The short answer is – you hope you have some idea! So how are you driving out your corporate risk?
No one wants to be in the spotlight like Tesco was last week, announcing that they had overstated profits by £250 million. Without having good risk and governance tools in place, this type of problem is exactly what we are risking.
At least part of the control framework at Tesco has worked effectively – a whistle-blower has spoken with the audit committee and the issue has been taken seriously and investigated. The problem of course is that this part of the control framework was too late to avoid reputational damage with investors, customers, suppliers and employees.
The very nature of business is challenging, but by identifying the major risks to your business, you have an opportunity to manage those potential situations effectively. Options include insuring against them, avoiding them and minimizing them.
An area of risk minimization the Tesco story has highlighted is how to minimize the risks to our businesses of inappropriate preparation and validation of reporting numbers. Whether those numbers are being reported to market, to private owners or in another direction, the same requirement exists – accuracy.
So can you look at ways to minimize risk from accounting policies? The primary risks clearly concern whether the policies are followed and whether they are appropriate. Ensuring both is fundamentally what the audit committee and audit processes are there to support.
At a higher level, to make this effective, an organization needs to ensure that an appropriate control framework is in place, incorporating an effective risk management model.
The very idea of risk management needs to be embedded in an organization’s culture. If someone does not feel able to highlight a concern or risk, then the whole organization is at fundamental peril.
The underlying concern here is awareness so that appropriate controls can be put in place. If a board is aware of a risk or issue then they can put plans and actions in place to handle or avoid those items.
To achieve this we need everyone to be able to contribute to risk identification, whether directly through line management (where there is potential personal risk in identifying concerns), directly to the audit committee, or via an anonymous concern identification forum. If the organization can be better aware of the issues that are potentially being faced, then there is an opportunity to put plans in place to minimize or handle those issues and risks.
On this basis I would actually like to congratulate Tesco for having a mature enough culture to allow whistle-blowers to come forward.
How do you handle issues raised by your staff members?