows the degree of overlap between ERM and the Balanced Scorecard in terms of their basic philosophies, organizational breadth and scope for use as both control and performance measurement tools.

Table 1 The overlap between ERM and the balanced scorecard

Basic philosophy
  ERM: Poor internal control of risk can jeopardize strategy
  Balanced scorecard: Strategic performance is influenced by both financial and non-financial factors

Interface between control and performance measurement
  ERM: Risk controls help to achieve higher performance levels via minimization of the loss of resources
  Balanced scorecard: Performance measurement against targets serves to ensure effective controls

Level of staff involvement
  ERM: Organization wide
  Balanced scorecard: Organization wide

Significance of operational behavior and performance
  ERM: High. Controls should work to align operational activity with corporate risk appetite
  Balanced scorecard: High. Targets should work to align operational activity with corporate strategy

Risk
  ERM: Straddles all functional and operational areas
  Balanced scorecard: Encountered in all scorecard perspectives, for example: Customer – risk of dissatisfaction/loss; Financial – interest rate and credit risks; Learning and growth – poorly trained staff; Internal business processes – delivery delays; stockouts

Both ERM and the balanced scorecard recognize the significance of non-financial factors in overall company performance.

In the case of ERM, the non-financial component is purely that of risk, which is not explicitly mentioned in the balanced scorecard, although it can indirectly impinge upon any or all of the quadrants of the scorecard, as indicated in Table 1. Implicitly if not explicitly, therefore, the balanced scorecard incorporates risk as an influence upon strategic performance. One interpretation is that the balanced scorecard seeks to create a control structure that ensures the implementation of strategy, and risk management complements this by identifying and mitigating any potential threats to strategic implementation.

Table 1 also shows that both systems function across all hierarchical levels within an organization. Neither strategy nor risk issues are exclusively the preserve of the board of directors, with the result that operational effectiveness even at the lowest levels of employment can serve to impact on the achievement of objectives. In the […] fully stocked can cause lost sales for the business leading to missed targets, simply because customers may be unable to find what they want.

Such an individual, albeit in a limited way, has an impact on the achievement of both risk and strategic sales targets, and hence the setting of operational performance targets and the use of controls to monitor that performance are fundamental to both systems. In both ERM and the balanced scorecard, performance measurement and control may be regarded as complementary – good controls enhance performance, but performance also needs to be managed via judicious target setting that reinforces strategic objectives.

Ultimately, therefore, the balanced scorecard is just one specific type of control system and ERM another type, but there are potential advantages to be gained by their integration. If risk issues are managed separately from other strategic objectives, so that a balanced scorecard runs in parallel with ERM, then managers may have difficulty in prioritizing the targets they have been set.

If the two systems are integrated, then the influence of various types of risk upon, for example, customer loyalty levels becomes clearer, with the result that risk targets become embedded in the performance culture of the organization, and relevant to all grades of staff. Where risk management systems are embedded in this way, there is less need to create a new risk management function, because everybody’s jobs are redefined to incorporate a risk component. Overall responsibility for risk control rests with the board of directors, as suggested under both UK and US regulations.

Simultaneously, the management, implementation and monitoring of risk controls is delegated to line management, whose remuneration and survival is linked to performance against a range of targets, of which risk is just one element. The following section outlines the structures used to control and manage risk in Tesco Plc, one of the UK’s largest retailers, with over 220,000 employees and group sales in excess of £[figure illegible in source] million. The data for the case study was drawn from two key sources.

The first was the extremely rich and publicly available information contained in the company’s annual report and website, which included extensive detail on the corporate governance and control structures in place at Tesco. The second source was personal interviews with the head of internal audit and the head of international audit, at the company headquarters in Cheshunt. The interviews offered further insights into the company’s design of the risk management and internal audit functions, thereby both verifying and expanding upon the material already collected from the public domain.

The use of case studies in accounting research has been the subject of extensive coverage in the academic literature (Berry and Otley, 2004; Humphrey, 2001; Otley and Berry, 1994; Scapens, 1990) and it is now a widely accepted research method.

5 Risk management structures in Tesco Plc

5.1 Strategic planning and control: the balanced scorecard in Tesco

The corporate governance section of the Tesco Plc annual report and financial statements contains a brief outline of the planning and control structure used across the group.

The group has a five year rolling plan, categorized under revenue and capital expenditure headings, and this forms the basis for the creation of similar plans for each of the separate group businesses. Targets are set, and these are then monitored via the ‘steering wheel’, which is the […] under four separate headings of customers, operations, people and finance, which the company argues “is the best way to achieve results for our shareholders” and “allows the business to be operated and monitored on a balanced basis with due regard for all stakeholders” (Tesco Annual Report, 2004, p. 0). The performance of the individual businesses against targets is reviewed quarterly by the Executive Committee, which is a sub-division of the board comprising all executive directors plus the company secretary. The committee meets weekly and takes responsibility for the day to day management and control of the business. It is understood that targets within the separate businesses are set and monitored by line management, and that the steering wheel concept and performance against it are familiar right down to individual store level.

Performance against targets is closely linked to remuneration at the level of the executive directors, and there is also a profit sharing scheme in place for all employees with more than one year’s service with the company. The executive bonus scheme offers a mix of both long and short term bonuses, which in combination can equal up to 150% of the executive’s annual salary, and payment is linked to the achievement of a mix of targets covering EPS growth, total shareholder return, and the achievement of specific, but confidential, strategic goals.

Employees receive a profit share that is calculated pro rata to their base salary, up to the maximum £[figure illegible in source] annual tax-free limit set by the Inland Revenue. The strategic planning system is thus monitored and controlled via the use of a form of balanced scorecard, which assumes that good financial performance is the outcome of good performance in the areas of customers, operations and people.

This approach is very closely aligned with that of Kaplan and Norton, in so far as the cause and effect linkages are acknowledged via the remuneration system and, as was noted in the interviews, “this allows the business to be operated with due regard for all stakeholders” (Head of International Audit). It would appear that the cycle is driven by paying very close attention to the customer’s needs, which if satisfied create a virtuous circle of improving results, as shown below in Figure 1.

This focus on the customer fits with the widely accepted principle that increased customer loyalty is the single most important driver of long term financial performance (Nortek, 2000). It may, however, be argued that this view might be limited to, or especially applicable to, fast moving consumer goods markets such as that of Tesco, where customers make frequent purchases. Starting with employees, investment in staff training and effective recruitment help to ensure low staff turnover rates and ongoing improvements in employee performance, which in turn feed through to better process management.

Equally, process improvements may raise employee performance levels, and so the cause and effect arrows flow in both directions. Efficient operations help to ensure that customer needs are met, and if customers are happy the financial targets will be achieved. Information feedback systems ensure that operational processes are fine tuned to respond to customer complaints, and so once again the cause and effect arrow flows in both directions.

The resulting higher profitability facilitates investment in better customer provision combined with increases in staff bonuses that hopefully reduce staff turnover rates. In this way the circle repeats itself and the controls and performance targets interact to add value. […] impossible because of all of the intervening factors that may impact on performance, but the model suggests that Tesco Plc has adopted and believes in a balanced scorecard approach to strategic performance management.

Figure 1 Cause and effect in the steering wheel

5.2 Linking strategy to risk management

Ensuring that targets are met in terms of customers, people and processes does not necessarily mean, however, that risk is being managed. Consequently, there is a need to also ensure that risk management controls complement rather than conflict with the performance targets set within the steering wheel. The first way in which this is achieved is via a strategy:risk management control loop, as portrayed in Figure 2.

The risk management standard produced by the Institute of Risk Management (2002) identifies three key elements in the risk management process, namely risk assessment, risk reporting and risk response (measures to reduce or modify risks), and all three elements form part of the control loop. Risk assessment comprises both the establishment of risk appetite and the identification of risks; risk reporting takes place following the risk monitoring by both line management and internal audit.

Risk responses and control mechanisms are the responsibility of line management, and internal audit then independently monitors the risk systems established by management. Internal audit may also offer advice to line managers regarding deficiencies or potential improvements to risk controls. As Figure 2 shows, the corporate strategy that is determined by the Board of Directors is translated into a maximum acceptable level of risk, which is set in the light of their knowledge about market and shareholder requirements and the trade-off between risk and return.

The risk appetite will also be influenced by the existing business mix and the known associated risks. Line managers, in conjunction with internal audit, take responsibility for establishing a complete list of the risks that may be encountered across all businesses and designing the controls that will ensure compliance with the appetite level specified by the Board of Directors. The adequacy of the controls is then assessed by internal audit, whose staff use process mapping to compare exposure to risk against the Board’s desired risk appetite.

Figure 2 The strategy: risk management control loop

The effectiveness of the controls at business unit level is monitored via performance measures overseen by the line managers, and the CEO of each business unit holds overall responsibility for risk performance. This operationally based risk management is complemented by risk based internal audit, with the audit programme focusing on perceived ‘problem’ areas and new businesses where risks are less well understood – “we would audit on the basis of highest risk” (Head of International Audit).

The problem areas are identified via managerial experience and intuition rather than extensive use of sophisticated risk modeling – “at the end of the day it is people’s experience and how you feel” (Head of Internal Audit). This approach matches with […] were preferred to probabilistic measures of risk. Internal audit sees its role as threefold: firstly, assisting in the identification of risks; secondly, advising on the design of appropriate controls; and finally, using risk based audits to test the effectiveness of the risk control system(s).

The overarching aim is to raise awareness of the formal risk management processes. The degree of control is closely linked to strategy, so that if investment in a new high risk area is required, then audit resources are diverted to monitor those risks to ensure the fulfillment of strategic aims. This fits with the findings of Selim and McNamee (1999), who found that the assets, projects and processes that were deemed key to strategic objectives were central to the definition of the audit universe.

In addition, a key risk register is held at board level and a traffic light system is used to categorize risks, so that any key risks registering as amber or red will be brought to the attention of the board and/or the audit committee within a very short time frame.

5.3 Communication lines for strategic and risk control

In order for any organization to achieve its objectives in respect of strategy or control of risk, effective communication of the objectives across the organization is vital. The communication framework serves both to support the achievement of objectives and to operationalize the relevant controls.

In the case of Tesco Plc, therefore, there is a need to design communication lines to ensure that all staff understand the group’s strategic objectives as defined within the steering wheel, and also the relevance of both steering wheel and risk based performance measures to the attainment of those objectives. Figure 3 portrays the lines of communication used within Tesco Plc. The direction of the arrows indicates the direction of the flow of information, with upward arrows showing reporting lines, whilst downward arrows show the communication of objectives or priorities. In terms of strategic performance, staff report to the strategy director who, in the case of Tesco, is also the finance director.

Risk issues are reported to the monitoring committees and internal audit. The non-executive position is represented by the audit committee, to whom the head of internal audit reports on a regular basis. In fact there is two-way communication here, because the audit committee may also ‘drive’ internal audit via the expression of concerns over specific areas of the business.

Figure 3 Communication lines used for control of strategy and risk

