Author Archives: Simon Laffin Business Services Ltd

About Simon Laffin Business Services Ltd

Chairman of both Flybe Group plc and Assura plc.

Sexing up the statistics. Who needs facts?

Female CEOs

“Want Higher Profits? Hire a Female CEO, CFO”. The article headline caught my eye. Aren’t we all looking for a magic ingredient that can guarantee financial success? I think that women are disadvantaged and undervalued in business. And this doesn’t have to be the case. The last CEO I appointed was a woman – in a male-dominated industry – and the last board I chaired had a majority of female directors. So, I read this article with great anticipation.

The article is based on a research report[1] by S&P Global, entitled even more eye-catchingly: “When Women Lead, Firms Win”. This is shown by the statistic that: “In the 24 months post appointment, female CEOs saw a 20% increase in stock price momentum…”

So, your investment strategy should be to buy stocks with newly appointed female managers! Ah no, the report rebukes you for drawing this obvious conclusion; “…we admonish the reader to interpret the results as a descriptive analysis, relevant from a governance standpoint, but not providing evidence of a predictive trading signal.” Maybe they don’t quite have the confidence in their own research?

The study goes on to suggest that one driver of female-led out-performance is that females are held to a higher standard than males, so like-for-like female executives are better: “…females in C-suite positions are consequently more talented.”

Naturally, I wanted this all to be true. But something about the scale of the claim and the certainty didn’t ring true. I wondered if the statistics were that definitive? Had those headlines been sexed up?

The research study

The study[2] is a large one, based on the Russell 3000, a benchmark for the whole US stock market, over the last 17 years and encompassing over 5,800 new executive appointments, of whom 90% were male. It looks for changes in company performance in the two years[3] post a female executive appointment[4].

In summary, the results seem to show that;

  1. The sex of a newly appointed CEO does not have any effect on the market capitalisation of a business.
  2. New female CEOs have a better record than males in improving the valuation[5] of a company over their first two years.
  3. There is no significant difference by sex for new CEOs in levels of capital expenditure, profitability[6], or 12 month share price momentum. However, new female CEOs’ companies have greater share price momentum over 6 months.
  4. Companies with new female CEOs appear to reduce the level of their balance sheet accruals compared to those with new male CEOs (However, given that female CEOs on average inherit significantly higher accruals than their male equivalents, this is quite likely to be a case of reversion to the mean).
  5. Companies with new female CEOs increased leverage more than those with new male CEOs[7].

What conclusions does the research make?

Sadly, the research makes the most basic of statistical errors. Correlation does not imply causation[8]. The fact that two sets of data appear to move together does not prove that one causes the other. This is particularly pertinent where both different results are cherry-picked to highlight those that fit the argument, and there is not a robust hypothesis tested to explain the mechanism involved.

The research’s headline claim is that female CEOs deliver a 20% increase in share price momentum. However, this is only true looking at the 6 month momentum. Even then, this result is statistically ‘significant’ at only the 90% level, well below the standard test of a 95% chance of it not being a random event. The 12 month momentum shows improvement of less than half the 20%, and is not significant at any level.

The next major claim in this research is that new female CEOs improve their company valuation (ie reduce the book/market value ratio) over their first two years versus those of new male CEOs. However, the research finds no evidence of a significant gender-related improvement in market capitalisation, share price momentum or profitability, and so it’s not clear where this rating improvement derives from. One answer could be in the finding that new female CEOs increase leverage, which can assist in improving company valuations, whilst raising financing risk.

Confusingly, the graph of average residual returns in the research appears to show that new female CEOs’ companies are generally under-performing against equivalent males. This finding, whilst unlikely to be statistically significant, seems to undermine the central conclusion.

[Figure: graph of average residual returns]

So where did those headlines come from?

Contrary to the article headline, the research does not claim that female CEOs deliver higher profits. However, the research itself is also guilty of wish-fulfilment and outcome-seeking. There is no evidence that “When women lead, firms win”. In fact, the predominant evidence is that the sex of a new CEO is not a significant factor in company success. This is as you would expect. If sex were a dominant factor, life would be so much easier for Nomination Committees. Business – as with everything in life – is so complex that no one factor about a person is likely to have an overwhelming predictive effect on a company’s performance.

The research’s major claim is that new female CEOs see a 20% increase in stock price momentum. However, the report’s own data doesn’t support this conclusion[9], nor would this be a robust long-term performance indicator in the absence of any improvement in either profitability or market capitalisation[10].

Is it still possible that the average new female CEO is better than their male equivalent?

It is certainly possible that new female executives are better than equivalent males, and it is possible that female CEOs drive superior company performance. It is possible that the data on financial performance is so noisy that it would not be evident statistically. However, at this stage, there is no robust evidence for this.

It is also possible that females are discriminated against so that they have to be superior in ability or experience to male equivalents in order to get promoted to senior roles. The research uses a crude analysis[11] of executive biographies to conclude that females are ‘more talented’ than male equivalents. The research here fails to distinguish between ability and experience. There is no reason to believe that females are innately better executives than males, but they may well suffer discrimination. As a result, women may find they need more experience or more talent, compared to a male candidate, to get the top job. Also, in having and caring for children they may well end up with less management experience than similarly aged male executives. All of this suggests that females deserve some positive discrimination in appointing them with less experience than their male equivalents might have.

Conclusion

This is one of many pieces of research[12] that appear to be aimed at proving that females outperform males in senior roles. Studies like this should be invaluable sources of understanding about how business works, how prejudice harms decision-making and how business can create value. However, wish-fulfilment, the selective use and hyping of inconclusive statistics helps no-one, merely pandering to media and political prejudice against business.

I think females are discriminated against and constitute vast under-utilised talent. The fact that we can’t prove it doesn’t mean it isn’t true. We need to work hard to counter prejudice and promote women.  We don’t need sexed up headlines to tell us that this is the right thing to do.

 

Simon Laffin

Notes

1 https://www.spglobal.com/en/research-insights/featured/when-women-lead-firms-win

2 The statistics are difficult to interpret, particularly how exactly the performance measures are calculated and presented, with little explanation or definition provided. I have interpreted them to the best of my ability in their absence.

3 Two years appears to be a random time frame.

4 The research also looks at new CFO performance, but for simplicity I have focussed on the CEO analysis. If sex were a significant indicator of executive success, you would expect to see that primarily in CEO performance.

5 Defined by market capitalisation divided by accounting book value

6 Defined as Gross profit or EBITDA as % of book assets

7 Interestingly, this is counter to many commentators’ claims that females are more risk-averse and would be more conservative in running companies, particularly in financial services.

8 See for example for more explanation: https://towardsdatascience.com/why-correlation-does-not-imply-causation-5b99790df07e

9 The research claims that; “These results are economically and statistically significant.” However, this would only be true if the research had started out with a hypothesis that female CEOs improved stock price momentum and then found that the data supported that. In fact, it looks as if the researcher selected seven measures of performance and alighted on the only two that gave him the answer he was looking for. It has two measures of stock price momentum and he has selected the one with a result that fits its conclusion. Tests of statistical significance are based upon the likelihood of something happening against a random event. If you choose a measure because you like its outcome, you cannot rank it against a random event, precisely because you selected it. Statistical significance doesn’t work on a ‘pick and mix’ basis.

10 The research does not provide a hypothesis as to how share price momentum is boosted despite there being no improvement in either market capitalisation or profitability.

11 It looked for words in biographies of male executives in companies with ‘positive excess returns’ and then judged the quality of female CEOs by counting the occurrence of these same words in their biographies.

12 The research claims; “The analysis presented herein is one of the most comprehensive examinations, by breadth and time horizon, of gender diversity, to-date.”

Response to consultation on Market Study on Statutory Audit Services

I am responding to the request from the Government for views on the recommendations by the Competition and Markets Authority on the market for Statutory Audit Services. This submission is made in a purely personal capacity.

Over the last 25 years, I have been chairman or director of ten different companies, from small privately owned to FTSE100, participating in over 200 audit committee meetings. I have never worked for an auditing firm, big or small. I am now a non-executive director/Chairman of the Audit Committee at Watkins Jones plc and Chairman of the Audit Committee of Dentsu Aegis Network, as well as a private investor.

Introductory Comments

There needs to be a clearer understanding that audit is a regulated statutory service. As such companies and stakeholders should rely on the regulator to ensure high quality standards. Failings in the quality of audits are primarily the responsibility of the audit firms and their regulator, not company audit committees. Audit committees should be responding to issues that they see in the conduct of their own audits, and should be allowed to select their auditor based on their own criteria. If shareholders are unhappy with this, then they have the power to influence boards and ultimately vote directors out if necessary.

The CMA Report is heavily UK-centric, failing to take full account that the Big 4 have international arms and associates and that most FTSE350 companies are international. It does however recognise that the dominance of the big 4 firms is an issue that must be tackled globally, or at least on a European basis. It is not tenable to argue that the global oligopoly of the Big 4 can be successfully challenged by measures that affect UK-based firms only.

The CMA report provides no analysis as to why the market has become so concentrated (although its predecessor body contributed significantly by allowing the merger of Coopers & Lybrand and Price Waterhouse in 1998). As a result, the report sheds no light on what will happen if the joint audit proposal is implemented, diverting significantly more revenue to non-big 4 players. How will they react? Will this artificial subsidy turn the non-big 4 into real challengers? The answer is that no-one knows. This is a poor basis for a major change to affect virtually all our 350 largest companies. The CMA should have recommended that this proposal be trialled first to learn what happens rather than rush to rollout a significant untried policy measure.

The most effective and fastest way to increase competition in this market would be to increase competition within the big four by ensuring that each of the big four can always compete for an individual audit. This is not currently the case as often a company already uses one or more of the big 4 to provide tax, advisory or internal audit services. The CMA recommendation to require some form of split between the audit and non-audit services of the big 4 is therefore the strongest recommendation and the one most likely to provide more choice in the short term. The government should also lobby internationally for other countries to require a similar split.

Arguably, the best opportunity for non-big four firms to increase their competition against the big 4 would be by investing in their non-audit work. Developing a strong tax practice or due diligence team is likely to be easier than trying to compete for audit work, particularly as the latter tends to require a strong international network.

Detailed responses to questions posed by the Government

  1. Do you agree that the new regulator should be given broad powers to mandate standards for the appointment and oversight of auditors, to monitor compliance and take remedial action? What should those powers look like and how do you think those powers would sit with the proposals in Sir John Kingman’s review of the Financial Reporting Council?

The CMA has not provided any guidance as to what form the ‘standards’ for the appointment and oversight of auditors would be, and therefore there is no basis for this being new powers for a regulator. UK corporate governance hinges on boards, and particularly non-executive directors, exercising their fiduciary duty to operate the company on behalf of members and other stakeholders. There is no evidence in the report of widespread failure by boards to do this. Nor is there any analysis of why individual auditing failures have emerged. Regulation of statutory audit is not the role of boards, who have in fact been let down by the failure of the regulators themselves to do their job. It is therefore somewhat ironic to have regulators trying to increase their own powers to regulate boards with regard to audit quality.

  1. What comments do you have on the ways the regulator should exercise these new powers?

These new powers are not justified by any evidence and so should not be conferred on a regulator.

  1. How should the regulator engage shareholders in monitoring compliance and taking remedial action?

Shareholders should be engaging with boards directly themselves.

  1. What would be the most cost-effective option for enabling greater regulatory oversight of audit committees? Please provide evidence where possible.

The case has not been made for greater regulatory oversight other than by shareholders themselves engaging with individual companies.

  1. Do you agree with the CMA’s joint audit proposal as developed since its interim study in December?

The CMA’s joint audit proposal does not have an evidential basis. Joint audits are voluntarily used by a few companies, but are mandatory only in France. The actual evidence shows very mixed results. For example the Lesage, Ratzinger-Sakel, Kettunen study, ‘Struggle over joint audit: on behalf of public interest?’ concludes that;

“we do not observe a higher quality associated with joint audit, neither on the Danish sample (main analysis) nor on the matched FRA/GER [France/Germany] sample.”

The CMA admits that the effect on quality ‘should be at worst neutral.’ (Final Summary Report. P10). This is hardly a ringing endorsement for a major proposal to improve audit competition and quality.

The CMA’s main objective is to increase revenue for non-big Four firms. It is akin to them mandating that shoppers must purchase half their groceries from an independent convenience store, rather than a supermarket. This proposal would by definition lead to the non-big four firms getting more audits, but is by way of a large subsidy to them rather than through increased competition. There is no guarantee – and no evidence identified – that this will improve the quality of non-big four audits, as opposed to swell their partners’ incomes.

This proposal would be a very substantial change to UK audits and incur considerable extra costs. An incumbent big Four firm is very unlikely to reduce its fees in order to fund a smaller competitor duplicating some of its work. Companies will have two sets of auditors reviewing the same accounts, slowing the process and consuming management time. It would take a long time for the non-big 4 to grow their headcount to cope with even 30% of the audit work of the FTSE 350. The CMA interestingly has made no attempt to model out how much this work would be, how long it would take for the non-big 4 to be in a position to resource this, nor whether such pace of expansion required is feasible.

The CMA has failed to show any evidence that this proposal is likely to be either successful or proportionate. In the absence of this evidential basis, the most that should be proposed is a trial for certain companies or sectors to see if joint audits do have the benefits claimed. This should be followed by a very gradual roll-out if it is deemed successful. This would also give more time for the non-big 4 to resource up.

  1. Do you agree with the CMA’s proposed exemptions to the joint audit proposals? How should the regulator decide whether a company should qualify for the proposed exemption for complex companies?

Whilst I believe that the joint audit proposal is a costly and disproportionate measure, I do not see the argument to exempt complex companies. This measure would be most cost/benefit effective if applied precisely to the largest companies and largest audits, as they would transfer most revenue to non-big 4 companies per audit affected. The more complex the audit, the more the learning should be transferred to smaller firms.

  1. Do you agree that challenger firms currently have capacity to provide joint audit services to the FTSE350? If a staged approach were needed, how should the regulator make it work most effectively? If not immediately, how quickly could challenger firms build sufficient capacity for joint audit to be practised across the whole of the FTSE350?

Obviously non-big 4 firms would need both to recruit new staff and to improve the overall quality of the staff that they currently have. Inevitably this would require large scale recruitment by them from big four firms. It might well mean that non-big four firms would also have to resign from smaller audits in order to resource the new audits gained. The main results are likely to be inflation in pay for auditors and partners, with a modest growth in non-big 4 headcount. Audit quality is likely to suffer as big four firms lose staff and non-big 4 firms struggle to upscale. Accordingly, the Government would be taking a major risk in mandating a large scale roll out of this proposal.

As suggested above, a pilot scheme involving a relatively small set of large companies would be the optimum next step to see if the remedy works without causing widespread disruption.

  1. Do you agree with the CMA’s recommendation that the liability regime would not need to be amended if the joint audit proposal were implemented?

If both firms were jointly and severally liable, they would need to review each other’s work. It seems unlikely that they could place reliance on the other’s review. This would reinforce the duplication of effort and increased costs of this proposal.

  1. Do you have any suggestions for how a joint audit could be carried out most efficiently?

A joint audit is inherently inefficient, particularly when its main purpose is to give more work to smaller players in the market.

  1. The academic literature cited in the CMA’s report suggests the joint audit proposal would lead to an increased cost of 25-50%. Do you agree with this estimate?

This sounds plausible.

  1. Do you agree with the CMA’s assessment of the alternatives to joint audit, including shared audit?

No comment.

  1. How strongly will the CMA’s proposals improve competition in the wider audit market, and are there any additional measures needed to ensure that those impacts are maximised?

The CMA’s proposals will cause significant dislocation in the audit industry as non-big 4 firms try to grow to meet the increased number of audits required, poaching staff from the big 4. Overall audit quality is likely to therefore decrease, not helped by the inefficiency of having two auditors.

  1. Do you agree with the CMA’s proposals for peer review? How should the regulator select which companies to review?

The CMA argues that there should be a non-big 4 peer review for audits that are too complex for a non-big 4 firm to jointly audit. This seems illogical, especially as the inexperienced non-big 4 firm will have no liability for the outcome. How different is this from a regulator’s Audit Quality Review (AQR)? What value would the peer review have? The peer reviews would report only to the regulator, but if they are not shared with either the auditor or the Audit Committee, how can the regulator get a balanced view of the value of said peer review?

  1. Are any further measures needed to ensure that the statutory audit market remains open to wider competition in the long term?

It is likely that forcing a split between audit and other services would be the most effective and low risk measure to improve competition. This would enable companies to have a fuller choice between the big 4, reducing the times that one or more is ruled out through a conflict of interests.

  1. What factors do you think the regulator should take into account when considering action in the case of a distressed statutory audit practice?

As the CMA recommends, the regulator should take a close interest in the viability of the big 4 and act early in the unlikely event that one appears to be failing.

  1. What powers of intervention do you think the regulator should have in those circumstances, and what should be their duties in exercising them?

No comment.

  1. Do you agree with the CMA’s analysis of the impacts on audit quality that arise from the tensions it identifies between audit and non-audit services?

I have not seen any evidence that audit quality is affected by ‘tension’ between audit and non-audit services. There are in fact benefits from the cross-fertilisation between audit and non-audit in sharing knowledge and career development. However, the overwhelming argument is to split them organisationally to increase effective choice for audit clients.

  1. What are your views on the manner and design of the operational split recommended by the CMA? What are your views on the overall market impact of such measures?

The proposals for an operational split seem sensible.

  1. Are there alternative or additional measures which would meet these concerns more effectively or produce a better market outcome?

No comment.

  1. Do you agree with the CMA’s proposal to keep a full structural separation in reserve as a future measure?

Yes.

  1. What implementation considerations should Government take into account when considering the operational split recommendations? Please provide reasoning and evidence where possible.

No comment.

  1. Do you agree with the CMA’s other possible measures? How would these suggestions interact with the main recommendations? How would these additional proposals impact on the market?

Limiting notice periods and non-compete clauses for big 4 firms seems sensible. The other proposals appear somewhat peripheral. Moving audits to a fixed term of seven years would be unnecessarily intrusive, but there could be a requirement for a tender every seven years. This however should not be expected to have an impact on big 4 market share.

  1. Do you agree with the CMA’s suggestions regarding remuneration deferral and clawback?

Having the opportunity to clawback auditor remuneration for serious failings discovered later seems sensible and in line with modern corporate governance.

  1. How would a deferral and clawback mechanism work under a Limited Liability Partnership structure?

No comment.

  1. Do you agree that liberalising the ownership rules for audit firms would reduce barriers for challengers and entrants to the market?

It is difficult to be sure how this would work in practice, but it would be worth trialling for a few smaller firms to see how it works.

  1. Do you agree with the CMA’s suggestions regarding technology licensing?

It might work, but you might find a low take up by smaller firms.

  1. Do you agree with the CMA’s suggestions to provide additional information for shareholders? Do you have any observations on the impact of the Public Company Accounting Oversight Board’s database on the US audit market?

This seems harmless, but I’m not sure that there will be significant benefit.

  1. Do you agree with the CMA’s suggestions regarding notice periods and non-compete clauses? Do you agree that the regulator should consider whether Big Four firms should be required to limit notice periods to 6 months?

Yes.

  1. Do you agree with the CMA’s suggestions regarding tendering and rotation periods?

Moving audits to a fixed term of seven years would be disproportionate, but the requirement for a tender could be set at seven years. This however should not be expected to have an impact on big 4 market share.

  1. Do you have other proposals for measures to increase competition and choice in the audit market that the CMA has not considered? Please specify whether these would be alternatives or additional to some or all of the CMA’s proposals, and whether these could be taken forward prior to primary legislation.

The Big 4 could be required to initiate a certain level of secondments of staff into non-big 4 players, in order to boost the latter’s capabilities.

  1. What actions could audit firms take on a voluntary basis to address some or all of the CMA’s concerns?

They could initiate an operational split between audit and non-audit services. They could also have a code of conduct to facilitate movement of staff into smaller players.

  1. Is there anything else the Government should consider in deciding how to take forward the CMA’s findings and recommendations?

The Government has a major role in lobbying for international action to increase competition and quality, as these proposals cannot work if implemented solely in the UK.

 

 

Simon Laffin, 28 August 2019

The Baked Bean Audit

What if the government insisted that every time you bought a tin of Heinz baked beans, you had to buy at least half a tin of Crosse & Blackwell ones too? You would have to explain to the grocery regulator why you chose Heinz, and if it thought that your choice was the wrong one it would mandate you to buy differently, publicly shame you and even take control of your grocery shopping as a punishment. You might not feel so great about it, but there’s no doubt that sales would rise for Crosse & Blackwell, who could then choose to invest the extra cash in improving its product, reducing its costs, or simply pay higher dividends.

The Competition and Markets Authority (CMA) is recommending this degree of intervention and forced joint-buying for the audit industry. The CMA report on the audit industry has many shortcomings; a lack of evidence, poor use of data, and a sharper ear to preferred interest groups. It clearly placed great weight on the views of politicians and investor corporate governance lobbies, but little weight on the views of companies and particularly not to chairs of audit committees;

“There are widespread public concerns about audit quality. While some Audit Committee Chairs (ACCs) and companies questioned whether there was a systemic and significant quality problem, the views of investors – the ultimate customers of statutory audits – were more supportive of our analysis that there is a persistent problem of variable or poor audit quality.”

The CMA suggested – without any evidence – that audit chairs were anyway likely to favour the Big Four if they had previously worked for them;

“The presence of ex-Big Four employees on Audit Committees is perhaps unsurprising given that the Big Four do employ a disproportionate share of financial professionals…However, it raises questions about whether Audit Committee members’ greater familiarity with the Big Four might lead them to favour Big Four firms when assessing audit tenders.”[1]

Few would question that the audit market is too supply-side concentrated in only four companies. But the CMA is suggesting that the problem is demand-side driven. The purchasers of audit are making suboptimal choices, perhaps because audit chairs are just appointing their alma maters. The CMA also got itself into quite a spin trying to understand why ‘cultural fit’ was a helpful criterion for the selection of someone you are going to be working closely with for the next seven years, so it concluded that part of the problem is that audit committees are just looking for a friendly or compliant audit partner.

The CMA couldn’t quite persuade enough people that the choice of auditor should be taken completely out of the hands of the audit committee, but wants the regulator to; mandate minimum standards for the appointment and oversight of auditors; monitor compliance by audit committees; and issue reprimands to ‘non-performing’ committees. The CMA is silent on what those standards are, how the regulator will monitor them and how it can be sure that a regulator’s view will be superior to experienced directors working with the business and elected by shareholders.

The dual buying/joint audit remedy will increase cost and complexity for companies, but will also force revenue and market share towards smaller audit firms. This will, by definition, reduce market concentration. It may prove successful in increasing long-term audit competition if those non-big 4 firms seize the opportunity, or it may just be a long-term subsidy to possibly lower quality players, depending on how good the non-big 4 really are. In any case, the CMA has launched the project in the certain knowledge that it won’t be around to take responsibility by the time we know the ultimate outcome.

What worries me is the dismissive attitude that the CMA, regulators and politicians have for non-executives and the audit committee in particular. Independent non-executives are the key to our modern corporate governance, and yet the CMA wants audit committees to be supervised to an extraordinary degree. Auditor choice is to be mandated with joint audits and the process is to be reviewed by a regulator, who can ultimately take over the appointment decision. What would this say about the quality and integrity of our non-executives?

Even more concerningly, what does it say about the state of our regulators? Following the recent accounting scandals, regulators have lost faith in our basic corporate governance, whilst becoming more confident of their overriding wisdom. Most audit committees feel that the accounting scandals have demonstrated that the quality of regulation of audit firms is poor and needs to be drastically improved. But here we have regulators concluding that the answer is in fact more and wider regulation extended to audit committees.

Audit committees do need to face up to questioning, but it needs to be thoughtful. Do we expect audit committees to find fraud and accounting irregularities, if neither management nor auditors spot them? Do we expect boards to provide complete assurance that no company will ever go bust? How do we help boards to identify risks in their companies that might be signs of poor accounting practice or future financial instability? To help answer those questions, government needs to work with boards to understand better the issues, not just extend regulation and threats;

  • Does the audit industry need more or just better regulation?
  • Do we hold boards primarily accountable for running companies, or do we need to regulate them more?
  • Do we trust non-executives to provide sufficient independent challenge on boards, or do we side-line them by regulating more?
  • How do we help boards to identify and manage financial and accounting risks?

Otherwise we are back to the government deciding it knows best which baked bean is right for us.

 

 

1 This is a proposition that of course the CMA could have tested, but chose not to.

 

 

My response to the Competition and Markets Authority Invitation to comment on the inquiry into the Statutory audit market


 

I am making this submission in a purely personal capacity. Over the last 25 years, I have been Chairman or a director of ten different companies, from small privately owned to FTSE100, participating in some 200 audit committee meetings. I have never worked for an auditing firm, big or small. I am now Chairman of Flybe Group plc, a non-executive director/Chairman of the Audit Committee at Watkins Jones plc and Chairman of the Audit Committee of Dentsu Aegis Network.

 

 

The CMA needs to define what a high-quality audit looks like.

The CMA notes ‘widespread public concerns’, but concedes that part of the problem may be an ‘expectation gap’, where commentators do not understand what an audit is intended to do. However, the CMA doesn’t define what it thinks an audit should achieve and what a high-quality audit should look like, nor is there any description of a ‘poor’ audit. The latter needs to distinguish between concerns that the auditor signed off; a going concern (but the company subsequently went bust); the ‘wrong’ number; a number biased towards management; or where it failed to detect fraud.

The CMA should define clearly its objectives in enhancing audit quality and trace through remedies to show how they would address the specific issues noted.

The CMA should consult with Audit Committees to understand what they think a high-quality audit looks like. They would find that it differs significantly from the quality benchmark applied by the AQR. The latter essentially audits an audit, looking at technical process and documentation. The Audit Committee looks for an audit to identify issues, challenge management’s assumptions and identified risks, propose improvements to controls, and work with management to finalise accounts that satisfy all regulation in a timely manner.

The CMA seems to imply that a poor-quality audit is one where the auditors are lax in agreeing whatever number management wants to declare. However, this is a very simplistic interpretation of quality. The CMA would do better to understand a quality audit in terms of the process of applying technical standards, speediness of response, identification of control and risk issues, collaborative working and good technical judgement. Crucially, only management and Audit Committees are able to judge most of these facets of quality, and they also have the strongest incentives to employ an auditor who can deliver on them.

Most of the ‘public concerns’ stem from a few well-publicised ‘failures’. These are important, but need to be put in the context of many thousands of audits that are completed successfully. If the CMA wishes to address these ‘failures’, it must study them to understand what actually happened. Then it should test its possible remedies to show that they would have stopped, or at least reduced the risk of, these events happening. The CMA needs to be careful not to impose wide-reaching remedies just to address relatively rare individual failures.

 

The CMA needs to be realistic about the failures of previous regulatory interventions and learn from these when proposing new ones

The CMA takes satisfaction that, despite ‘only three years in force, the Competition Commission (CC) remedies have generated some positive change in the operation of the audit market, with increases in both tendering of audit contracts and switching.’ Since retendering and switching became compulsory, it’s not too surprising to see it happening. However, the CMA provides no evidence that this has made a positive change to the market, as opposed simply to increasing churn.

The CMA argues that ‘Alongside this, the FRC has reported broad increases in quality, albeit sampling means that we should be cautious in interpreting a trend over time.’ Indeed, the CMA should be cautious, since the AQR reviewed only 6% of audits within its scope. This included 24 – only 4% of those in scope – at much-criticised KPMG.

The AQR admits; ‘Our report focuses on the key areas requiring action by the firm to safeguard and enhance audit quality. It does not seek to provide a balanced scorecard of the quality of the firm’s audit work.’ In fact, the AQR targets particular ‘problematic’ sectors for review, underlining that this is not a random sample.

The CMA admits that the objective of reducing the dominance of the Big Four has signally failed. 97% of FTSE350 audits are now performed by the Big Four, up from 95% at the time of the last review.

The CMA should make a balanced appraisal of the benefits of the previous CC remedies. The 2013 remedies imposed significant extra cost on companies and audit firms, and the regulator should feel accountable for those costs being borne by the market to deliver whatever market benefits have been achieved. The CMA admits that the dominance of the Big Four has increased and public confidence is reducing. How can this be reconciled with the CMA’s conclusion of ‘some positive change’?

With a new review and remedies being proposed, the CMA should be fully confident, with real evidence to support, that any new remedies will indeed be effective and proportionate, and will not have counter-productive unintended consequences.

The CMA needs to understand its own limitations in this market

The CMA doesn’t tackle the inherent contradiction between regulation and competition. Since auditors are themselves regulators of financial reporting, is greater competition between regulators going to produce better regulation? After all, there is only one CMA. The CMA must acknowledge that greater competition (even assuming the CMA could deliver this) may not be the solution to improving audit quality. There may be a better solution in improving the regulatory oversight of audits.

Without an understanding of what audit quality is, it is not clear how the CMA will assess the effectiveness of the AQR process (3.21). The consultation says that the CMA will ‘explore what quality means’, but appears to prejudge this by saying it will be ‘building on the CC’s report that quality involves scepticism, objectivity, integrity and independence’ (3.34 d). It then says that “We do not expect to focus our work on theme 1 (Scope and purpose of audit)” (3.46). The consultation is confused and contradictory.

The CMA is correct that there is a lack of choice in selecting an auditor

The question whether there is sufficient choice of auditor is a pertinent one. The CMA will need to address whether this is a UK domestic or international problem. There may be little point in designing a solution for the former, if the problem is the latter, or if addressing the former makes the latter more problematic.

The CMA should also be aware that some companies now feel that they have reduced choice as some audit firms are actually competing with them (3.25). For example, the booming area of data analytics, increasingly being offered by the Big 4, is also a key business area for many media, IT and consultancy companies. Can you be regulated by another party that competes with your business, and do you want to open up your business to a competitor?

The CMA analysis of auditor selection and perverse incentives is naive and not backed by evidence

The demand for independent external audit arises from the social or stakeholder need for reliable financial information, not just shareholders’ needs (para 3.4 as then noted in para 3.5). This sets up a false analysis of incentives. To say that ‘the auditor is selected and paid by the company’ (3.8, error repeated in 3.18) is to ignore corporate governance that forms the heart of UK listed company regulation. The auditor is selected by independent non-executive directors, not the company.

In any case, the proposition that management only wants low prices and shareholders only high quality is naïve and not backed by any evidence. In my experience, management wants a quality audit above everything else. The consequences of having to deal with poor quality auditors during the highly time-pressured Results process are significant. The dominance of the Big Four in winning tenders reinforces that companies put a high value on their perception of quality, as smaller audit firms usually charge less and may be in a weaker position faced with management pressure. Management has to work with auditors. It is unlikely that they would seek out poor quality audit.

The scope and purpose of audit may be determined by international rules, but the CMA should try to understand what value companies expect to get from an audit. In the ten or so audit tenders in which I have participated, audit firms place little emphasis on how accurately they apply requisite standards. This is rightly taken as read, with the emphasis on a quality service to the company. Furthermore, the general attitude of audit committees in a tender is to select the best audit firm and then negotiate the price, not vice versa.

 

The scope is aimed at large listed companies, but the market is much bigger than this

The scope will be large companies. Why is the scope limited to large companies (3.46)?

The concerns about agency are much reduced in private companies, especially where management may be very close to shareholders, but again there may not be independent non-executives running an audit committee. However, the vast bulk of the consultation is devoted to large listed companies, so how will the CMA fully understand the position in private companies?

The CMA should avoid designing remedies just for the FTSE 100 that then get applied inappropriately to the whole market for audit services.

The potential outcomes may be counter-productive

The list of potential remedies emphasises the difficulty of applying competition solutions to a regulatory issue. There is undoubtedly a competition issue in that dominance of the Big Four reduces effective choice for companies. However, earlier, well-intended regulatory reforms have actually made this worse. The CMA’s forerunner, the Monopolies and Mergers Commission, waved through the merger of Coopers & Lybrand and Price Waterhouse in 1998, reducing the Big Six to Big Five, despite much protest from industry. The restrictions on non-audit work by auditors have actually reduced choice and mandatory tendering has in fact strengthened the oligopoly of the Big Four.

Several of the remedies suggested are likely to reduce audit quality, for example; by shrinking audit firms to audit only; forcing some companies to take non-Big Four audits (the consequence of a market cap on the Big Four) and forcing inefficient joint audits. Other ideas, such as a regulator appointing auditors, have no coherent connection with increasing choice.

Conclusion

The CMA should;

  1. Define what it means by a quality audit, after understanding what audit committees and management want and value in an audit.

  2. Be clear about the difference between the benefits of competition and higher quality regulation, and not try to achieve the latter by the former.

  3. Recognise the limitations of competition policy and not propose measures in order to be seen to do something under political pressure.

  4. Address the specific causes of public disquiet about audits and test any remedies against whether they would have avoided well-publicised company ‘failures’.

  5. Develop an evidence-based case for any further competition measures that takes explicit account of costs generated and fully understands the possible unintended consequences.

The audit punch-bag: Where is the voice of industry?

Storm clouds are gathering over the audit market. Government, politicians, media and regulators are all queueing up to condemn companies and auditors over the few, but well-publicised, failures of certain companies. Lack of knowledge about the audit process is no bar to these opinion-formers. Meanwhile industry bodies are supine in defending business and signally failing to provide the missing knowledge as to what actually happens and what went wrong.

Having attended some 200 Audit committee meetings across 10 companies of all sizes and ownerships over the last 25 years, I have seen how audits actually work for companies and shareholders.

Is there a fundamental problem with the audit process?

There are hundreds of thousands of audits completed every year in the UK. There has been a handful of, admittedly large, company failures in recent years. There are even fewer cases where an auditor has been found culpable, remembering that it is not an auditor’s job to stop a company failing. There certainly have been issues in auditing, like any business, but it is not legitimate to conclude that the system is fundamentally flawed based on a few examples.

Has greater regulation helped in the past?

In 1998, I, along with many other Finance Directors, pleaded with the then competition regulator, the Monopolies and Mergers Commission, not to allow the merger of Coopers & Lybrand with Price Waterhouse. This, coming soon after the demise of Arthur Andersen, would mean that we would be left with only four global auditing firms. Industry was ignored, as the regulator knew better and convinced itself that competition would be maintained. Move forward 20 years, and the current regulator, the Competition and Markets Authority, is, without a single blush of shame, looking at whether the Big Four are too concentrated. Industry told them 20 years ago that this was a bad thing. What chance that the regulator will listen to industry this time?

The European Union decided in 2014 that the answer would be compulsory tenders and controls on non-audit work. This hasn’t increased competition between auditors and especially non-Big Four, who haven’t won more work. It has created an industry in pitching for new audits, which itself disadvantages the smaller players who cannot afford such expense and who are increasingly not bothering to pitch for larger company work. Moreover, the banning of a company’s auditors from doing non-audit work has actually reduced choice where other Big Four firms are already providing tax, advisory or internal audit services. The choice can end up between two firms, one of whom might then be ruled ineligible as a long-standing incumbent.

In the UK, audit quality is monitored by the Audit Quality Review team, part of the Financial Reporting Council. It reviews about 25 audits for each of the Big Four and a handful each for another four firms. The reviews are effectively an audit on the audit. Although the AQR says that it contacts each Audit Committee Chair at the start and sometimes at the end of each review, there is no evidence in the reports that any weight is attached to their views. For example, the typical Audit Committee concerns; responsiveness, clarity on technical issues and speed are not mentioned in these reports. It is clear that the regulator feels it knows best what makes a good audit.

In short, the evidence is that greater regulation and intervention have proved at best ineffective, largely counter-productive and have actually reduced competition in the audit market.

Is new regulation going to help?

The Government has asked the Kingman inquiry and the CMA to look at aspects of the audit process. There are two key themes; increasing competition in the audit market and looking at a regulator taking over the responsibility for appointing a company’s auditors.

Increasing competition in the audit market

Commentators often wonder why so many companies, especially large ones, principally use the Big Four. The answer is simple. Multinational companies need to be sure that they will get a high-quality audit in all their countries, and the Big Four have the best international networks. Coordinating different auditors in different countries with different technical outlooks and rules is an unwanted significant additional complexity for companies.

There are high quality people in all audit firms, but, from my experience, there is significantly less quality in depth in the non-Big 4. They don’t have the resources, attractiveness and career development that the largest players do. If the objective is higher quality audits, forcing companies to employ less well-suited auditors is a strange response.

Breaking up the Big Four would be very problematic. These are international alliances of companies, so breaking up the UK firms wouldn’t solve the international issue. It is very difficult to imagine that a coordinated multilateral effort could successfully break up the alliances across the world. The Government could encourage or subsidise the non-Big Four to merge, invest, grow their expertise and better develop international partnerships, but this feels pretty tricky. The most plausible change would be to force UK firms to divest all their non-audit work. The auditors worry that this would make audit firms less attractive as employers, and that this would damage audit quality. They may well be right, but industries also have a habit of accommodating such change, not least by increasing salaries.

A regulator appointing auditors

Some believe that companies select auditors who are more malleable to management. However, I can find no suggestion that some auditors are too lenient in any of the AQR reviews of audits, nor indeed any other evidence of this anywhere else. My experience from seven tenders that I have participated in is that auditors are chosen largely on how sharp, commercially-aware and technically-competent the lead partner and top team are. Never has an auditor even implied that they would allow management more leeway than others. Moreover, if this were the case, then our whole governance structure with independent non-executives and audit committees would be failing. The answer then would be in governance change, rather than in imposing audit appointments.

On what basis would a regulator appoint an auditor to an individual company? Would they use sector expertise? This would inevitably lead to a greater concentration of audits as it would be self-reinforcing. Would it be a cab-rank principle like barristers? But this couldn’t cope with companies needing sector-expertise or international coverage. How would allocating audits on a ‘buggins’ turn basis contribute to effective competition between auditors? If a company were allocated a poor performing audit partner, what recourse could it have when the audit is imposed on them? And how would this enhance competition?

An audit does much more than simply agree a profit number. A good audit works closely with management in order to get under the skin of a business and use that knowledge to make judgements, challenge assumptions, identify risks and suggest improvements in processes. The Audit Committee, in consultation with management, is in a good position to assess an auditor’s success in achieving this. How would a regulator be better placed to make this call for an individual audit, along with thousands of other appointments that it would have to make?

There is a problem, but how do we get to a solution?

There are issues with the quality of some audits, but there is no evidence that this is widespread. In fact, the continued repetition of Carillion and BHS as evidence actually suggests that there are relatively few known examples. Clearly there were issues to investigate at Carillion, BHS, Patisserie Valerie, and Conviviality, but no-one is really trying to understand how the audit process contributed to those failures. The media, government, Select Committees and regulators have focussed on allocating blame to individuals. This is not the same as understanding what happened. In fact, searching for blame is pretty much guaranteed to block thoughtful impartial analysis.

It does make sense not to allow any company to become too important to an audit firm. It may well be helpful to separate out completely non-audit work from all audit firms. But making auditors more nervous and cautious about signing off a company’s going concern statement won’t save companies from going bust. In fact, it is likely to increase it, as companies that could perhaps have been saved have to throw in the towel after being unable to get their accounts signed off as a going concern.

The current pressure to increase audit regulation is likely, on past experience, to be counter-productive. It may buy some good headlines for a beleaguered government, but responsible regulation has to be built on evidence, clear thinking and understanding of all the consequences (whether intended or not). It also requires the humility that would come from accepting the failures of past measures and decisions.

The likelihood is that we will end up with more regulation proposed by the ‘great and the good’, few of whom have actual experience of company audits, based on little evidence, but genuflecting to politicians with little or no understanding of business.

And where is the voice of business? The trade bodies remain craven to the government and fearful of a political backlash. The accountancy bodies, dominated by auditors, keep their heads down. It is no wonder that companies are likely to end up being the punch bag for yet more political games.

 

Motherhood & apple pie – the latest corporate governance regulations for private companies


The FRC has set out new proposals for more corporate governance regulation (the Wates Report) for large private companies.

This is my response to the consultation.

 

 

 

Summary

High quality regulation should focus on outcomes and provide evidence to support new rules and principles. Both the government and the FRC seem to be impervious to either. The Wates proposals identify neither outcomes nor evidence. They require private companies to disclose more about governance, but don’t identify who will use this information nor what they will do with it.

The FRC has missed another opportunity to research and think deeply about why companies get into difficulties and how it can reduce the likelihood of this happening. Clear corporate governance is probably a ‘good’ thing for all companies, but there is little evidence that it actually leads to better outcomes. The corporate governance principles proposed for private companies are well-meaning and are hard to disagree with, but, as currently written, are not specific enough to be other than a gentle nudge to companies, and more likely a cause of more boiler-plate wording in annual reports. A few specific questions for companies to answer would give clearer disclosure. The Principles need also to be applied to the actual governance of companies, rather than their legal structures.

 

  1. What is the objective?

It is not clear what the objective is of this exercise. Paragraph 2 talks about a loss of public trust in big business. Paragraph 3 refers to the ‘privileges of limited liability status’ and lower reporting and accountability requirements than listed companies, highlighting public interest in whether companies ‘operate in a sustainable and responsible manner’. The Consultation Questions explain that ‘The Principles and the guidance are designed to improve corporate governance practice…’ Presumably, the assumption is that ‘good’ corporate governance will build public trust. Sadly, the evidence from the listed arena is that this is not true. Carillion, for example, complied very closely with the Corporate Governance Code.

The foreword explains that the Principles are intended to help companies comply with a new legislative requirement on governance. The FRC is simply responding to a government edict. Without a clear objective, it is not easy to test whether the principles meet their aim, other than to turn a vague statutory requirement into something that companies can comply with.

There is no estimate of how many companies will be caught by those provisions, nor how much it will cost to comply, and least of all any idea of what the benefit will be.

 

  2. Are the Principles sufficiently specific to achieve the objective?

The Principles themselves are a set of very high-level statements, with which it is difficult to disagree. It’s unclear how a company can realistically claim not to comply with them. Turn each of the sentences into the negative and see who would claim that this applies to them;

  1. The board does not promote the purposes of the company.
  2. The board does not have an effective chair. The size of the board is not guided by scale & complexity of the company.
  3. The board does not have a clear understanding of its accountability and terms of reference.
  4. The board does not promote the long-term success of the company.
  5. The board does not promote executive remuneration aligned to sustainable long-term success of the company.
  6. The board does not have meaningful engagement with material stakeholders.

What status does the more specific “guidance for consideration” have? It appears to be largely discursive, so would not need to form part of a company’s assessment as to whether it complies with the principles. It seems that the FRC has pulled back from being too prescriptive, but in doing so has ended up with principles that, whilst undoubtedly worthy, are largely motherhood and apple pie.

 

  3. Do the Principles and guidance take account of the various ownership structures of private companies?

The Companies (Miscellaneous Reporting) Regulations 2018 confuse legal structure and governance. Legislators appear to believe that every company has a board that manages that individual business on a day to day basis. This may be true of some independent companies, but it doesn’t take account of group structures. A number of subsidiary companies may together constitute a group, which is managed by a board at that level. The size tests apply at company, rather than consolidated level. Yet many holding companies do not directly employ significant numbers of employees, nor have large revenue themselves. The Regulations will therefore miss some large groups that are presumably the principal intended target of this legislation. It may also cause subsidiaries to invent bogus governance to comply or have to explain why they don’t comply.

The FRC should make it clear that the Principles apply to the board that actually constitutes the main governance for each entity, irrespective of the legal structure, provided that this is explained and disclosed in each company annual report. A subsidiary could simply report that its main governance structure sits with a parent entity and that details will be found in that company’s report and accounts.

The FRC should also clarify that the tests for the need to comply (employee numbers, turnover and net assets) should apply to the consolidated accounts, rather than the parent company alone.

 

  4. What more could be done?

To make these proposals have any meaning, the FRC should consider making adequate disclosure a key part of the Code. I appreciate that this is implied, but it should be made explicit and specific. The proposals in the guidance could be backed by a small set of simple disclosure requirements;

Purpose

  1. Describe the values by which the Board and the Company operate.
  2. How does the Company promote behaviour in line with its values whilst discouraging misconduct and unethical practices?

Board composition

  1. How are board members appointed and what relationship does each have with the shareholders or parent group?
  2. What does each board member bring to the board?

Board responsibilities

  1. Describe how the board governs the company, including through use of subcommittees.
  2. How does the board ensure that the company systems and controls work effectively?

Opportunity and risk

  1. How does the board evaluate and manage risk?
  2. What is the board’s appetite for risk?

Remuneration

  1. How does the board set remuneration for directors and senior executives?

 

This list of disclosure questions should be kept short and high level. The risk is that everyone will want to add a question, but the longer the list the greater likelihood of a box ticking mentality and boiler plate answers. This should be the minimum number of questions that a company would need to answer to give adequate disclosure on the Principles.

 

 

 

How a bow-tie can smarten up corporate risks

Imagine that you are worried about your infirm mother and want to make sure that you do everything to protect her. If you adopted typical corporate risk management practice, you would identify a risk that she falls over. You would then calculate the impact (maybe a broken bone) and then identify some mitigations, such as putting some cushions around her bed or installing a handrail. All sensible, but not very thorough. What if the consequence were a significant chance of her dying? Would you then want to do a more comprehensive risk analysis?

Understanding corporate and financial risks is becoming an increasingly important part of any board’s job. Most companies seem to use this same basic format. However, one of the biggest problems in traditional corporate risk analysis is the general, catch-all nature of ‘mitigations’. Anything you do to reduce the risk or ameliorate the impact is classed as a mitigation. This causes glib generalisations and sloppy thinking.

Good risk management has to be very specific and very clear. You won’t protect your mother from falling by saying that you’ll ‘keep an eye on her’. You would need to be very specific about who does what, when and why.

Typical risk analysis in an annual report

The Principal Risk section in an annual report typically has a description of the risk, its potential impact, mitigations and whether the risk is getting bigger or not. I’m not sure of the value of the trend, as it is surely more important to concentrate on size of the absolute risk. However, it’s the catch-all mitigations that are the key and these are usually high-level generalisations;

“Adoption of rigorous policies and processes…”

“Regular performance reviews…”

“Deployment of high quality people..”

These are real examples of ‘mitigations’ of a risk that actually brought down a multibillion pound listed company1. But they are also typical of most annual reports.

The bow-tie model

If you want to see best practice in risk management, look in industries where it is literally a matter of life and death, such as oil exploration, aviation, mining and maritime. They tend to use the ‘bow-tie’ model, which can also be applied to financial and corporate risks.

Hazard: The model starts by identifying a hazard. In our example, this would be your infirm mother moving around. She’s safe in bed, but the moment she gets up she opens herself up to a hazard. That hazard may lead to an event.

Event: This is the moment at which you lose control over the hazard. The hazard is her moving around, but the moment she loses control of her movement, ie she trips, it becomes an event. This is close to the typical corporate idea of a risk.

We now look at causation of events;

Threats: These are whatever might cause the event to happen. For example, the lady might have had a few drinks, or she might slip on some water, or she might have a funny turn.

Preventative barriers: These are things that might reduce or eradicate the threat. This would include some actions that would traditionally be called mitigations. In our example, it might include hiding the sherry bottle, or getting a carer to mop the floor or altering her medication.

And there are the results of an event happening;

Consequences: These are the outcomes from an event occurring. There can never be absolute certainty that barriers will work (ie prevent a threat causing an event). You can never be sure that your mother won’t ever fall over, despite your best efforts. It is important therefore to look at the results of such a failure. In this example, your mother might slip and break a leg or be left unable to call for help. These are not the risks themselves, but are possible results of the risk occurring.

Recovery barriers: These are things that might reduce or eradicate the consequence. Again, these include traditional mitigations, but are sometimes overlooked as it is often assumed that mitigations will stop any event from happening. In this example, you could put an emergency button on your mother’s wrist or put in cushioned flooring.

And then there are escalation factors;

Escalation factors: Few barriers are perfect. There are likely to be reasons why the barrier might fail. These are called escalation factors and can weaken barriers to both threats and consequences.

This model forces you to think through in detail what the risks are, how to stop them from crystallising and, if they do, how to mitigate the consequences. Think about the barriers as gates that stop bad things happening, but the escalation factors sometimes force the gates open.

An example of a corporate risk

Here is an example of a corporate risk, that of poor people management leading to resignations of key people, shown as a bow-tie model;

[Bow tie diagram]

This model shows the threats that might cause those resignations; uncompetitive remuneration, poor culture, inadequate career development and poor management practices. For each of those threats, the model shows what the company is doing to counter or prevent those threats. It also notes that there is an escalation factor, stress on people, that might exacerbate the threat of poor management, but this itself is offset by the use of in-house counselling.

If there were resignations of key people, the company could suffer the loss of key personnel, difficulty in day-to-day management, having to delay new projects, and putting more strain on remaining employees. To try to avoid or minimise these, the company will: conduct interviews to determine if a counter offer would retrieve the employee; use succession planning to identify replacement people who could be reallocated; use consultants if possible; and identify other personnel at risk who could be offered retention bonuses. The latter could be at risk of financial constraints, but the company addresses this by keeping a contingency budget ready for such an eventuality.

What emerges is a complete story of what dangers the company faces and how it is reacting to all of them. This is a much more powerful analysis than the traditional risk, impact and mitigation model.
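The same corporate example can be held as data and checked for holes, so that a threat with no barrier or an escalation factor with no counter is reported rather than overlooked. This is an added Python example, not part of the original article: the threats, consequences, recovery barriers and escalation factors are the article's, while the hazard wording, the preventative barrier names and the pairing of recovery barriers to consequences are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Barrier:
    name: str
    # escalation factor -> barrier that counters it ("" if nothing does)
    escalation: dict = field(default_factory=dict)

@dataclass
class BowTie:
    hazard: str
    event: str
    threats: dict       # threat -> list of preventative barriers
    consequences: dict  # consequence -> list of recovery barriers

    def gaps(self):
        """Return every threat, consequence or escalation factor left uncovered."""
        found = []
        for side in (self.threats, self.consequences):
            for name, barriers in side.items():
                if not barriers:
                    found.append(f"no barrier: {name}")
                for b in barriers:
                    found += [f"uncountered escalation: {factor} ({b.name})"
                              for factor, counter in b.escalation.items()
                              if not counter]
        return found

def key_people_bowtie(contingency="contingency budget"):
    # Hazard wording, preventative barrier names and the barrier-to-consequence
    # pairing are constructed; everything else comes from the article's example.
    return BowTie(
        hazard="dependence on key people",
        event="resignations of key people",
        threats={
            "uncompetitive remuneration": [Barrier("annual pay benchmarking")],
            "poor culture": [Barrier("staff engagement survey")],
            "inadequate career development": [Barrier("development plans")],
            "poor management practices": [Barrier(
                "manager training", {"stress on people": "in-house counselling"})],
        },
        consequences={
            "loss of key personnel": [Barrier("counter-offer interview")],
            "difficulty in day-to-day management": [Barrier("succession planning")],
            "delay to new projects": [Barrier("use of consultants")],
            "strain on remaining employees": [Barrier(
                "retention bonuses", {"financial constraints": contingency})],
        },
    )
```

Calling `key_people_bowtie().gaps()` returns an empty list; passing `contingency=""` reports the retention bonuses as exposed to financial constraints.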

This model can be used for any corporate risks and to build the risk register. Quantification could of course be added if required. This would be shown as the severity x likelihood of the risk happening without any barriers and then again with the barriers that are currently in force. In our example, the risk of key personnel resigning might be 80%, and this might be judged to cause £10m of damage, ie an unmitigated weighted risk of £8m. You might conclude that with the barriers in place, the residual risk would be 30% and a likely damage of £5m, giving a mitigated risk of £1.5m.

Annual Report

The full model would be too big to include in an annual report, but could be summarised in this way:

[Image: bowtieannreport.jpg]

This format is a useful summary, but the full model is better as a management tool in visualising and explaining the stages of risk management.

Summary

Planning for risks and risk management needs to be done on a detailed and specific level. Generalisations won’t work. Too much risk work that comes to boards is rife with generalisations and bland ‘mitigations’. The bowtie model, developed in industries that deal literally with life and death safety risks, forces a proper step-by-step plan of risks, management processes and actions that either reduce the risk or ameliorate the impact if the risk crystallises, as well as an understanding of the reasons why those actions might fail. This model has a great deal to offer companies in sharpening up their understanding and presentation of corporate risk management.

Simon Laffin

¹ The risk was ‘Contract management’ and the company was Carillion plc. These quotes are from their last (2016) annual report.