Archives For Paul Moxey

Risk and Black Swans

accapr — 25 March 2014

Simon Constant-Glemas, VP Corporate and UK Country Controller at Shell

There are few industries more risky (in terms of the obvious risks, at least) than the oil and gas sector. These companies typically work in dangerous environments, often in unstable regions (in terms of both geography and politics) and are subject to the unpredictable variances of commodity prices and exchange rates. As a result, risk reporting is both a critical and contentious subject for the oil and gas sector, as was brutally illustrated by BP’s Deepwater Horizon disaster in the Gulf of Mexico in 2010.

The disaster focused everyone’s mind on risk and risk reporting, particularly in the extractive industries. There has definitely been an increased focus around risk since Deepwater Horizon, because it was such a significant event. That and the financial crisis have made everyone more risk-aware.

I am aware of investors’ desire for more information about risks, but a more considered approach should be taken. Addressing all possible risks in a risk report would be counterproductive – more comprehensive risk reporting doesn’t mean better risk reporting. We employ more than 100,000 people in 70 countries, so any risk that’s applicable to a large multinational would apply to us. It is much better to provide a concise overview of the key risks inherent in the business that are most likely to prevent the achievement of its objectives.

One area where risk reporting might be constrained is where disclosure could be perceived to damage competitive advantage. I don’t think competitive advantage is an issue – you can strike a balance between referencing risk and not giving away critical information. We need to be careful sometimes about things like risks around a particular transaction but the vast majority of the time some information will be in the public domain already and so, if necessary, a more generic reference can be made. Suggestions that companies should try to quantify the potential impact of major accidents and events, though, are more difficult to address.

The fundamental question is whether a risk report can ever helpfully highlight the risks of rare but catastrophic events – analysts argue that an attempt to quantify the financial impact of a disaster on the Deepwater Horizon scale would be useful but understandably, this is something that organisations themselves are reluctant to do.

It’s the Black Swan effect – it rarely happens but when it does, the impact is massive. The difficult conversations about Black Swan events do take place within a company, but specifically disclosing all of the details in a risk report is another thing altogether. If you put a dark lens on everything and, for instance, try to quantify what the financial impact of a very rare disaster could be, you could scare away a lot of investors.

The nature of black swan events means that it is difficult to think about what the impact of an event could possibly be, let alone put a reliable figure on it, but I strongly believe that a thorough consideration of everything that could possibly go wrong is an important part of good risk management, even if the full details are not disclosed publicly. I do wonder if enough thinking goes on around rare events – I suspect that not enough people considered the probability of the entire inter-bank lending system grinding to a halt overnight before the financial crisis happened.

The main problem discussing Black Swan events in a risk report is that the context of probability is difficult to get across. Ideally a risk report should contain enough detail to start the necessary conversation between stakeholder and management. The quality element of risk reporting comes down to the conversation about risk that takes place, and that conversation should start with the risk report. A detailed discussion about risk is more likely to come out in a discussion between the CEO or finance director and analysts and other stakeholders – the annual report is not really the place to go into that sort of detail.

It is these conversations that are the most valuable to stakeholders, and also why more frequent risk reporting would not be particularly helpful. A certain amount of risk is strategic and it would feel more like crisis management if risk reporting was carried out more frequently than it is today. The crystallisation of an emerging risk or emergence of a new risk would certainly warrant disclosure but risk reporting should not be confused with robust and timely management information.

There are parallels to be drawn here with the increased regulation faced by multinationals since the financial crisis. There has been a huge increase in it since the financial crisis and the question is whether that drives better risk management or not. There have certainly been unintended consequences – at Shell we are captured by criteria that are not intended for us, simply because we are large. In my view it has the potential to distract organisations from good risk management.

My main concern is that the raft of new regulatory requirements could result in organisations seeing risk reporting as just another tick-boxing exercise, rather than driving better risk management. We have to be careful that we’re not reporting on risk in order to satisfy a process, but that risk management is used effectively as a way to differentiate the business. In the past risk management was focused on mitigation, but today it is part of adding value to the organisation.

Frank Curtiss, head of corporate governance at RPMI Railpen Investments

Investor primacy and a clear narrative in the voice of management are key elements in risk reporting.

What I want to see is an honest explanation in the context of the business strategy and the business model and how that risk is managed. While I recognise that other stakeholders will want to look at corporate reports and there is a wider public interest, the purpose of reporting is about stewardship and accountability to those who provide the risk capital.

Boilerplate reports are of little use, as are reports which drag investors into the micromanagement of the business.

A boilerplate approach may be what your lawyers think is a good idea and you may think you can’t be faulted but you can. Even worse is just an exhaustive list of risks, some of which are so obvious. What we need to know are the key risks, why management thinks they are critical and what they are going to do about it.

As a member of the IIRC working group I am naturally a keen proponent of integrated reporting, and keeping risk reporting connected to the broader risk management approach of the company.

It’s also about integrated thinking and working across the company. We see enthusiastic companies taking part in the IIRC pilot programme where finance and corporate social responsibility and investor relations are working together, not in silos.

The less enthusiastic finance departments tend to throw out excuses about sensitive information and increasing the reporting burden. In many cases they should be reporting on these things anyway if only for management information. There’s clearly a balance between informing the markets and giving the game away, but the more transparent companies don’t seem to have a problem. If people tell me ‘it can’t be done, it can’t be done’ I just tell them that some people are already doing it.

Some of the companies I think demonstrate good risk reporting include:

  • Admiral – highlighted the risk relating to their change of strategy in the CEO’s statement – which is where it should be
  • Aggreko – written in a personal voice, refreshingly honest and doesn’t shrink from telling us the potential risks to revenue
  • BT – very good description of the business model and very good up-to-date risk section – we don’t want to read the same thing year after year
  • Great Portland Estates – they explain the strategy pretty clearly, each risk is identified and discussed with helpful cross references to other parts of the report
  • Provident Financial – lending to subprime customers is a very risky business and terribly topical: the risk section is very good and tells what their risk committee agenda is.  But it’s a hugely controversial sector and they know they need to explain it—we don’t need that level of detail from every company.

Often higher levels of transparency can be found in those areas, such as gambling and tobacco, where the ‘licence to operate’ is in question. They are all too aware that the spotlight is on them and they’ve got to justify themselves.

But some industries are in general better than others – the extractive industries are generally ahead of many financial services organisations, for example.

An important factor is the general level of information that is around. There’s the risk of assuming prior knowledge. For a mid-tier company there’ll be nothing like the level of analysis that there is on say, the big telecoms providers and their peers. And even the most clued-up investors don’t know everything – they’re not present at board meetings or risk committee meetings or audit committee meetings so the more that a company explains the better.

In recent years RPMI has shifted its asset allocation considerably away from UK equities and is now a truly global investor across a number of countries. I would like to see a more closely aligned international standard of reporting. However with even English-speaking countries with common traditions having wide variations, it is difficult for companies simply to import a better reporting regime into a different jurisdiction.

There’s got to be a race to the top, that’s why I support the IIRC attempt to promote best practice internationally. There’s definitely a willingness by governments and regulators to embrace this, but investor and privately led initiatives tend to be more successful, as by definition regulation has to be more detailed. We don’t hope to change it tomorrow but we might see a significant step-change between now and 2020.

By this time I hope that more and more reporting will have moved online, hopefully in standardised formats that make it easier for investors to mine and work with the data.

An annual report is useful as a snapshot for stewardship purposes—but as technology improves you will see dynamic integrated reporting as reporters and users become more confident, and that will eventually replace the massive end-of-year annual report.

I have seen a lot of progress in risk reporting since the financial crisis. Risk has now become something that can be discussed when previously it was a four-letter word. The better reporters are telling us something useful about risk—the levels of disclosure used to be terrible across the board, now there are plenty that are not.

Successive generations of management will wonder what all the fuss was about. The benefits of better quality information and greater transparency must outweigh the risks of an enhanced disclosure regime, and any unhelpful side effects will be more than balanced by the positives.

The big challenge now is the mass of companies whose risk reporting is inadequate at best:

There are some shining examples, good reports that tell the story honestly and in the voice of the company. The trick is to get the others up to speed.

High quality risk reporting increases investor confidence, not just in terms of the risks being discussed, but also in the overall quality of management:

It provides reassurance in terms of stewardship and responsibility that the management are taking on all this and that they are looking at the right risks.

Ultimately it’s all about what management think and what they are doing.  And if a company can’t explain its own strategy and its business model itself, then who can?

By Eric Tracey, investor, Governance for Owners

An integrated and individual approach to risk reporting is the key to helping investors make the right decisions.

When I read about a company’s strategy and objectives I want to read about risk as well. You can have higher and lower risk strategies depending on what you are trying to do but risk is inherent: what you want to see is how two companies that do ostensibly similar things are going about, or might go about, them in a way that is different, and that’s what you want to understand.

I want to read about what the directors are really worrying about – not something that is just made up for the annual report.

The great challenge in all reporting is that it gets taken over by advisers. They either make it all very bland or alternatively put everything in but the kitchen sink, in which case it becomes completely useless. That’s the biggest threat to good risk reporting.

Risk reporting should contain a certain amount of policy, but it’s more about what’s changed than what carries on from year to year.

What you want people to do each year is not to quite start from a blank sheet of paper, but it’s important to say this is what we’ve done this year. Reporting needs to be in the past tense – if it just becomes a whole series of policy statements then it frankly becomes pretty meaningless.

I am also not impressed when issues of commercial sensitivity are used as a barrier to risk reporting.

It’s a fantastic smokescreen to hide all sorts of things and I don’t give it much credence at all. You ought to be able to describe your risks to the business without giving away something that you should keep secret. It’s precisely because it’s sensitive that something should be reported to shareholders.

Where the law limits what can be said, looking forward, there is still a lot that can be said about the company’s approach to risk and who is managing it.

If I saw something that said risk is the responsibility of the audit and risk committee, I’d be more wary than if a company told me that risk is the primary responsibility of the CEO and the management team. Those would be quite different statements.

Similarly a company’s risk appetite can be better communicated by talking about what the company actually does and is revealed in the decisions the company makes. It is reflected in the exposures taken, and whether you are comfortable with them and if the return you are getting is acceptable.

What’s important is that this risk appetite and approach is reflected right through the business all the way up.

In good companies that’s what they try to do – they say, this is how we do what we do, this is how we approach risk, now let’s write that story. So you don’t have these enormous exposures that the board is not fully aware of, which is clearly what happened in the financial crash, when there would have been people somewhere in the banks who understood the risks.

I want to get a clear understanding of regulatory risks and how these are shaped by the various financial control authorities around the world.  More standardisation of the reporting of risk around the world would in theory be a good thing, but the perfect should not be the enemy of the good.

While you can’t object to standardised international reporting, you don’t want to say you want everyone to be in the same place before you do anything.

As far as frequency goes, I am fine with ‘proper annual reporting’. If you do anything other than that you can overload people with information so that they can’t cope or use it in any way. You need to know what’s going on but the shareholder can’t cope if it’s every quarter or every six months – that’s too often and encourages short-termism.

Risk is the “core of capitalism” and developing an adequate understanding of it is an “interesting challenge.”

Does the growth of risk reporting make organisations more risk averse? Possibly, but it’s not necessarily a bad thing. You can have an adequate discussion of risk without beating the hell out of any entrepreneurial spirits.

An ongoing tension in the debate around risk reporting is the gap between what investors want from a risk report and what companies feel is appropriate to disclose. The arguments are familiar: investors want a full and frank discussion of the risks the company faces; however companies say that providing any more detail than they currently do would require them to disclose commercially sensitive information.

In the first of a series of blogs on risk reporting, Jane Fuller, journalist and financial analyst, says this is a poor excuse for not being completely transparent.

I think it’s used too much as an excuse and it tends to infantilise the role of investors. Companies are effectively saying that they don’t want to frighten the horses.

I have been closely involved in responding to the initiatives developed by the IASB (the International Accounting Standards Board), the UK’s Financial Reporting Council and others since the financial crisis, which have collectively attempted to improve the risk reporting of financial institutions.

I feel that risk reporting in general still has some way to go, although guidance such as that from the Enhanced Disclosure Task Force of the Financial Stability Board has helped. The momentum towards better risk reporting has increased since 2008 – I have had more discussions about how to improve risk reporting since then. Moving things forward with purpose will require a change in attitude.

One of my major concerns about current risk reporting, and one that has been identified by CFA UK, is that risk reports rarely get to the fundamentals of what an identified risk would mean in practice i.e. the oil spill from BP’s Deepwater Horizon rig in the Gulf of Mexico in 2010. The group’s risk reports before the accident might have mentioned safety risks repeatedly, but there would have been little to help analysts in terms of what a rare accident might mean when looking at the financial impact it has.

BP could have said, for example, that accidents rarely happen but if one does, it will be very expensive for us and this is how we would mitigate the impact. Or a pharmaceutical company could disclose its general risk of litigation and say that while it happens on rare occasions, if it does happen the risk is considerable, perhaps illustrating this by disclosing the biggest payouts in the sector in the past.

This approach might cause migraines in many a boardroom but it would result in a far more useful discussion about risk. The main barrier to better risk reporting is companies’ reluctance to be frank. At the moment risk reporting is a process-driven exercise, which describes what they have looked at and the risk-management process, and that is a long way from a truly frank discussion.

The second problem is that risk reports have a management bias – a bias towards putting a gloss on everything. There is not enough challenging going on, from boards or auditors or investors, about the ‘what ifs’ – what if this went wrong? The reaction of some companies seems to be “don’t worry your little head about it.”

Ideally I would like to see risk reports that prioritise the major risks faced by the company, as well as identifying any emerging risks. A few banks, notably Barclays and HSBC, have experimented with this approach since the financial crisis and the results have been interesting.

This suggests that there is some scope for shortening risk reporting in the voluminous discussions and boilerplate lists sometimes produced. Some investors like the very detailed risk reporting you get in a prospectus. I’ve seen risk reports that run to pages and pages. Personally, I would like to see risks prioritised, without losing too much detail. I would rather have 20 pages of risk disclosures and use my own brain than very few. If there is too much narrowing down of the reported risks it is more likely that something will be left out.

I don’t favour frequent or real-time risk reporting. It has to be a stand-back exercise and for that reason, I am generally happy with annual reporting. A focused, standalone interim report, which states the top risks and how the company is handling them, as well as any new risks that have emerged, might be a good addition, but risk reporting twice a year is enough.

The various initiatives designed to improve risk-based disclosures – such as the IAASB’s proposals on material misstatement – have had some impact. But even if the quality of risk reports improves, any sensible investor would see the report as just one element in making a decision. A risk report is the management’s perspective, after all. To get the full picture you need to look more broadly than that. You ask yourself if there is other evidence that you can collect that would shed more light.

It’s a timely reminder that to see the best view, you need to stand back.

By Paul Moxey, head of corporate governance and risk management

It’s now 20 years since the Cadbury Code was introduced. This is the code adopted by the Listing Authority and the London Stock Exchange to restore trust in the City and in financial reporting and ensure that scandals such as BCCI, Polly Peck and Maxwell could not happen again. It set out 19 best practice principles for corporate governance – few people had heard of the term then. Its provisions, in fewer than 600 words, covered the role and structure of the board, audit and reporting on the company’s position including going concern, board remuneration and internal control.

The Code has grown through the years as it went through several iterations. It is now administered by the FRC and called the UK Corporate Governance Code and its principles and provisions take up around 5,500 words, roughly ten times as many as the original code.

Has the Code done a good job? Most experts think it has. The UK has seen few corporate scandals in the last 20 years and many would say that is thanks to the code and they are probably right. But has governance helped create value? We have had the financial crisis and, for savers and investors, little growth in share prices for the last 10 years.

We have however seen the growth of an industry of governance specialists and advisors and we have seen the failure of several banks and, as a society, we bear the scars. ACCA says that the bank failures were governance failures. Others see things differently and in December 2010 the FSA concluded its first inquiry into the failure of RBS saying it did not find evidence of governance failure on the part of the board. This surprised many people. If a company fails surely that points to governance failure unless the reason for it was clearly not to do with the board. It is hard to think of how the failure of RBS was not to do with the board unless we consider they were just victims of circumstances.

Is a board responsible for what goes on or a victim of it? Let’s consider Barclays’ role in fixing LIBOR. The Treasury Committee, in its inquiry this summer, heard that the FSA, in a recent review, had considered Barclays’ governance to be satisfactory. The official conducting the review was reported to have said Barclays’ governance was ‘best in class’. During the same period, others at the FSA were concerned about the culture of Barclays at the top. Lord Turner, the FSA Chairman, wrote to the then Barclays Chairman about what the FSA saw as behaviour at ‘the aggressive end of interpretation of the relevant rules and regulations’ and about the bank’s ‘tendency to seek advantage from complex structures or favourable regulatory interpretations’. Lawyers call this creative compliance and it sounds a little like Enron.

It illustrates the main problem today with both governance and regulation – there is more to compliance than compliance. The focus with both governance and regulation has been on compliance with provisions – in the case of governance, with the Code’s provisions, where the banks and other companies of course fully comply with the letter. It is much harder to tell if companies follow the spirit of the Code and it seems that essentially no one has been looking at how companies do this. The culture at the top of an organisation and the tone set by the board are crucial to whether or not there is good governance but it is very hard for outsiders to judge. Very few company governance reports convey a real sense of this although there is usually plenty of well-crafted text to tell us everything is just fine.

The FSA is changing its approach to regulation to one where supervisors are allowed to exercise judgement. This will make it easier for them to decide when the spirit of a code or regulation is being followed. It may be harder to get a board to respond appropriately. The Treasury Select Committee Chair interpreted Lord Turner’s letter to Barclays as a reading of the Riot Act. The Committee report however makes it clear that neither the CEO nor the Chair of Barclays seemed to get the message although Barclays’ board minutes recorded the seriousness of the matter as it recorded ‘Resolving this was critical to the future of the Group’. The Committee report says that judgement-led regulation will ‘require the regulator to be resolutely clear about its concerns to senior figures in systematically important firms’.

A judgement approach is needed for how everyone else looks at governance for companies – investors and their advisors, the media and regulators – and us. As we hear more and more stories about the tone at the top of organisations such as News Corp and the BBC, and about the minimal amounts of UK tax paid by UK household names such as Amazon and Starbucks, it behoves us all to look more closely at large organisations and how they are governed – not just whether they comply with the rules. We should be asking more questions of our leading corporations and holding them to account.