COSO 2: the big yawn. The British enterprise risk regulations are hardly radical. There are no mandatory compliance or legal requirements.
Graham Buck
For many of Britain’s top blue chip companies, the United States is a vital market–in some cases, providing the bulk of their revenues. However, few would appear to regard the new Enterprise Risk Management Framework being developed by the Treadway Commission as life changing, or even particularly radical.
Set against the series of U.K. corporate governance guidelines initiated in 1992 with the Cadbury Report, COSO 2, named for the Committee of Sponsoring Organizations of the Treadway Commission, has already been criticized as adding little new or original thinking to the subsequent codes of best practice.
The nearest equivalent, the Turnbull Report, was published in September 1999. Drawn up by The Institute of Chartered Accountants in England and Wales, Turnbull offered British companies a framework for implementing the internal controls required by the Combined Code on Corporate Governance and had the blessing of the London Stock Exchange.
Simon Evans, a senior manager in the Enterprise Risk Management division at KPMG, believes COSO 2’s focus is less on Enterprise Risk Management and more on risk assessment; the latter has already been very much in evidence in the United Kingdom since Turnbull.
“The U.S. regime, as exemplified by Sarbanes-Oxley, is very much compliance driven, whereas the United Kingdom has moved more to one of comply or explain,” he says. “COSO 2 reflects this–it doesn’t focus on the wider framework for risk management.”
Richard Anderson, director of the Corporate Risk Group, is also unimpressed. “COSO 2 offers an interesting read as a framework of best practice, but no more, as it contains no mandatory compliance or legal framework,” he suggests.
This has further muted its impact, in contrast to the reverberations caused across the Atlantic by Sarbanes-Oxley.
Anderson believes some U.K. companies and those elsewhere in Europe may decide COSO 2 is a useful tool and adopt it as part of their ongoing corporate governance reviews.
Much of Europe, most recently the Netherlands, has adopted its own version of the Combined Code and similar moves are under way in Spain and some Eastern European countries about to join the European Union. However, in the wake of the Parmalat scandal in Italy and major corporate casualties such as Dutch supermarket group Royal Ahold, there is an audience for guidelines.
But Anderson describes it as “unadventurous” and modest in its ability to advance the debate on ERM. “It doesn’t pick up on either the new business thinking or the models now being developed in the United Kingdom.”
These include the newly launched Risk Management Standard, which was developed by the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC) and ALARM, the national forum for risk management in the public sector. This homegrown model has attracted rather more attention, to the extent that a number of companies are attempting to comply with its guidelines.
A further weakness of COSO 2 is that it fails to address a fundamental shift in emphasis in corporate governance and risk management, from compliance to performance, says Anderson.
“People should be able to focus on risk management as an enabler; one that is about the organization and its people, its processes, its outsourcing and relationships with its partners.
“That said, it would be good to see an equivalent of COSO 2 produced which replaced the focus on compliance with one on performance.”
SHAREHOLDERS IN THE DRIVER’S SEAT
In Britain and, to a lesser extent, continental Europe, activist shareholders have become a significant driving force for changes in corporate governance.
Major investors are already applying pressure on companies to disclose ethical risks, fearful of potential litigation or negative publicity for those with corporate policies that do not stand up to close scrutiny.
The Association of British Insurers, whose members represent about a fifth of London stock market investors, has issued guidelines encouraging boards to detail in the annual report how their company tackles non-financial risks. It also claims that only half of the top 250 blue chips currently do so.
The ABI has backed fund manager Henderson Global Investors, which recently indicated it would review a company’s “non-financial risk management” when deciding whether it was willing to endorse the report and accounts.
Nick Robinson, Henderson’s head of socially responsible investment research, said companies that withheld information on these issues were denying investors the right to make informed investment decisions.
Meanwhile, the U.K. government’s Department of Trade and Industry is about to publish the Operating and Financial Review, the fruits of a working group set up at the end of 2002. Described as “a shareholder driven document,” the OFR comprises a new set of guidelines requiring companies to include in the annual report details of social, ethical and environmental issues that materially affect their businesses.
They are scheduled for introduction in 2005 or 2006.
GOING BEYOND THE SEC
Business in the Community, an organization set up by more than 700 top U.K. companies, has come up with its own definition of what information should be regarded by directors as “material” and included in the OFR, summarizing it as:
“Information that is material … may be quantitative or qualitative; and may relate to facts or probabilities, and to past, present or future events and decisions.”
“Under OFR, companies that go into the risk assessment process will have to be very transparent, disclosing how they have gone about identifying and assessing each risk,” says KPMG’s Simon Evans.
“It goes rather further than the SEC requirement that business risks are identified on Form 20-F; for example, touching on issues such as a succession plan for the board and contingency plans ready for if and when a certain business strategy fails.”
BITC’s initiatives have included a business management tool, The Corporate Responsibility Index, established two years ago to support companies in improving their impact on society and the environment.
The index allows an assessment of the extent to which strategy translates into responsible practice throughout the company in managing the four key areas of community, environment, marketplace and workplace.
At an earlier stage of development is an initiative by the British Standards Institution (BSI) to develop a national standards framework for companies.
Nicki Davies, the BSI’s head of risk management development, said work is likely to get under way this summer and the aim would be “to change behavior and come up with standards that are aspirational, reflecting best practice rather than general practice.”
Davies believes the AIRMIC/IRM/ALARM guidelines provide an excellent starting point. The BSI project would require the involvement of bodies such as the Confederation of British Industry and the Institute of Directors as interested stakeholders. She admits that the work is not as pioneering as might first appear. “We lag behind Australia in this work, which is some four to five years ahead,” she says. “With a much smaller business community than ours, it’s been easier for them to get consensus–but all credit to them for moving the debate on standards further on.”
GRAHAM BUCK, Risk & Insurance’s U.K. correspondent, writes regularly on corporate governance issues. He can be reached at riskletters@lrp.com
COPYRIGHT 2004 Axon Group
COPYRIGHT 2008 Gale, Cengage Learning