CGMA Performance integrated risk report for BOD
Integrating risk into performance: Reporting to the board of directors
Authors:
Prof Dr ir Regine Slagmulder, Vlerick Leuven Gent Management School
Maria Boicova, Vlerick Leuven Gent Management School
Two of the world’s most prestigious accounting bodies, AICPA and CIMA, have formed
a joint venture to establish the Chartered Global Management Accountant (CGMA)
designation to elevate the profession of management accounting. The designation
recognises the talented and committed management accountants with the discipline
and skill to drive strong business performance.
INTRODUCTION
Since the board of directors holds the ultimate responsibility for the
company’s success or failure, board members should be adequately
informed about the company’s performance and risks.
Surprisingly, there has been relatively little academic
research on what information boards of directors
actually receive to fulfil their strategic monitoring
role. Furthermore, whereas performance-related
reporting benefits from a long-standing research
tradition in the management accounting literature,
relatively limited attention has been paid to its
integration with risk – especially in relation to
boards as receivers and users of that information.
This project responds to earlier calls for research that
extends beyond the use of accounting information
for decision making by managers to examine how
other actors interface with management accounting.
For a brief summary of the theoretical considerations
used to set up this study, please refer to Appendix 1.
Objectives
The main objectives of this research were to:
• Document and analyse how performance and risk
are integrated in management reporting to the
board of directors.
• Identify leading practices of enhancing
performance management with risk, to enable
board members to perform their strategic
monitoring role.
Research methodology
The research was based on a multi-case study
approach in European companies in a variety of
non-financial industries. We focused on non-financial
companies because of the idiosyncratic nature
of risk management in financial services and the
limited availability of case studies in other sectors.
Interviews were conducted with the risk and/or
audit function, and with at least one member of the
board. The purpose was to document the process of
risk and performance reporting to the board, and to
identify what information actually reaches the board
of directors. For each company we also studied the
board demographics and other criteria, such as
number of board meetings and level of attendance
at those meetings, as proxies for board involvement
in the company’s strategy process.
Key conclusions
• There is an increased awareness by board
members of the importance of explicitly
considering risks in their decisions.
• Companies have established both separate risk
reporting to the board as well as reporting that
links risk with performance and strategy.
• There is a tendency to look at risk both from a
negative angle (potential threats) and a positive
angle (potential opportunities).
Main findings and their implications
for practical application
The main findings from the research can be summed up as follows:
• The case studies provide evidence of significant
variation in companies’ risk reporting practices,
both in terms of the content and the structural
aspects of risk reporting. The field observations
suggest that risk reporting in companies can be
put on a continuum, with limited reporting at
one end of the spectrum and elaborate reporting
at the other. (Note that the extreme case of zero
reporting was not observed in practice, because
a minimum level of risk reporting to the board
is mandatory in most European countries.)
• We observed that boards generally seem to be
very aware of the importance of considering
risks in their decisions and in their performance
evaluations. Board members tend to perform their
own implicit assessment of strategic risks when
they discuss new strategic initiatives. Such board
risk assessments are usually not formalised, but
are part of the regular discussions on long-term
strategy and potential uncertainties related to
that strategy.
• With respect to integration of risk and
performance in strategic decision making, we
found that it is common practice by management
to identify and report risks to the board as a part
of M&A proposals, business development plans,
or strategic reviews. Such integrated reporting
typically comes on top of the specialised reporting
that focuses specifically on (operational) risks.
• Through the involvement of the internal auditor in
risk management, the integration between risk and
performance is achieved also in the audit reports
that go to the board of directors. On the board side
it is the audit committee that is most frequently in
charge of the risk management, which also adds to
an integrated view on both risk and performance.
• In most companies, we observed that risks are
viewed not only in a negative light (ie, as a threat),
but also from a positive perspective (ie, as
value-creating opportunities).
The reporting on risks is thus closely intertwined
with reporting on potential opportunities, in this
sense providing a close integration between risk
and performance.
“In our dashboard risk we have the orange-red
part and the green-greener part, and when we
do our risk assessments we always work on both
parts. We clearly have more risks listed than
opportunities, but there are frequently opportunities
in the dashboard where people can improve even
more than planned.”
– Risk officer
• To ensure that the integration with performance
is achieved even in the presence of separate risk
reporting, it is considered good practice to align
the timing of risk reporting with that of budgeting
and strategic planning, which provides for relevant
progress reports at regular intervals.
In order to contextualise the research findings,
we explicitly asked all interviewees about their
company’s risk appetite. More specifically, we
wanted to investigate whether the company had a
defined risk appetite and how it was approved. Some
practitioner reports¹ emphasise that “designing risk
management without defining your risk appetite is
like designing a bridge without knowing which river
it needs to span.” Such a stance suggests that defining
the company’s risk appetite is actually a crucial first
step. However, observed practice shows
a less categorical position. Whereas risk management
procedures are in place in all companies we studied,
the formal definition of risk appetite remains a fairly
rare practice.
Overall, our field study observations demonstrated
a continuum in terms of levels of definition and
approval of risk appetite, ranging from no definition
at all to some attempts at formal definitions by the
board of directors – with most companies being at
the lower end of the spectrum. In those companies
that favoured a more integrated view on risk,
the attitude towards formalisation of risk appetite
remained fairly reserved. One potential reason
could be that companies might prefer to stay flexible
and adjust their risk appetite based on the particular
project and/or strategic initiative at hand, and as a
consequence avoid too much ex ante formalisation.
In any case, our research findings seem to hold
irrespective of the level of the definition and
formalisation of risk appetite.
For the management accounting professional dealing
with risk reporting to the board, we can conclude
that the design of the management reporting has to
be aligned with the expectations of the board. It is
no longer sufficient to provide reporting that solely
focuses on performance, while ignoring the risks
that may affect the company’s results. Although this
does not necessarily mean that large amounts of
extra information need to be produced, it definitely
signifies that the scope and quality of board level
information has to increase. Some companies
address this issue by explicitly redesigning the way
they present the information to the board members,
whereas others limit themselves to shifting the
tone and emphasis in their reporting. In any case,
the fact that board members become increasingly
aware of the importance of considering risks in their
decisions, provides a strong signal to practising
accountants and controllers to enhance their
reporting with relevant risk information.
CONCLUSION
The main lessons learned from this research are that (1) even though the
increased attention to the formalisation of risk management in companies
seems to be a recent trend, it is only partly to be attributed to the economic
crisis; (2) there is a tendency to look at both the negative and the positive
side of risk; and (3) companies establish both separate and integrated
reporting to the board on risk.
Firstly, we indeed observed an increased general
awareness by board members of the importance
of considering risks in their decisions, which is
usually attributed to the current economic crisis.
However, most of the board members we
interviewed noted that they had always been very
aware of the risks inherent in the business and had
already been taking them into account. It seems that
what was previously done in a more implicit manner,
has simply received greater attention and been
subjected to increased formalisation.
“Talking about risk for me is not something new;
it has always been a part of the ongoing
management control in the company.”
– Board member
Another interesting lesson learned concerns the
observed tendency to look at risk from a negative
angle (as potential threats) as well as from a
positive angle (as potential opportunities).
This means that companies not only follow the
compliance requirements, but also consider risk
management to make an important contribution to
the strategy process. Such a holistic approach, where
both the negative and the positive side of risk are
taken into account in decision making, significantly
enhances the quality and breadth of strategic
decisions taken by companies.
Finally, we observed that companies establish
both separate risk reporting to the board as well as
integrated reporting that links risk with performance
and strategy. The separate, specialised risk reporting
seems to be a rather recent trend. The integrated
reporting, and more specifically the integration of
risk into performance, and even more specifically
strategy, has been common practice in successful
companies for quite a long time. Recently, however,
this integrated reporting has become somewhat
more prominent, fuelled by expectations from
various stakeholders.
While the integrated reporting does not specifically
focus on risks, and might thus be somewhat skewed
towards a positive outlook, we concluded that
such an approach enables the recipient to see the
“big picture”. The fact that integrated reporting
provides risk information in the context of other
types of information on performance, strategy and
operations, adds to a more in-depth understanding
of how the business is doing. In contrast, while
separate risk reporting zooms in specifically on the
risk aspects of the business, it has the propensity to
be much more compliance driven. Our respondents
emphasised that specialised risk reporting tends
to lead the company into a compliance trap, with
the whole risk management turning into a
“box-ticking exercise”. The above considerations drive our
preference towards integrated reporting as a superior
approach towards risk reporting to the board, as
it makes it possible to break through functional silos in the
company and put the information in perspective,
thus enabling more effective decision making.
In our research we did not detect a single best
practice of integrating risk and performance
reporting. Nevertheless, some of the practices
observed in companies show that there is definitely
value to such integration:
• An update on risks and trends was included in
the yearly overview of the control environment,
investments and key performance indicators
(providing links with different risks).
• Strategic site reviews were produced, containing
information on such strategic issues as resources,
utilisation, health and safety, community, number
of complaints, staffing and risks gathered per site
and reported in a consolidated way.
• Integrated reports were sent to the board on the
company’s aggregate exposure both on the asset
side and the liability side to the financial markets,
reflecting “the big risk questions”.
“To integrate the notion of risk into our planning
and budgeting cycle, we request our country
managers to present no more than ten slides during
the annual budget presentations, but one of those
slides has to explicitly focus on risk.”
– Senior VP
• Performance reporting to the board was
benchmarked against the company’s strategic
perspective, the attainment of planned results,
and in comparison with industrial and budget
forecasts (with explicit consideration of risks)
or, alternatively, was presented in the context
of general trends in the sector and in comparison
to the relevant information available about
competitors (which also implicitly included
risk elements).
• While we have not directly observed the pure
scenario planning and budgeting in our case
companies, some elements of this approach were
witnessed in at least half of our sample. Scenario
planning and budgeting are part of the strategic
reflection loop, where managers have to come up
with draft performance objectives and then think
over potential threats to the realisation of those
objectives. The distinctive feature of this approach is
that it has to answer the “what if…?” question
and further calculate the estimates accordingly,
taking into account all the uncertainty elements.
Possible tools that can be used for this exercise
are decision trees or Monte Carlo simulation to
calculate, eg, the best, the worst and the “seemingly
realistic” scenario. From the board perspective, the
scenario planning and budgeting approach gives
a more solid input for further board discussions
on potential strategy and risks, which in its turn
contributes to improved decision making.
To conclude, there is a range of ways in which the
integration of risk and performance information,
as well as strategic information, can be achieved in
practice. Risk-enhanced performance management
must evolve from an ad-hoc event under pressure of
the economic downturn, to a continuous process that
must be embedded within the company’s governance
processes. Unfortunately, many companies’ efforts
in the area of performance and risk management
seem to focus too much on meeting regulatory
requirements (“ticking the boxes”) and not
enough on how to integrate performance and risk
management for more effective strategic decision
making. The lessons learned from this research
allowed us to provide some initial recommendations
to management accounting professionals faced with
the challenge of designing (or re-designing) risk
reporting to the boards of their companies.
FIGURE 1: Risk assessment (matrix of Impact against Occurrence. Impact scale: negligible, moderate, significant, exceptional, shown for both increasing opportunity and increasing threat. Occurrence scale: almost impossible, unlikely, fairly likely, probable, highly probable, almost certain.)
Footnotes
1 EY, 2010 Risk appetite: the strategic balancing act.
2 Johanson, D. (2008), Corporate governance and board
accounts: exploring a neglected interface between boards
of directors and management, Journal of Management
and Governance, Springer, 12(4), pp. 343-380.
Appendix
Appendix 1 – Theoretical
foundations of the research
While the availability of accurate and relevant
information is recognised as an integral part of
efficient board governance (Johanson, 2008),²
researchers’ understanding of management reporting
systems with respect to the board and the conditions
influencing their design is relatively limited. This
is surprising, given that the design of companies’
internal reporting systems has been widely studied
in the management accounting literature.
In contrast with companies’ comprehensive
reporting on financial (and non-financial)
performance, their management information
systems are seen as requiring significant
improvement when it comes to risk. While board
members are not expected to be involved in the
day-to-day risk management, they are assumed to know
what inherent and emerging risks may negatively
impact on the company’s performance. Despite the
fact that risk management has recently attracted
increased boardroom attention, little is known about
whether and how companies integrate performance
and risk into their reporting to the board.
A common assumption in the management
accounting literature is that there is no
one-size-fits-all approach to internal reporting, and that the
specific approach adopted by any given company
is dependent on a number of contingency factors.
For example, among the reasons behind variations
in sophistication of performance and risk reporting
to the board might be such variables as company
size, industry, type of control, or level of board
involvement in the strategy process, leading to
different information requirements.
In sum, the extant literature has extensively covered
topics related to internal reporting for managerial
use on the one hand, and elements of board
effectiveness on the other, but there are few studies
that combine the two research areas. Given the
board’s strategic monitoring role and the importance
of considering both performance and risk in
board-level decision making, investigating the content and
process of board reporting constitutes an interesting
research theme.
Appendix 2 – Overview of the case
studies findings
In each of the companies studied during the first,
exploratory phase of the research, we observed that
the companies established separate reporting and
also frequently separate reporting lines to deal with
risk. All companies established a risk management
system at the company level that was the source of
input for the subsequent risk information flow. In all
cases, the management team was actively involved
in the risk assessment exercise and was generally
held responsible for managing risks in their
respective business unit, country or region. This was
considered to be an integral part of doing business.
However, in all of the companies we studied there
was also a clear separate reporting line up to the
board on identified risks. In most cases the risks
reported were limited to the top ten or top 15
risks and were mostly operational in nature. The
risks were duly aggregated and those that reached
the board were truly ‘global’ in the context of the
company. The remaining risks were assumed to
be treated at the relevant management level.
We observed that all companies had a separate
function to assist the management with risk
assessment and that aggregated the information
for subsequent reporting to the board. In the
three publicly listed companies in the sample, the
reporting went to the audit committee of the board,
while in the case of a privately held company the
reporting to the board was done by the executive
management. The internal auditor was involved
in risk management in two out of three cases we
studied. In one company it was the internal auditor
who facilitated risk assessment in the company,
while in the other the internal auditor was assisted
by the head of risk and insurance, who actually did
the consolidation of the information.
Besides the establishment of separate risk
reporting, companies also seem to integrate risk
into existing performance reporting to the board.
We identified the following leading practices
vis-à-vis integrating risk and performance:
• One company introduced an update on risks
and trends in the yearly overview of the control
environment, investments, key performance
indicators and follow up on them by the internal
auditor. The goal was to give board members an
overall perspective on performance and risks of
the company.
• An assessment of the inherent risks was integrated
into the CEO’s annual presentation to the
board during the strategy day. The evolutions in
customers, infrastructure, financial targets and the
proposed initiatives, as well as the risks inherent
in the proposed strategy, were identified, reported
and further discussed.
• The notion of risk was integrated into the
companies’ planning and budgeting cycle, for
example by including one slide that explicitly
focused on risk in the annual budget presentations
by the country managers.
• One of the companies introduced strategic site
reviews, where information on reserves, resources,
utilisation, health and safety, community, number
of complaints, staffing and risks was gathered
per site and reported in a consolidated way. This
review thus forced the management to go to the
plant level once a year and talk strategically about
the risks of the business.
• One company shifted the way in which the
information was presented to the board (eg,
instead of information on “20 years of reserves”,
the board of directors started to receive a report
that “85% of earnings were protected by reserves
that the company had for more than 20 years; and
2% of earnings were at risk in the property that the
company owns”). This created a better insight into
the company’s risk exposure for the board.
• Risk information was explicitly integrated into the
reporting on new strategic initiatives by the CEO
to the board.
In phase two of the research we expanded the
initial sample with three large European companies
from different countries. All three companies are
publicly listed global multinationals. As with the first
companies, we noted that there is neither a single
approach to organising risk reporting to the board
nor a single integration path with performance
reporting. The leading practices vis-à-vis integrating
risk and performance that differ from the ones
we already identified in phase one include the
following:
• The companies introduced a combination of
different risk-related metrics in their performance
related compensation. These were primarily
internal financial metrics (such as real internal
growth (RIG), organic growth, EBIT or working
capital employment), but they also included
external perception metrics (such as reputational
risks, customer satisfaction); environmental
metrics (such as water consumption, GHG
emissions); and social measures (such as safety
and health figures).
• They provided integrated reports to the board
on the company’s overall asset and liability
management (the aggregate exposure both on
the asset side and the liability side to the financial
markets, reflecting “the big risk questions” such
as: what if the euro falls apart or another Lehman
bank goes under).
• Risk elements were also integrated in the
discussions and subsequent reports of the various
internal cross-functional ad hoc committees and
working groups.
• The information on performance provided to the
board was usually an evaluation in terms of the
strategic perspective, as well as in terms of the
attainment of planned results and in comparison
with industrial and budget forecasts, in which risk
elements were implicitly included. The information
was also presented in the context of general trends
in the sector and in comparison to the relevant
information available about competitors (which
also implicitly covered competition risk and
reputation risk).
• Integration with performance was also achieved
at the moment of risk assessment, where the focus
is on risks that directly affect the company’s key
value drivers.
• Articulating risk assessment within the budgeting
process was compulsory in some companies and
had to be done ahead of the budget submission.
It was mandatory to execute the four steps
(identification, assessment, response and
monitoring) for the major risks as part of the
budget process.
978-1-85971-769-1 (print)
www.cgma.org
November 2012
The Association of International Certified Professional Accountants, a
joint venture of AICPA and CIMA, established the CGMA designation
to elevate the profession of management accounting globally.