Manage risk, protect rewards

AS A MOMENTARY blip is a tempting way to regard the fraud figures published last week by the accountancy firm KPMG. That serious fraud more than doubled over the year to pounds 279m is serious enough, but it comes at a time of growing concern about business's ability to manage risk of all sorts.

Such worries have been most graphically illustrated by the financial crisis that brought the tiger economies of the Far East crashing to earth in 1997, before ripping through other emerging economies, and the near- collapse of the speculative investment fund Long-Term Credit Management. But the globalisation of business and the increasing complexity of many of its operations mean that it is a problem not limited to isolated incidents.

Recent research from another accountancy firm, Ernst & Young, indicates that senior executives are increasingly concerned about financial risk. Two-thirds of organisations across Europe said risk management was an important issue, with 97 per cent claiming to have assessed their major risks. But fewer than half expressed confidence in their risk control systems. Only 10 per cent were completely confident.

Even organisations that appear to be among the most sophisticated in the world find it easy to underestimate the risks in emerging markets or fledgling financial instru- ments.

For financial institutions a significant part of the problem is that their industry changes so fast. They need to make improvements to their risk-management systems just to keep pace. At the same time, they cannot abandon risk altogether, since a large part of their business is about assessing and taking risks.

But this is also true for non- financial businesses, since risk is a key element in the investment decisions made by shareholders and directors. Accordingly, while leading banks can be expected to limit their future exposure to emerging markets - just as they reduced their lending to the property sector after the sharp downturn at the beginning of this decade - they cannot abandon risk altogether.

Instead, organisations are tackling the issue in two ways. First, they are making greater use of models and detailed analysis of past events. Effective as these can be in reducing the likelihood of poor decisions, they will never provide an absolute answer, Michael Foot, head of financial supervision at the Financial Services Authority, points out.

But investors of all kinds are also trying to find out more about the operations in which they are seeking to invest: hence the growing interest in international accounting standards, so that investors can be more certain that companies are performing how they say they are.

But there is a related issue which has come to a head in the UK with the publication at the end of last year of the Stock Exchange's Combined Code on Corporate Governance, with its requirement that boards of companies identify key business risks or review how they have been identified and endorse the conclusions.

This has led to much debate about the extent to which managements will be prepared to report on their effectiveness and whether external auditors will feel qualified to comment upon such statements.

A survey recently carried out on behalf of the management consultancy Tillinghast-Towers Perrin found that most finance directors in leading companies, while recognising the importance of risk management, were worried about confidentiality and the costs of enhanced reporting on risk.

But the Institute of Internal Auditors is trying to drive home to organisations the need for effective controls. Though this idea has negative connotations, Richard Gossage, the NatWest executive who is the current president, sees a role for internal auditors in challenging their colleagues on their activities.

Mr Gossage believes he and his counterparts in other organisations can add value - in the current parlance - if they can encourage executives to take a more professional view of risk management. As evidence, he points to the arrival in certain financial institutions of operational risk management functions. And he hopes others will be encouraged to join them by a brochure his organisation has published under the title "10 minutes is all it takes" with the aim of setting out the benefits of having an effective internal audit department.

But organisations are not starting to go down this route just because they are being compelled to. They are starting to see sound commercial reasons for doing so, not least because companies with such systems in place are starting to be seen as better credit risks.

As Mr Gossage says: "Assessing and controlling risks is not a flash in the pan. It's a key driver for maintaining sound corporate governance and competitive advantage."

Nevertheless, for all his enthusiasm, there are still plenty of grounds for concern. At the FSA, for instance, Mr Foot points to barriers to effective internal controls, including the difficulty of managing increasingly far- flung and complex organisations. The collapse of Barings has shown how easy it is for responsibility for certain activities to slip between the cracks.

Comments