Corporate Governance – Boards, Audit and Risk Reporting - Nabarro

International Financial Regulation ReviewISSN 2047-4733Source: International Financial Regulation Review: News Archive > 2012 > Latest Developments >Analysis > Corporate Governance: Corporate Governance – Boards, Audit and Risk ReportingCorporate GovernanceCorporate Governance – Boards, Audit and Risk ReportingBy Alasdair Steele, Partner, Nabarro LLP, LondonIn September 2011, the Financial Reporting Council (FRC) published reports on “Boards and Risk” 1 and“Effective Company Stewardship” 2 . Both of these reports highlighted the finding of research carried outby the FRC and give an indication of some of the FRC's agenda for 2012.——————————————————————————————1 Financial Reporting Council, Boards and Risk: A summary of discussion with companies, investors andadvisers (September 2011)http://www.frc.org.uk/images/uploaded/documents/Boards%20and%20Risk%20final.pdf2 Financial Reporting Council, Effective Company Stewardship: Next Steps (September 2011)http://www.frc.org.uk/images/uploaded/documents/ECS%20Feedback%20Paper%20Final.pdf——————————————————————————————Report on Boards and RiskThis report focused on the way in which company boards assess, manage and report on the risksaffecting their businesses. The main conclusions reached by the FRC were:• the focus on risk by boards has increased greatly;• a limited review of the Turnbull Guidance 3 (Internal Control: Revised Guidance for Directors) isrequired to reflect the role of a board as set out in the UK Corporate Governance Code 4 ; and• there is a need to share more widely the ways in which boards are developing to assess andaddress risk.——————————————————————————————3 Financial Reporting Council, Internal Control: Revised Guidance for Directors on the CombinedCode.(October 2005)http://www.frc.org.uk/documents/pagemanager/frc/Revised%20Turnbull%20Guidance%20October%202005.pdf4 Financial Reporting Council, The UK Corporate Governance Code (June 2010)http://www.frc.org.uk/documents/pagemanager/corporate_governance/uk%20corp%20gov%20code%20june%202010.pdf——————————————————————————————Copyright 2012, The Bureau of National Affairs, Inc.Reproduction or redistribution, in whole or in part, and in any form, without express written permission, is prohibited except aspermitted by the BNA Copyright Policy. http://www.bna.com/corp/index.html#V1

International Financial Regulation ReviewISSN 2047-4733The UK Corporate Governance Code states that “the Board is responsible for determining the nature andextent of the significant risks it is willing to take” and “should maintain sound risk management andinternal control systems” 5 .——————————————————————————————5 UK Corporate Governance Code, Main Principle C.2——————————————————————————————Risk awareness, management and monitoringThe FRC found that there is now greater awareness and discussion of risk than there had been a fewyears ago, but that there were doubts as to the extent to which this has fed through to lead to betterpractices. One aspect which is stressed in the report, and important to keep in mind when framingdiscussions around risk, is that better risk decision-taking should not automatically mean less risk-taking.Risk-taking is an inherent aspect of running a business. Risk management is really all about boardshaving a better understanding of the risks involved in what their companies are doing and then takingdecisions consciously and monitoring those risks.As to how to assess and monitor risks, one of the themes which comes through from the FRC's report isthat there is a general acceptance that one size does not fit all. Therefore while it may be an appropriatemanagement mechanism in financial sector companies and some other industries which involvedsignificant health and safety, environmental or regulatory risks, to have a specific board risk committee,for the majority of other businesses, it was unlikely to be necessary. Risk in these types of business willbe addressed either by the board itself or in the various sub-committees which they have for matters suchas compliance.As between the roles of management and the board with regard to risk assessment and control,management are primarily responsible for identifying operational risks and bringing them to the attentionof the board, as well as for implementing the board's policies on a day-to-day basis. The board howeverremains responsible for assuring itself that management's responsibilities are being carried outeffectively. There are a number of ways in which a board can do this, including ensuring that there isclear allocation of responsibility and accountability to individuals within management (including asbetween the senior executives) and then following up with direct board contact with those individuals.Other approaches used have ranged from board committees meeting regularly with the relevantmanagers to requiring managers to certify the effectiveness of the risk controls to the board and bringingin external advisers to review the position. In each case, the approach depended on the nature of thecompany, its size and business.Different views are expressed between the identification of risks and the management of risks. Theboard's involvement in identifying risks is likely to be more focused on identifying risks relating to thecompany's strategy and external risk (such as regulatory change) while the identification of operationalrisks is seen as lying mainly with management. However, no such distinction is drawn when it comes tomanaging risk, where the board needs to focus on the risks which might cause the most damage to thecompany, including reputational risks, however they may arise.Assessing risk is also becoming considerably more developed, with boards now considering both grossrisks (risks before any mitigation policies, such as disaster plans, were effected)and net risks (the riskafter the mitigation policies are effected). By looking at both the gross and net risk, at both the individualrisk level and across all risks, the board should be able to determine an aggregate appetite for risk whichcan then be used to set reporting levels where management should report incidents and risks to theCopyright 2012, The Bureau of National Affairs, Inc.Reproduction or redistribution, in whole or in part, and in any form, without express written permission, is prohibited except aspermitted by the BNA Copyright Policy. http://www.bna.com/corp/index.html#V2

International Financial Regulation ReviewISSN 2047-4733board. This reporting mechanism needs to balance the need to consider the velocity of risk (the extent towhich relatively small individual matters may escalate into something much more serious) against theprovision of too much information (where every minor matter is reported to the board).Risk reportingHow boards report on risks is an area where there is a divergence of views between investors andcompanies. Investors believe there is significant scope for improving the reporting of risk whilecompanies remain concerned that they will be disclosing commercially sensitive information or thatdisclosing the risks may heighten the likelihood of their occurring. Suggestions in the FRC report on howthe position could be improved include:• commenting on risk matters throughout the annual report where relevant, rather than having astandalone section;• reporting on risk by reference to the strategy and business model of the company, rather thannecessarily specifically to the company's operations;• reporting on how key risks are managed; and• reporting on changes in risk exposure, particularly as a result of changes in strategy or thecompany's business model.While the FRC will pick on various aspects of the contents of the report when it reviews the UK CorporateGovernance Code in 2012, the main activity which will follow from this report is a review of the TurnbullGuidance to ensure that it reflects the way in which the UK Corporate Governance Code links strategyand risk as well as changes in the general corporate environment. This review is expected to take placethis year.Report on Effective Company StewardshipThe FRC's paper on Effective Company Stewardship focuses on the role of audit committees and the wayin which information is presented by companies. The FRC recognises a number of principles in itsapproach to financial reporting and the respective roles of boards, audit committees and auditors asfollows:• companies themselves are responsible for preparing financial reports and providing the relevantinformation, not the auditors;• companies, through their interaction with investors, are better placed than auditors to know whatinformation investors want and regard as material. Auditors are not in a position to know this orto make decisions which are properly management decisions as to what information is materialand should be provided;• if more emphasis is put on auditors providing information in the financial report, this is likely tolead to more boilerplate and less focus on the individual business and run a risk of theintroduction of standardised language;• all those involved in preparing financial reports, ie companies, audit committees and auditors,must ensure that the information is complete, neutral, free from error, fair and balanced;Copyright 2012, The Bureau of National Affairs, Inc.Reproduction or redistribution, in whole or in part, and in any form, without express written permission, is prohibited except aspermitted by the BNA Copyright Policy. http://www.bna.com/corp/index.html#V3

International Financial Regulation ReviewISSN 2047-4733• auditors must exercise professional judgement, adopting a challenging or appropriately scepticalapproach to key issues, matters and assumptions;• companies and their auditors must be comfortable that the annual report, taken as a whole, is fairand balanced; and• greater transparency should not automatically lead to more information but should lead to a betterquality of reporting.Narrative ReportingThe FRC intends to work with the Department for Business, Innovation and Skills in its review of narrativereporting as the FRC develops its own proposals. The FRC acknowledges a general need to improvethe quality and relevance of narrative reporting generally, with the emphasis being on improving thequality and reducing boilerplate disclosures. With this in mind, the FRC is going to be reviewing whetherit will be possible to create meaningful narrative supporting standards which can be applied on a “complyor explain” basis but without leading to more legalistic reporting.The FRC does not propose to pursue earlier proposals to increase the ability to report on information ontheir websites only by reducing the requirements for the printed annual reports in light of widespreadopposition. However, it is encouraging companies to look at improving access to annual reports usingavailable technologies.Strategy, Risk and Going ConcernAs part of its review of the Turnbull Guidance referred to above to reflect risk aspects, the FRC will alsobe reviewing the Turnbull Guidance and UK Corporate Governance Code to ensure that in future reports,companies focus on primarily on strategic risks(as opposed to those arising naturally such as earthquakedamage)and the major operational risks inherent in their businesses, and how they address and managethese risks.Role of the Audit CommitteeThe fundamental role of an audit committee is to oversee the integrity of a company's financial affairsfrom the effectiveness of its internal controls to the fair presentation of its results in its financial report. Itperforms this oversight function behalf of the whole board, as all directors are equally responsible for thecontents of the financial reports. The FRC would like to see greater transparency of the work undertakenby audit committees in the financial reports of companies, both so as to inform investors of the work beingcarried out and to allow audit committees to learn from the practices of others.The FRC is therefore proposing reviewing the UK Corporate Governance Code and related Guidance forAudit Committees 6 so that:• the audit committee's remit is extended to include reviewing the whole of the company's annualreport to ensure that it provides all necessary information for investors to assess the company'sfinancial performance and prospects and, taken as a whole, is fair and balanced;• the audit committee will report first to the full board setting out:——————————————————————————————6 Financial Reporting Council, Guidance on Audit Committees. (December 2010_Copyright 2012, The Bureau of National Affairs, Inc.Reproduction or redistribution, in whole or in part, and in any form, without express written permission, is prohibited except aspermitted by the BNA Copyright Policy. http://www.bna.com/corp/index.html#V4

International Financial Regulation ReviewISSN 2047-4733http://www.frc.org.uk/images/uploaded/documents/Guidance%20on%20Audit%20Committees%202010%20final1.pdf•——————————————————————————————• issues considered, how they were addressed and key judgements made;• their basis for concluding that the annual report is fair and balanced; and• their views on the effectiveness of the external audit and the appointment orre-appointment of the company's auditors; and• the full report of the audit committee to the board is included in the company's annual report.Audit and the role of auditThe FRC has considered again the role of the auditor and, as set out above, concluded that it is theprimary role of a company and its directors and audit committee to prepare and provide the informationfor inclusion in the financial report. The auditor's role is then to review and challenge the adequacy andaccuracy of that information.In line with this principle, the FRC is proposing reviewing the reporting of auditors in their reports to auditcommittees and in their audit reports to increase the transparency of their actions. The FRC specificallynotes that its revisions are not intended to affect the underlying work undertaken by auditors, only itstransparency. The revisions will affect the auditing standards relevant to:• auditor's reporting to audit committees under ISA (UK & Ireland) 260) 7 , in particular to ensurethat the report gives the audit committee all the information needed to understand what theauditors have relied on in reaching their audit opinion. The FRC expects to see increasedreporting on the effectiveness of the company's systems of control, how judgements onmateriality have been arrived at and the appropriateness fo the company's accounting policies;and• audit reports under ISA (UK & Ireland) 700 8 to give greater transparency , including whether theauditors have identified any matters in the annual report which are inconsistent with theinformation provided to them or contained in the financial statements.——————————————————————————————7 International Standard on Auditing(UK & Ireland) 260, Communication with those charged withgovernancehttp://www.frc.org.uk/images/uploaded/documents/ISA%20_UK%20and%20Ireland_%20260.pdf8 International Standard on Auditing (UK & Ireland) 700 (Revised), the Auditor's Report on FinancialStatements(March2009)_http://www.frc.org.uk/images/uploaded/documents/ISA%20700%20Web%20Optimized.pdf——————————————————————————————Copyright 2012, The Bureau of National Affairs, Inc.Reproduction or redistribution, in whole or in part, and in any form, without express written permission, is prohibited except aspermitted by the BNA Copyright Policy. http://www.bna.com/corp/index.html#V5

International Financial Regulation ReviewISSN 2047-4733AuditThe FRC has noted the various examinations of the audit market by the House of Lords Economic AffairsCommittee and the European Commission, as well as the Office of Fair Trading's decision to refer theaudit market to the Competition Commission , although the FRC generally is opposed to regulatoryintervention as being the best means to address the competition and market issues being identified.——————————————————————————————Office of Fair Trading, Statutory Audit: Market investigation reference to the Competition Commission ofthe supply of statutory audit services to large companies in the UK(October 2011)http://www.oft.gov.uk/shared_oft/markets-work/oft1357MIR——————————————————————————————There are two main aspects which the FRC considers as directly within its remit. The first is the auditappointment process and the length of time some auditors hold office (some of which have lasted morethan half a century). The FRC is not generally in favour of a mandatory rotation of audit requirement butis proposing amending the UK Corporate Governance Code and related Guidance for Audit Committeesto require companies to put the audit out to tender at least every 10 years (or explain why not) and torequire audit committees to explain why they did or did not put the audit out to tender and chose tore-appoint the existing auditor or appoint a new one.The second aspect which the FRC considered is the extent to which audit firms are permitted to providenon-audit services to audit clients. The position was last reviewed and the standards amended inDecember 2010, when the majority view was that auditors should be permitted to provide such services.The FRC believes it is too soon to judge whether the changes introduced in December 2010 have had theintended effect and will continue to monitor the situation.Next StepsThe FRC expects to consult on the amendments to the UK Corporate Governance Code, relatedGuidance to Audit Committees and Turnbull Guidance during the first half of 2012, with a view to anyamendments coming into effect later in the year.Alasdair Steele is a corporate partner at Nabarro LLP, specialising in UK and cross-bordercorporate finance, including public and private M& A, strategic investments and primary andsecondary equity issues, as well as regularly advising on consortia and corporate joint venturearrangements, particularly in the infrastructure sector. He regularly advises quoted companiesand financial intermediaries on the UKLA Listing Rules and Disclosure Rules, the ProspectusRules, the AIM Rules, the Takeover Code, corporate governance matters and general companylaw. Telephone: +44 (0) 20 7524 6422; E-mail a.steele@nabarro.com.Copyright 2012, The Bureau of National Affairs, Inc.Reproduction or redistribution, in whole or in part, and in any form, without express written permission, is prohibited except aspermitted by the BNA Copyright Policy. http://www.bna.com/corp/index.html#V6