Monthly Archives: February 2018

How a bow-tie can smarten up corporate risks

Imagine that you are worried about your infirm mother and want to make sure that you do everything to protect her. If you adopted typical corporate risk management practice, you would identify a risk that she falls over. You would then calculate the impact (maybe a broken bone) and then identify some mitigations, such as putting some cushions around her bed or installing a handrail. All sensible, but not very thorough. What if the consequence were a significant chance of her dying? Would you then want to do a more comprehensive risk analysis?

Understanding corporate and financial risks is becoming an increasingly important part of any board’s job. Most companies seem to use this same basic format. However, one of the biggest problems in traditional corporate risk analysis is the general, catch-all nature of ‘mitigations’. Anything you do to reduce the risk or ameliorate the impact is classed as a mitigation. This causes glib generalisations and sloppy thinking.

Good risk management has to be very specific and very clear. You won’t protect your mother from falling by saying that you’ll ‘keep an eye on her’. You would need to be very specific about who does what, when and why.

Typical risk analysis in an annual report

The Principal Risk section in an annual report typically has a description of the risk, its potential impact, mitigations and whether the risk is getting bigger or not. I’m not sure of the value of the trend, as it is surely more important to concentrate on the size of the absolute risk. However, it’s the catch-all mitigations that are the key and these are usually high-level generalisations:

“Adoption of rigorous policies and processes…”

“Regular performance reviews…”

“Deployment of high quality people…”

These are real examples of ‘mitigations’ of a risk that actually brought down a multibillion pound listed company¹. But they are also typical of most annual reports.

The bow-tie model

If you want to see best practice in risk management, look in industries where it is literally a matter of life and death, such as oil exploration, aviation, mining and maritime. They tend to use the ‘bow-tie’ model, which can also be applied to financial and corporate risks.

Hazard: The model starts by identifying a hazard. In our example, this would be your infirm mother moving around. She’s safe in bed, but the moment she gets up she opens herself up to a hazard. That hazard may lead to an event.

Event: This is the moment at which you lose control over the hazard. The hazard is her moving around, but the moment she loses control of her movement, ie she trips, it becomes an event. This is close to the typical corporate idea of a risk.

We now look at causation of events;

Threats: These are whatever might cause the event to happen. For example, the lady might have had a few drinks, or she might slip on some water, or she might have a funny turn.

Preventative barriers: These are things that might reduce or eradicate the threat. This would include some actions that would traditionally be called mitigations. In our example, it might include hiding the sherry bottle, or getting a carer to mop the floor or altering her medication.

And there are the results of an event happening;

Consequences: These are the outcomes from an event occurring. There can never be absolute certainty that barriers will work (ie prevent a threat causing an event). You can never be sure that your mother won’t ever fall over, despite your best efforts. It is important therefore to look at the results of such a failure. In this example, your mother might slip and break a leg or be left unable to call for help. These are not the risks themselves, but are possible results of the risk occurring.

Recovery barriers: These are things that might reduce or eradicate the consequence. Again, these include traditional mitigations, but are sometimes overlooked as it is often assumed that mitigations will stop any event from happening. In this example, you could put an emergency button on your mother’s wrist or put in cushioned flooring.

And then there are escalation factors;

Escalation factors: Few barriers are perfect. There are likely to be reasons why the barrier might fail. These are called escalation factors and can weaken barriers to both threats and consequences.

This model forces a detailed think through of the risks, how to stop these risks from crystallising and, if they do, how to mitigate the consequences. Think about the barriers as gates that stop bad things happening, but the escalation factors sometimes force the gates open.

An example of a corporate risk

Here is an example of a corporate risk, that of poor people management leading to resignations of key people, shown as a bow-tie model;

Bow tie diagram

This model shows the threats that might cause those resignations; uncompetitive remuneration, poor culture, inadequate career development and poor management practices. For each of those threats, the model shows what the company is doing to counter or prevent those threats. It also notes that there is an escalation factor, stress on people, that might exacerbate the threat of poor management, but this itself is offset by the use of in-house counselling.

If there were resignations of key people, the company could suffer the loss of key personnel, difficulty in day-to-day management, having to delay new projects, and putting more strain on remaining employees. To try to avoid or minimise these, the company will: conduct interviews to determine if a counter offer would retrieve the employee; use succession planning to identify replacement people who could be reallocated; use consultants if possible; and identify other personnel at risk who could be offered retention bonuses. The latter could be at risk of financial constraints, but the company addresses this by keeping a contingency budget ready for such an eventuality.

What emerges is a complete story of what dangers the company faces and how it is reacting to all of them. This is a much more powerful analysis than the traditional risk, impact and mitigation model.

This model can be used for any corporate risks and to build the risk register. Quantification could of course be added if required. This would be shown as the severity x likelihood of the risk happening without any barriers and then again with the barriers that are currently in force. In our example, the risk of key personnel resigning might be 80%, and this might be judged to cause £10m of damage, ie an unmitigated weighted risk of £8m. You might conclude that with the barriers in place, the residual risk would be 30% and a likely damage of £5m, giving a mitigated risk of £1.5m.

Annual Report

The full model would be too big to include in an annual report, but could be summarised in this way:

[Image: bowtieannreport.jpg]

This format is a useful summary, but the full model is better as a management tool in visualising and explaining the stages of risk management.


Planning for risks and risk management needs to be done on a detailed and specific level. Generalisations won’t work. Too much risk work that comes to boards is rife with generalisations and bland ‘mitigations’. The bow-tie model, developed in industries that deal literally with life-and-death safety risks, forces a proper step-by-step plan of risks, management processes and actions that either reduce the risk or ameliorate the impact if the risk crystallises, as well as an understanding of the reasons why those actions might fail. This model has a great deal to offer companies in sharpening up their understanding and presentation of corporate risk management.


Simon Laffin

1 The risk was ‘Contract management’ and the company was Carillion plc. These quotes are from their last (2016) annual report.




Carillion – What can we learn?

Carillion vans

The collapse of Carillion was a tragedy, especially for its 45,000 employees and 25,000 pensioners. In an earlier article, I looked at its last Annual Report to see if there had been clues that could have tipped readers off to the impending catastrophe. Since then, we have had Select Committee hearings and Carillion’s January 2018 turnaround Business Plan has been released. This now gives quite a bit more colour to understand better what happened and what lessons can be learned to improve corporate reporting.

This was a business with a yo-yo strategy and difficult execution

In 2009, Carillion had a strategy review, which concluded that it should halve the size of its UK construction business and double the size of its Middle East and Canada businesses. By 2013 however, Carillion changed its strategy again, and stopped bidding for work in Canada (other than PFI) and would no longer bid for traditional construction work in the Middle East (unless export finance was agreed). However, it seems that the die was cast and long-term contracts already signed in Canada and the Middle East proved fatal in 2018.

It wasn’t just a faulty strategy that was the problem. Its rescue Business Plan¹ in Jan 2018 concluded: “The Group had become too complex with an overly short-term focus, weak operational risk management and too many distractions outside of our ‘core’”.

When things went wrong, they appear to have gone wrong quickly

Carillion signed off its Annual Report in March 2017. At that time, cash was “…broadly in line with the budgeted position for the first couple of months of the year…” (recalled Keith Cochrane², then a non-executive director, later Interim CEO from July 2017). At the AGM on 3 May 2017, Richard Howson, Cochrane’s predecessor as CEO, announced³ to the markets that “trading conditions across the Group’s markets have remained largely unchanged since we announced our 2016 full-year results in March.”

However, at ‘the beginning of May’² the board learned that the internal reporting of contracts had been incorrect, with management accounts netting off receivables and payables, and therefore reducing the apparent cash risk. The board then commissioned the external auditors (KPMG) to conduct a review of the accounting. This concluded that the published accounts had correctly grossed up the amounts, but that the internal reporting was wrong. This, however, sufficiently unnerved the board that it then commissioned a second report from KPMG, initiated “around the end of May”², to examine the cash recoverability of its largest contracts.

This second KPMG review, “driven largely by a deterioration in cash flows on a number of major contracts, which occurred particularly as we went through Q2” (according to Keith Cochrane²), concluded that there needed to be an £845m provision made.

The provision was announced⁴ to the markets on 10 July 2017. The auditors⁵ concluded this some four months after signing off the original accounts.

The business had major risks that weren’t clear from their Annual Report

Zafar Khan, Carillion’s short-lived CFO from January to September 2017, told the Select Committee²:

“If you look at the 2016 annual report, and if you look at the key risks identified within that, my view is that the setbacks and issues that we experienced in 2017 were largely related to the risks that we had set out in the 2016 annual report. What was not anticipated at the time was the number of risks that crystallised in the end, and also the quantum of the impact that we had to deal with.”

However, it seems that 6 to 8 long term contracts came to a scheduled end in 2017, but this had not been flagged in the 2016 annual report⁶. Khan explained²:

“Another factor that I do not think has been given enough attention is that, going into 2017, we had a number of large-ish contracts in our UK construction business that were coming towards completion…We had a good pipeline of opportunities…”

The top risks disclosed in the annual report were;

  1. Work winning
  2. Contract management
  3. Pension liability
  4. Brexit

But the risks that seem to have brought the company down were in fact;

  1. Contract management
  2. Working capital management
  3. Excessive cash outflow breaching debt facilities

All of these are of course linked, and stem from the fundamental problem of poor contract management. Carillion’s stated⁶ mitigations of the contract management risk were:

Adoption of rigorous policies and processes for mobilisation, monitoring and management of contract performance. Regular performance reviews…Independent peer reviews of contracts…and contract health checks undertaken by internal audit

These mitigations don’t sit easily with admissions now being made by directors.

Long term construction contracts are difficult to manage

Long-term contracts have many complexities and risks, not least as changes are made over several years with cash flow trailing. Keith Cochrane explained²: “If you take the Qatar job…this is a job that had doubled in size. It had 2,500 design variations to it, and essentially we were not paid for 18 months prior to the business failing.”

Richard Howson gave an example² of Crossrail. The initial contract was for £30m, but by the end of 2014 costs were £90-£100m, with Carillion having been paid only £76m. The final revenue was eventually agreed at £100m and the rest of the cash received at the end of the contract.

Zafar Khan put it bluntly²: “Carillion has some quite large contracts…and cash flows on those can change over a short period of time.”

Carillion had to finish long-term construction contracts as it got full payment only at the end, and on many contracts, if it walked away the client could appoint another contractor thereby also losing performance bonds. Carillion didn’t have the right to suspend work on the Qatar contract. The Qatari client, in dispute with Carillion, appointed another contractor in June 2017 to complete the works at Carillion’s cost, also jeopardising its £54m performance bond.

But Carillion contributed to the problems

Philip Green, the Chairman, admitted²: “There were some examples where negotiations around the contract itself were done too quickly, and the lesson learned was that if we had spent longer on the actual negotiations, some of the risks may well have been able to be mitigated.”

Carillion found it difficult to collect cash due on some of its contracts

Keith Cochrane said²: “…as it (the group) sought to exit from certain key markets and start to refocus itself on its core, that required us to take a different perspective on our ability to collect outstanding receivables in those markets.”

But then he suggested² operational issues:

“…there was a lot of focus on reported debt across the business. Was there the same focus on collecting cash, day in, day out…?”

There were concerns about the accounting

The new CFO, Emma Mercer, appointed in September 2017, told the Select Committee² that she saw “slightly more aggressive trading of the contracts” than in her previous experience.

“As part of Keith’s strategic review, we had changed the way we were looking at some of the services contracts, and that resulted in an increased position at the end of September, in terms of an additional £200m of provision.” Confusingly, the interim results⁷ published that month described this provision as having “minimal impact on cash”.

Emma Mercer explained² about contract accounting:

“…you have to exercise judgement over all sorts of things: when the contract is going to get finished; how much we are going to receive; if we are claiming against anybody; what entitlement we may have…both the number of contracts we were taking judgement on and the size of those judgements had increased….when we saw the deterioration…because we were already at a more aggressive position, it was very difficult to withstand those deteriorations on those projects.”

The numbers were huge

The May 2017 contract review led to an £845m provision being made. Of this, £375m related to the UK and £400m related to Canada and Middle East, particularly in Oman and Qatar. The Qatar contract alone owed £200m.

In total Carillion wrote £1.1bn off against its contracts, including £215m related to service contracts. In 2017, net debt increased by £850m, £1.1bn higher than expected. It used £834m working capital (of which £371m related to 9 construction contracts). Average net debt was £886m. It then projected¹ to use another £234m working capital in 2018 and 2019, including £325m related to nine construction contracts. On top of this, it planned for another £131m of cash restructuring costs in 2017-19.

Carillion ran out of cash and debt facilities

Carillion tended to focus on ‘cash conversion’, ie underlying cash inflow from operations divided by underlying cash from operations. This seems a strangely static snapshot view for a business based around long-term contracts with complex cash flows. The ‘cash conversion’ over the three years to 2016 was 119%, 104% and 117%, appearing to show a healthy cash generation. But year-end net debt was actually flat over that period at £219m. Underlying cash from operations of course excludes all the bad news; pension top-ups, non-recurring items, interest, tax and capital expenditure.

Reducing net debt was stated as being a key objective in the 2016 annual report, but the amount of net debt wasn’t then given as one of its 14 key performance indicators. Furthermore, focusing on year-end net debt was of little value when you realise that average net debt was more than double this.

In the 2016 annual report, debt facilities were stated as £1.4bn. With only £85m to mature in 2017 and additional funding secured after the start of the year, facilities should have been still around £1.4bn when Carillion went into compulsory liquidation. On 30 June 2017, Carillion had net debt of £571m. We now know¹ that average net debt during 2017 was £886m. In December 2017, it announced⁸ that it had got agreement to defer covenant testing (probably net debt to Ebitda) until April 2018, suggesting that it was at least close to breaching them. Net debt actually rose by £791m in 2017, driven by £834m of working capital outflow.

Using nearly £800m of cash on top of a year-start net debt of £200m would imply a year-end net borrowing of about £1bn, against £1.4bn of facilities. If you add the cash outflow to the 2016 average net debt of £587m, this suggests a pro-forma average debt of £1.4bn. It is therefore easy to imagine that their peak debt outran their facilities of £1.4bn. The fact that the average net debt at £886m was so much lower than this implies that there was a serious ‘run’ on working capital towards the end of the year.

So what lessons are there for reporting from the collapse of Carillion?

Companies should be more balanced in writing about themselves

The Strategic Report must, by law, contain a fair, balanced and comprehensive analysis of the company’s development, performance and financial position.

I suspect that there is a growing practice of annual reports being written by professional writers, thereby becoming increasingly an arm of the PR/communication industry. Carillion’s text in its annual report boasts about pretty much every aspect of their business. This is little different to most annual reports. But in Carillion’s case, ex-directors are now making statements that do not sit comfortably with what the board wrote so recently in the annual report.

An annual report is never going to be an impartial review. What organisations, including regulators and politicians, ever write impartial reviews of their own performance? This is difficult to legislate for, but it may be appropriate to hold directors to account if something goes seriously wrong that is not discussed as a risk in the annual report.

Discussion of risks needs to be integrated into the whole report

The risk section in the annual report is of little use. Carillion is typical in that it lists ‘top’ risks and then gives mere platitudes about mitigation. The mitigation section gives no feel of the real risk, or the ability to avoid or reduce the impact of the risk occurrence. As is standard practice, its declared risks are listed together in a few tedious pages. There is insufficient information for the reader to become better informed, even if bothered to read the whole thing.

The key to risk management is to integrate it into decision-making, not to ghettoise it as a separate activity or schedule. Annual reports would be much more informative if they tackled each risk together with the relevant business activity or segment. For example, the section on construction contracts could have had a discussion of their inherent risks. At the very least, every risk should have a discussion of how the company reduces the chance of the risk happening (“avoidance”), how it will know when things are going wrong (“detection”); and how it would react if the risk did crystallise (“mitigation”)⁹. Risks also require numeric quantification as well as words.

Cash needs to be taken even more seriously

Carillion’s use of cash conversion (underlying operating cash flow/underlying operating profit) was not fit for purpose. It excluded too many cash items and did not reflect the complex cash flows of its long-term contracts. It’s impossible to define a single cash metric for all businesses, but companies should think hard about how to communicate cash effects. Carillion could have shown segmental cash flow and return on capital. This might have provided some warning about the cash flow characteristics that eventually proved fatal.

There is far too much emphasis on year-end cash. Businesses fail when their peak cash usage breaks through facilities. Companies should be more explicit about average and peak debt, and explain why if this differs significantly from year-end levels.

The viability statement was introduced to give some comfort on future cash flows and debt over a period longer than a year. Regulators have tended to fixate on the length of the look forward, but actually this misses the point. As a result, half of Carillion’s viability statement⁶ is justifying its looking forward only three years. But this business didn’t start to deteriorate years later. It apparently started the month after the annual report stated⁶:

“On the basis of both reasonably probable and more extreme downside scenarios, the Directors believe that they have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three-year period of their assessment.”

It’s clear that without some quantification of the assumptions made and scenarios tested, the viability statement assurance is of very limited value.


The Carillion annual report is a very typical one, glossy smooth talk and adhering to the rules, regulations and corporate governance requirements. However, it is also an example of the inadequacies of such reports. It fails to convey adequately the risks that the business was running, its volatile working capital and long-term working cash flows.

Some changes that would help in reporting are;

  1. Companies need to be more balanced about their company, talking about downsides as well as the wonders. Boards should take back writing and editorial rights from copywriters.
  2. Strategy and segmental performance sections should discuss risks, cash flow, and capital employed. The current risk section should be broken up and risks tackled in the relevant section of the body of the report.
  3. Discussion of the risk appetite should be integrated into the strategy section.
  4. Discussions of risks need to be more detailed, covering at least avoidance, detection and mitigation, with numeric quantification.
  5. The going concern and viability reviews should require more detail and quantification of how they have been stress tested.

This isn’t just about the annual report. This would also help to focus board discussions and potentially alert directors to looming issues. Risk management has to be a major part of every management and board discussion, not just a periodic review by a committee and internal audit.


1 Carillion Business Plan January 2018

2 Business, Energy and Industrial Strategy and Work and Pensions Committees; Oral evidence: Carillion, HC 769, Tuesday 6 February 2017

3 RNS issued 3 May 2017

4 Trading Statement 10 July 2017

5 The FRC has opened an investigation in relation to KPMG’s audit of the financial statements of Carillion plc. The investigation will cover the years ended 31 December 2014, 2015 and 2016, and additional audit work carried out during 2017.

6 Carillion Annual Report 2016, published March 2017

7 Carillion Interim Results 29 September 2017

8 Carillion RNS statement 22 December 2017

9 This methodology for reviewing risks is discussed in my blog