The role of risk management in integrated reporting

(1)

Amsterdam Business School

The role of Risk Management in Integrated

Reporting

Master Thesis Accountancy and Control

Student:

Maxime N. Hoogendijk

Student number:

10001182

First supervisor:

C. Clune

Second supervisor:

Prof. Dr. B.G.D. O’Dwyer

Date:

June 18

th

, 2015

Word count:

14.895 Master of Science Accountancy & Control, variant Accountancy

Faculty of Economics and Business, University of Amsterdam

(2)

Statement of originality

This document is written by student Maxime Nicolette Hoogendijk, who declares to take full responsibility for the contents of this document.

I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.

The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.

(3)

Abstract

Purpose – The purpose of this paper is to deepen and advance the understanding of the role of risk management in Integrated Reporting within a Dutch Big Four firm.

Design/methodology/approach – The paper presents a case study examining the role of risk management in Integrated Reporting. Specifically, it assesses the collaboration between the risk management department and the sustainability assurance department of a Big Four firm in the Netherlands (GZP). Nine in-depth interviews were conducted at both departments to develop an understanding on these matters. The process of risk management within an emerging audit space as Integrated Reporting is conceptualized using Power’s theory “The Risk Management of Everything” (2004).

Findings – The case study provides a contradicting view on the collaboration between the risk management department and the sustainability assurance department in performing risk assessments of (potential) clients in comparison to prior research. Within GZP the two departments do not cooperate, instead all assurance departments assess risks themselves by using a globally designed risk management tool. The paper unveils the elements of this tool and the preference of the interviewees with regard to risk management.

Originality/value – The paper responds to calls to further develop an understanding of the role of risk management in new audit spaces – in this case Integrated Reporting. It is unique in deepening the understanding of the importance and emergence of Integrated Reporting as a whole and is the first in the field to examine the role of risk management in Integrated Reporting. The findings contradict with prior literature, which questions and provides a different perspective on existing theory.

Keywords – Integrated Reporting, Risk Management, Big Four Accounting firm, Intelligent Risk Management, new audit spaces, new forms of assurance

(4)

Acknowledgements

I would like to take this opportunity to thank my supervisor C. Clune for his support during the whole process of conducting research and writing this thesis, his useful and inspiring comments to improve this thesis in the best ways, for his understanding during some difficulties faced during the process and for his enthusiasm that encouraged my own enthusiasm as well.

I am very grateful to the nine interviewees of this study for their time, the knowledge that they were willing to share and their enthusiasm during the interviews.

I would like to thank my future employer for giving me the opportunity to get access to the interviewees during my internship and therefore making it possible to write my thesis as good as possible.

I would like to thank my family and friends for their support and patience in the last months while conducting this research and writing the thesis.

(5)

Dutch summary

Het doel van deze paper is om een dieper en beter begrip te krijgen van de rol die risk management speelt in het – relatief – nieuwe concept Integrated Reporting binnen een Nederlands Big Four accountantskantoor.

Door middel van een case study wordt de rol van risk management in Integrated Reporting onderzocht. Dit wordt gedaan door te kijken naar de samenwerking tussen de risk management afdeling en de sustainability (duurzaamheid) assurance afdeling van een Big Four accountantskantoor (codenaam GZP). Om hier inzicht in te krijgen zijn negen interviews afgenomen met medewerkers van beide afdelingen. Het proces van risk management in een opkomende markt als Integrated Reporting wordt geconceptualiseerd door de theorie “The Risk Management of Everything” van Power (2004) te gebruiken.

De uitkomsten van de case study zijn in strijd met eerder onderzoek. Waar eerder bleek dat de risk management afdeling en de sustainability assurance afdeling samenwerkten om tot een betrouwbare risico inschatting te komen voor elke (potentiële) klant. Uit de interviews van deze case study blijkt echter dat er feitelijk geen samenwerking is tussen de twee en dat elke assurance afdeling zelf de risico’s inschatten die verbonden zijn aan haar klanten. Om dat te doen gebruiken zij een ‘risk management tool’, die is ontwikkeld door GZP en die wereldwijd is ingevoerd. In deze paper worden de elementen van deze tool verder toegelicht en uitgelegd waarom GZP deze manier van risk management verkiest boven een samenwerking tussen de risk management afdeling en de assurance department.

Deze paper geeft gehoor aan de vraag om meer onderzoek naar de rol van risk management in nieuwe gebieden van accounting, in dit geval Integrated Reporting. Uniek aan deze studie is dat het bijdraagt aan het tot nu toe beperkte onderzoek op het gebied van Integrated Reporting in het algemeen. Daarnaast zijn de uitkomsten in strijd met vorig onderzoek, wat een nieuwe perspectief biedt op huidige theorie en daarnaast vragen opwerpt wat betreft de volledigheid en juistheid van deze theorie.

(6)

Abbreviations

AICPA American Institute of Certified Public Accountants

FASB Financial Accounting Standards Board

GZP Code name for the Big Four firm where interviews were conducted

IASB International Accounting Standards Board

IFAC International Federation of Accountants

IIRC International Integrated Reporting Council

IR Integrated Reporting

RMD Risk Management Department

(7)

1 Introduction

Integrated Reporting anticipated to revolutionize the future development of corporate reporting (Humprhey et al., 2014). Initiated by the International Integrated Reporting Council (IIRC), the aim is that Integrated Reporting eventually will become the international corporate reporting norm. However, today, Integrated Reporting is still in its infancy. Frameworks are still underdeveloped and guidelines are vague. Therefore, it is difficult for auditors to provide assurance with such reports, let alone reasonable assurance. For Integrated Reporting to satisfy the ambition of the IIRC, this is inevitable. Along with the need for assurance, risk management becomes important; risk management facilitates the operationalization of assurance in Integrated Reporting. Although research on Integrated Reporting is expanding rapidly, the role of risk management in the development of Integrated Reporting is still not exposed. Prior research reveals that the risk management department of a professional service firm assesses risks for (potential) clients’ financial information. The emergence of new audit spaces such as IR asks for new forms of assurance and a more extensive view on risk management in these new spaces. O’Dwyer et al. (2011) suggest that risk assessments on non-financial information can lead to a difference in opinion between the assuror and the risk assessor, because the latter often fails to “fully understand the ‘true’ nature of [non-financial] assurance or the credentials that [assurors] as specialists in the field brought to work” (p. 47). This can lead to high-risk assessments that result in the provision of a limited level of assurance, while the work performed by the assurors would suggest otherwise.

The aim of this study is to provide an in-depth understanding of the role of risk management in Integrated Reporting. Specifically, it focuses on how the risk management department (RMD) and the sustainability assurance department (SAD) of the case study’s Big Four Firm (code name: GZP) collaborate in assessing risks for (potential) clients. This is achieved by conducting in-depth interviews at RMD and SAD of GZP. The case study illustrates how a Big Four firm structures its risk management process so that it includes all aspects of the risks of (potential) clients in this new audit space. The paper draws theoretically on Power’s (2004) “The Risk Management of Everything”. He introduces the idea of ‘intelligent risk management’, where risk management focuses on balancing quantitative techniques and models, and more qualitative principles such as narrative and images. In the case of Integrated Reporting, including such qualitative principles is essential because it consists of non-financial, unquantifiable data.

(9)

A total of nine interviews were conducted at RMD and SAD. GZP was selected for this case study because it is one of the first Big Four firms with a separate department to provide assurance on sustainability issues (SAD). The interviews were conducted at Dutch offices of GZP because the Netherlands in one of the leading countries in the emergence of Integrated Reporting. It furthermore is a different Big Four firm than in the case of the O’Dwyer et al. paper (2011), which responds directly to their call to study different Big Four firms and provides another insight in the role of risk management.

The paper responds to calls to further develop an understanding of the role of risk management in new audit spaces – in this case Integrated Reporting. It is unique in deepening the understanding of the importance and emergence of Integrated Reporting as a whole and is the first in the field to examine the role of risk management in Integrated Reporting. Furthermore O’Dwyer et al. (2011) discuss the role of risk management in sustainability reporting, but calls for further research on the quickly evolving audit spaces regarding risk management. This paper responds directly to that call.

In doing so, I make the following contributions. First, this is the first study that has examined the role of risk management in the Integrated Reporting assurance process. I do this by examining how risk assessments are performed for Integrated Reporting clients and what role RMD plays in assessing those risks and how it cooperates with SAD. Second, existing literature into how professional service firms operationalize new development of Integrated Reporting is further developed in this study. I do this by examining the development of Integrated Reporting at GZP and more specific SAD. The difficulties of providing assurance, the underdeveloped or vague guidance and the emergence and demand for advice in in such a new audit space are addressed. Third, findings provide contradictory insights to existing literature on the collaboration between the risk management department and the sustainability assurance department in performing risk assessments of (potential) clients in comparison to prior research. Within GZP the two departments do not cooperate, instead all assurance departments assess risks themselves by using a globally designed risk management tool. The paper unveils the elements of this tool and the preference of the interviewees with regard to risk management.

The remainder of this paper is structured as follows. In chapter two relevant literature is discussed in order to develop a clear understanding of related concepts and prior literature is elaborated on the role of risk management in IR. Chapter three contains a theoretical framework, based on Power’s 2004 book “The Risk Management of Everything” which

(10)

describes the growing importance of risk management for organizations. In chapter four the research methodology and case context is discussed. Chapter five contains the analysis of the research findings. In chapter six the findings are further elaborated in the discussion and a conclusion is formed.

(11)

2 Literature review

This section provides an overview of existing literature. Providing assurance in new audit spaces has been researched before, but focused mainly on sustainability reporting. While Integrated Reporting is coming more and more to the attention of researchers, the new form of assurance this audit space requires is still underexposed.

This chapter consists of two main sections. In section 2.1 Integrated Reporting and the assurance on Integrated Reporting are discussed. In section 2.2 new forms of assurance are discussed and the role of risk management in new forms of assurance is elaborated.

2.1 Integrated Reporting

Since the International Integrated Reporting Council (IIRC) was established less than five years ago, Integrated Reporting (IR) has been promoted as a way of reporting more concisely and strategically in order to attract medium and long-term investors and promote longer-term decision-making (IIRC, 2014a). Integrated Reporting is defined as:

A process founded on integrated thinking that results in a periodic integrated report by an organization about value creation over time and related communications regarding aspects of value creation. (IIRC, 2014a: 3).

IR leads to an integrated report, which is a concise communication about how an organization’s strategy, governance, performance and prospects, in the context of its external environment, leads to the creation of value in the short, medium and long term (IIRC, 2014a). The long-term vision of the IIRC is “a world in which integrated thinking is embedded within mainstream business practice in the public and private sectors, facilitated by Integrated Reporting as the corporate reporting norm” (2014a, p.5).

The IIRC argues that integrated thinking is achieved when an organization considers all various operating and functional units in their decision-making and actions to be able to create value over short, medium and long term. A range of factors should be taken into account when integrated thinking is incorporated. These factors include the capitals that an organization uses or affects the capacity of the organization, the business model and strategy of the organization, the organization’s activities and financial and other performance (2014a, p.5). The more integrated thinking becomes common within an organization’s activities, the more the connectivity of information will flow into decision-making, analysis and reporting.

(12)

To be able to fulfill the long-term vision of the IIRC, IR has different aims. First, IR aims to improve the quality of information that is made available to providers of financial capital. Second, IR should enhance accountability and stewardship for the broad base of capitals. IR also should promote a more cohesive and efficient approach to corporate reporting. Finally, IR aims to support the creation of value over the short, medium and long term.

The IIRC introduced IR as a solution for the missing link between financial and non-financial reporting (Humphrey et al., 2014). Over the past decade, the number of reports that included sustainability information, as well as the interest of the investment community in sustainability information, grew substantially (Eccles et al., 2012). IR attempts to integrate sustainability and other non-financial information with financial information into one report. It does not only focus on the longer term and value of corporate reporting, but also on the social well-being and longer-term sustainability of businesses. The field of corporate reporting is broad and up till now somewhat unstructured because of various regulations and a wide range of actors (Malsch & Gendron, 2013). These actors include: the Big Four professional service firms; international and national accounting bodies (such as the IFAC, FASB, IASB and AICPA); international and national regulators; and consulting and advisory firms.

The long-term vision of the IIRC entails that IR is going to be the corporate reporting norm. Now, there are multiple national corporate reporting initiatives, but the Framework is aimed to incorporate such initiatives into one general framework for corporate reporting. In this way, organizations are able to report one integrated report instead of numerous, disconnected communications. Such a report should combine emphasis on conciseness, strategic focus and future orientation in order to apply connectivity of information.

2.1.1 Assurance on Integrated Reporting

An assurance engagement is defined by the IAASB as an engagement in which a practitioner aims to obtain sufficient appropriate evidence to be able to enhance the degree of confidence of the intended users of a report (IAASB, 2005). Existing assurance standards cover a broad set of subject matters, but since Integrated Reporting is a new form of reporting that covers extensive matters, existing assurance standards are not sufficient. The IIRC (2014b) defines an assurance engagement on an integrated report should entail “the expression of a conclusion on whether the integrated report is prepared in accordance with the Framework” (p.12). The IIRC argues there should be suitable criteria to guarantee assurance in Integrated Reporting.

(13)

These criteria should have characteristics as relevance, completeness, neutrality, reliability and understandability (2014b, p.13).

Assurance is difficult to provide for IR. The IIRC identifies issues with regard to this (2014b). Specifically, it argues that some specific areas are “difficult to address under existing assurance frameworks that would be helpful for assurance standard setters to address in the development of assurance standards or guidance with respect to Integrated Reporting” (p.34). These areas include materiality, reporting boundary, internal control considerations, connectivity matters, assessing completeness, assessing narrative reporting (including future-oriented statements), using the work of others, and the form of an assurance report. Materiality is an assurance issue that is under a lot of scrutiny. This is elaborated first, followed by a brief discussion of the other assurance issues.

2.1.1.1 Materiality in Integrated reporting

Organizations are confronted with a wide range of topics on which they could report. Relevant topics are those that may reasonably be considered important (material) for reflecting the organizations’ economic, environmental and social effects, or influencing the decisions of stakeholders, and are therefore of potential value to include in the report (GRI, 2013).

Traditionally, materiality was defined from the perspective of financial reporting, but now there is a growing movement towards a more extensive definition that suggests including disclosure of the risks and opportunities posed by sustainability issues such as human rights, supply chain integrity and climate change (Murninghan, 2013). This results in the demand for a wider, more sophisticated materiality framework that makes materiality no longer restricted to financial indicators but now includes a range of sustainability issues. As a whole, this should lead to a truer picture of the “value” of a business (Murninghan, 2013).

In financial reporting, materiality is commonly seen as a threshold for influencing the economic decisions of those using an organization’s financial statements, in particular investors and shareholders. When non-financial information is included, a wider range of stakeholders is involved, which makes it more difficult to apply one threshold for all elements of the integrated report. Materiality for non-financial reporting is not limited only to those matters that have a significant financial impact on the organization (GRI, 2013).

Determining materiality for aspects of an integrated report includes considering economic as well as environmental and social impacts that go beyond a certain threshold in

(14)

affecting the ability to meet the needs of the present without compromising the needs of future generations (GRI, 2013). These material matters often have a significant financial impact in the short term or long term on an organization. Therefore, they also could be considered relevant for stakeholders who focus strictly on the financial condition of an organization (IIRC, 2013).

Preparers of integrated reports use materiality for two reasons. First, it is used to determine what should be included in an integrated report. Second, materiality levels or thresholds are used to guide the preparer’s judgments in assurance engagements (IIRC, 2014b). The use of materiality in Integrated Reporting is more difficult than in traditional financial reporting, since it should be applied from a qualitative perspective. The IIRC (2014b) argues that additional guidance is needed on how to use materiality in Integrated Reporting, specifically for how to define a material error, how to consider the risk of the material error, how to establish materiality levels for an assurance engagement, how to apply qualitative concerns and how to assess cumulative misstatements.

2.1.1.2 Other assurance issues in Integrated Reporting

As discussed above, other assurance issues in Integrated Reporting include reporting boundary, internal control considerations, connectivity matters, assessing completeness, assessing narrative reporting (including future-oriented statements), using the work of others, and the form of an assurance report.

The reporting boundary is described by the International IR Framework (the Framework) as “the boundary within which matters are considered relevant for inclusion in an organization’s integrated report” (IIRC, 2014b, p.34). Difficulties that appear when determining the reporting boundary could include whether the report includes information obtained from others, how to design procedures regarding this information and how sufficient appropriate evidence can be obtained.

Relying on internal control mechanisms is also an issue in Integrated Reporting. Practitioners adopt a control reliance strategy when auditing financial statements during the planning phase of the audit. Since Integrated Reporting can be based on other systems than only financial systems, it is difficult to adopt a control reliance strategy. Questions that may arise include whether the strategy is appropriate or not and if the different types of information (systems) can be tested.

(15)

The IIRC (2014b) argues that it would be helpful if assurance guidance of connectivity were addressed. It is important that sufficient connectivity is established in an integrated report regarding the nature and extent of procedures, as well as to information outside the integrated report.

How to assess completeness in an integrated report is also an assurance issue. More principle-based guidance should be developed in order to answer this question.

Some disclosure in an integrated report might be referred to as narrative reporting. To limit the potential for subjectivity – as this may require a high degree of professional skepticism and judgment – evidence on matters such as future orientation and risk reporting should be enclosed. An integrated report should therefore disclose “how key stakeholders’ legitimate needs and interests are understood, taken into account and responded to” (IIRC, 2014b, p.20).

Because an integrated report reports on a variety of aspects of an organization, it is unlikely that the assurance practitioner has experience on all these aspects. Therefore, it is very likely that an integrated report includes work of others – experts, other assurance practitioners, internal auditors. To be able to place reliance on the work of others, it is important to consider whether there is access to the evidence of the work of others and to consider the assurance quality, materiality and risks, and context of the work of others (IIRC, 2014b).

It is important to consider the above described issues when performing risk assessments for new forms of assurance as IR. The next section elaborates on the role of risk management in new forms of assurance.

2.2 New forms of assurance

Auditing has changed dramatically over the past four hundred years. Where in the 1500s and before the main task of auditing was to detect fraud, nowadays it is more important to determine that the financial position of an organization is stated ‘true and fair’ (Brown, 1962). Professional (Big Four) accounting firms traditionally are active in business areas as auditing, taxation, and insolvency (O’Dwyer, 2011). Over the past two decades, these firms have successfully tried to penetrate new markets such as environmental auditing and more recently sustainability reporting. Because of the growth and international attention for new non-financial forms of reporting – such as sustainability assurance – it is becoming more and more

(16)

important to see how assurance practitioners have attempted to construct a new form of assurance on these forms of reporting and furthermore, how it can be made auditable.

Power (1996, 1999) argues that it is the practitioners that make new areas auditable. In this case, the practitioners are Big Four accountants and non-accountant assurors – specialist consultancies and certification bodies. To make it possible to audit new markets, stable and legitimate knowledge should be applied to an auditable environment (O’Dwyer, 2011). The findings of O’Dwyer (2011) on the case of sustainability assurance show that this is achieved on a trial and error basis. The difficulties of attempting to provide assurance in non-financial reporting such as sustainability reporting include that it involves a lot of qualitative data (instead of quantitative data in financial reporting) for which the traditional audit techniques cannot be applied.

Current guidance on providing assurance for non-financial reporting is vague and underdeveloped. For example, AA1000S and ISAE 3000 have developed some broad parameters for non-financial data, but lack to provide detailed guidance to different reporting contexts (O’Dwyer, 2011). The IAASB attempted to create a sustainability assurance standard, but it cannot be used for every organization because “the relevance of [sustainability-related] issues changes over time” (p.57) and does not address all of the assuror’s concerns (Wallage, 2000).

The difficulties of providing assurance as discussed above and the current vague guidance makes the assessment of non-financial reporting highly subjective and judgmental, and reliant on “feeling” and tacit knowledge. O’Dwyer (2011) argues that in order to improve assurance clients should help to create auditable environments and implement adequate information systems. To develop this, assurors should first rely on their experience in financial audit and use their financial audit training and techniques – e.g. hard performance data – and on internal control procedures, in order to gain forms of expertise that could drive more innovative assurance practices, because knowledge and experience are built during the process (Wallage, 2000).

2.2.1 Legitimacy of new assurance forms

Legitimation processes and issues of legitimacy are essential in both developing and understanding assurance practices (O’Dwyer et al., 2011). The objective of legitimation processes is to justify the work professions undertake and how it is undertaken. In these

(17)

processes different values – including individual, political and economic values – are used to legitimate work or practices.

The definition of legitimacy is not clearly developed. Power (2003a) argues legitimacy is the co-evolution of audit/assurance practice and legitimations of practice, but a clear meaning of terms as ‘legitimate’ and ‘legitimacy’ is not given. Suchman defines legitimacy as “a generalized perception or assumption that the actions of an entity are desirable, proper or appropriate within some socially constructed system of norms, values, beliefs and definitions” (1995, p.574). He further says that legitimacy is a case of how observers perceive an organization, so legitimacy is possessed objectively, but created subjectively. The broad and/or unclear definition of legitimacy makes it possible to agree phenomena with a legitimacy explanation while it should not. A legitimation process should be developed carefully to account for this. This involves identifying key audiences and employing various strategies to gain support (Abbott, 1988; Suchman, 1995). When developing new assurance practices, three key audiences can be identified. The audiences include audit/assurance clients (auditees), the ‘external world’ and the ‘internal world’. The ‘external’ world contains non-client users of the audit reports/assurance statements, where the ‘internal world’ comprises internal audiences within auditing or assurance firms (O’Dwyer et al., 2011).

To secure legitimacy with the first key audience, ‘clients’, new audit methodologies were developed to provide assurance for the client. This includes new/improved, ‘auditable’ internal information systems to create auditable environments, and accounts/reports being discussed within the audit process by auditees and auditors with the result that those accounts/reports are co-produced by both parties (Power, 1996). To legitimize new assurance practices with the ‘external world’ it is important that practitioners create and manage the expectations of potential users. To do this, users should be educated – especially since prior research has shown gaps in expectations in new forms of audit such as sustainability and environmental audits (Power, 1999). Securing legitimacy with the third key audience, the ‘internal world’, is often ignored in prior research (Kumar & Das, 2007), but very important because securing legitimacy can be difficult even for auditors within their own professional service (O’Dwyer et al., 2011).

In order to develop a new form of assurance, it is furthermore important to employ various strategies to gain support from the key audiences. Suchman (1995, pp. 587-592) recognizes three forms of strategy to build legitimacy: the first form involves efforts to

(18)

environment; the second form regards efforts to select among multiple environments in pursuit of an audience that will support current practices; and the third form is about efforts to

manipulate environmental structure by creating new audiences and new legitimating beliefs.

The first strategy to build legitimacy, a conformist strategy, is perceived the easiest, because managers only have to position their organization within a preexisting institutional system. The second strategy is more proactive than the first and is used if managers want to avoid their organization to have the same image as the environment. In this form of strategy, selecting an environment that will grant the legitimacy of the organization (taken-for-grantedness) is the simplest. The third strategy, manipulate environments, is the most difficult way to build legitimacy and will only be used if the first and second strategy do not suffice. This is the case for innovators or innovative environments – they often need to intervene in a cultural environment in order to create foundations of support. Concrete examples of this strategy are advertising, lobbying and scientific research.

2.2.2 The role of Risk Management

As discussed above, securing legitimacy with the ‘internal world’ is very important but often ignored even though the development of non-financial reporting is heavily influenced by the ‘internal world’. Within the ‘internal world’, especially the Risk Department of a professional service firm plays an important role because this department is responsible for approving all assurance practices and statements of all professional services of the firm by making a risk assessment. O’Dwyer et al. (2011) identify several issues or threats and potential solutions for achieving internal legitimacy for sustainability assurance. This is not the same as IR, but provides a good example of how risk management plays a role in new forms of assurance.

Traditionally, the Risk Department assesses risk for financial data/reports. When professional firm assurors started to try to provide assurance on non-financial data/reports, such as sustainability reporting, they asked the Risk Department for a risk assessment on this – often qualitative – data/reports. This lead to a difference of opinion between the assurors and Risk Department colleagues on the level of risk attached to this kind of data/reports. It appeared that the Risk Department often failed to “fully understand the ‘true’ nature of sustainability assurance or the credentials that they [assurors] as specialists in the field brought to this work” (O’Dwyer et al., 2011). Because of the different knowledge and concepts used by the two departments the Risk Department often identified sustainability reporting as high risk, which resulted in a ‘limited assurance’ level, although the amount of

(19)

work performed would suggest otherwise. The Risk Department argued that reasons for high risk assessment on such assurance engagements were the potential legal and reputational risks which could lead to litigation and the high level of professional judgment as a result of the nature of the data – qualitative – and the absence of an agreed framework. The two departments did agree on the fact that non-financial assurance differs from traditional financial assurance, so that the financial audit methodology cannot be copied for non-financial reporting such as sustainability reporting or IR.

The key to a more successful cooperation between assurors and the Risk Department lies in more direct, ongoing contact between the two. Discussions around the nature of assurance statement structure and content should take place in order to clarify the ‘true nature’ of sustainability assurance. Part of convincing the Risk Department involves assurors attempting to legitimate their own credentials. O’Dwyer et al. (2011) argue that an important role could be for an auditor in the sustainability assurance department who formerly worked as a financial auditor. He can act as a bridge between the Risk Department and the assurors, because he is comfortable with accountant’s language and able to compare risks of sustainability assurance to risks of financial assurance. In the case of the O’Dwyer et al. paper (2011) the assurors were very experienced, which helped the Risk Department to place greater trust on their professional judgment – as discussed above another issue in achieving internal legitimacy. O’Dwyer et al. (2011, p.48) conclude from their case study that in order to achieve internal legitimacy, the sustainability assurance report structure and content should be somewhat standardized, allowing for greater expansion in content and more scope for positive opinions.

In section 3 the theory used for this thesis will further elaborate on the role of risk management in legitimizing new forms of assurance. Therefore Powers book ‘The Risk Management of Everything’ (2004) will be used.

(20)

3 Theoretical framework of the paper

The objective of the paper is to gain an understanding of the role of risk management in (the process of) Integrated Reporting. As discussed in paragraph 2.2.2, the internal world of a professional service firm – and especially the risk management department – plays an important role in securing legitimacy of a new assurance form. The risk management department makes risk assessments for all assurance engagements, financial and non-financial. If the department does not fully understand the true nature of a non-financial engagement, it is more likely that the engagement will be assessed as high risk while it should not be regarding the work performed. To minimize the knowledge and understanding gaps between the risk management department and the respective assurance department, ongoing communication is a key (O’Dwyer et al., 2011).

To further develop an understanding of the interaction between the two above described departments and what importance should be placed on risk management in the provision of assurance on integrated reports, this research will be conducted using theory on the emergence of risk management. The main focus of the theory used in this thesis will be Power’s 2004 book “The Risk Management of Everything”. With this title, Power means “that more events and things are being seen and described in terms of risk” (p.13). The important question related to this is “how do we know risk and what are the social and economic institutions which embody that knowledge?” (p.14).

3.1 Introduction to Risk Management

The foundation for risk management lies in the fact that organizational practices need to deal with uncertainty. Scandals and crises of the past ten years have been facilitators for broadening the scope of risk management, involving both traditionally areas as health and safety and new objects of concern. In addition, the view on organization governance and corporate responsibility changed and together with technological changes in information systems, new risk management possibilities arose. As a result, risk analysis has been incorporated within a larger accountability and control framework and a ‘good’ organization is one that has “a broad and formal risk management programme” (Power, 2004, p.11).

Power (2004) further discusses the increasing attention for secondary risks compared to primary risks. The latter, also called real risks, are a firm’s risks for which experts have knowledge and training. These risks are accounted for by an internal control system, such as compliance violation alerts, and thereby become system risks that are easy to understand and

(21)

follow. The former however, shows a shift in the risk culture, because experts are being made increasingly accountable for what they do and therefore are now becoming more preoccupied with managing their own risks (p.14). Power (2004) provides a clear example to distinct primary and secondary risks. He argues that in case the CEO of a firm incurs, but does not pay personally, parking fines. The primary risk to the firm, financial loss in this case, is probably very small and not material. The secondary risk however is much higher, because the reputation of the firm is at stake.

Especially reputational risks are becoming more significant and the concept of materiality to that respect changed; financially immaterial events could have huge influence on the organization. As O’Dwyer et al. (2011) argued, the higher the probability on reputation loss, the higher the risk of litigation. Professional service firms would want to avoid litigation at all times and therefore will be more preoccupied with managing their own (reputational) risks. In that way, professional service firms try to predict and respond to a future they cannot know. “A new politics of uncertainty” (Power, 2004, p.15) is required to cover this shift. 3.2 The manifestation of Risk Management within organizations

Risk management is focused on outcomes and performance in both the public and private sector. In both sectors, risk management is part of a new style of accountability and organizational control. It can be argued that the state (public sector) is becoming a risk management state, but since this thesis focuses on the private sector, this will not be elaborated.

In the private sector, organizations try to link investments in control activities to organizational objectives and furthermore focus on enterprise-wide risk management (ERM). Before the Sarbanes Oxley Act (SOX) was enacted in 2002, internal control could be seen as some kind of organizational common sense. After 2002, internal control systems became more risk-based. Good internal controls on a wide range of areas were regulatory incentivized. Examples of these areas are business continuity, solvency and capital adequacy, safety, health care, environment, etcetera. As a result, private internal control is now an issue for public policy and formal law. The fact that internal control systems became more risk-based caused that risk management was broadened into every aspect of the organizational life.

Power (2004) identifies three answers to the questions why private internal control has become so public and why internal control changed into risk management. First, he argues that ideas on regulations became more risk-based itself. This means that regulators

(22)

acknowledge that failure is possible and they therefore are more preoccupied with their own secondary risks. A second answer can be found in insurance. When risk management – especially regarding secondary risks – becomes more important, organization would want to try to transfer risk as much as possible. But specifically for reputational and political risks this is difficult, which makes organizations want to self-manage these risks as well as possible. A third answer to the question lies in the response of organizations to the scandals and crises over the past decade. Organizations created new risk accountability structures to provide public and private reassurance. For instance, conditions for risk inspection were created by the International Safety Rating System. Via the inspection of control systems the auditing a public control is achieved.

Over the past decade the private world of internal control systems changed tremendously and was formed towards risk management. The next paragraph focuses on the troubles or risks of this change.

3.3 The risks of Risk Management for organizations

As a consequence of the increasing attention towards secondary or reputational risks, ‘operational risk’ was invented. The Basel Committee, the transnational policy body for banking supervision, defined operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events (2001). This definition can apply to a wide range of areas within an organization, and therefore has helped organizing a new, broader approach to risk management. Moreover, operational risk characterizes the new risk management wherein the goal is to “make visible and manageable essentially unknowable and incalculable risks” (Power, 2004, p.30).

Naturally, the move from organizations focusing on primary social and economic risks to secondary personal and reputational risk is not without any risks itself. Power discusses a potential worst-case scenario wherein expert judgment only is some form of defendable compliance. This would cause some “major risks to society in which the most pressing and unpredictable problems cannot be solved without the effective clarifying of expert knowledge and judgment” (2004, p.42).

A first risk can be found in internal control systems itself. These systems are getting more and more complex, trying to incorporate every aspect of the organization. But these controls are a result of subjective developers and therefore hard to control. Furthermore these systems are inward looking and could be based on wrong assumptions of what the public

(23)

wants to be assured. Last, internal control systems did not prevent past crises, and even with continuous improvement, it is to be expected that they cannot prevent those in the future. Another worry, regarding reputational risks, is that organizations may get over-responsive to public concerns and begs the question ‘how responsive firms should be’. The growth of secondary risk management should be limited; the paradox in this is that if everything may impact on an organization’s reputation, the risk management of reputation is the risk management of every other aspect of the firm.

3.4 Introduction to intelligent Risk Management

A solution to above described troubles in ‘new’ risk management can lie in ‘intelligent risk management’. The challenge for policy-makers is to find the right balance between risk management and internal control in order to create a legitimate ‘intelligent risk management’ system. This concept suggests that risk management should focus on balancing quantitative techniques and models, and more qualitative principles such as narrative and images. Examples of the latter are scenario building, where (risk) managers identify possible risk events and think of solutions, and so-called ‘risk talks’ organized by the Board, to map and discuss risks critically. The idea is to create a wider organizational narrative of a particular risk that transcends the formal control systems. An appointed risk expert should guide this process.

Now, organizations try to cover or transfer risks as much as possible, and do so by using quantitative complex systems. Intelligent risk management will “embed [these] quantitative techniques in organizational learning processes and diagnostic stories, whereby retrospective accident and error analysis can be harnessed for future planning” (Power, 2004, p.55).

For intelligent risk management to be implemented successfully, it should meet the following conditions. First, as argued above, (quantitative) control systems should not be the only thing managers pay attention to. Instead, it should be part of broader organizational narratives of uncertainty. Second, risk management should be characterized less by rules-based systems, and more by learning and experiment. It should be less organized in systems and more ambiguous. It should focus less on quantitatively trying to predict the future but more on qualitative capacities to imagine alternative futures. A critical note that should be mentioned is that a widespread realization of intelligent risk management faces many barriers. For instance, SOX legislation obligates risk management to be strict and rules-based.

(24)

The above described change in risk management over the past decade provides a basis to examine the role of risk management in new audit space Integrated Reporting. Internal control systems became more risk-based and good internal controls on a wide range of areas were regulatory incentivized. With the emergence of IR, again new aspects should be risk-assessed and accounted for in good internal control systems. This theory helps in order to answer the research question of this study – what is the role of risk management in IR – by describing the growing importance of risk management for organizations. It furthermore clearly identifies areas that should be included in risk management in order to be complete. Examples of these areas are business continuity, solvency and capital adequacy, safety, health care and environment. These areas can be matched one-to-one to the areas that the IIRC discusses to be included in an integrated report.

(25)

4 Research methodology

In this chapter, the research methodology is discussed. First, the difference between quantitative and qualitative research is briefly described, followed by the reasoning of the choice for qualitative research. The research method is elaborated in section 4.2. In section 4.3 the research design is explained; the setup of the interviews is discussed, followed by the people interviewed. In the last section, the data analysis is elaborated.

4.1 Quantitative versus qualitative research

In the field of research, quantitative and qualitative research can be distinguished (Ahrens & Chapman, 2006). The main differences between the two are summarized in table 1 below. There is no superior methodology since the chosen methodology depends on the preferences of the researcher (O’Sullivan, 2010).

Table 1: Distinctions between Quantitative and Qualitative Research

Quantitative Qualitative

Numbers Words

Point of view of researcher Point of view of participants

Researcher distant Researcher close

Theory testing Theory contextual and/or emergent

Static Process

Structured Unstructured

Generalization Contextual understanding

Hard, “reliable” data Rich, deep data

Behavior Meaning

Artificial settings Natural settings

Source: O’Sullivan, 2010, p.67

The difference between the types of methodologies can be found in the knowledge the researcher has in the certain research field. A quantitative researcher wants to define or explain what is seen in the field, while a qualitative researcher wants to describe the field as a social reality by observing. With qualitative research, there is interaction between the researcher and the field. The researcher might not be able to control his observations, but he can learn from unexpected interactions with the field (Roethlisberger and Dickson, 1949).

(26)

4.1.1 Criteria of qualitative research

In order to be able to evaluate the quality of qualitative research, criteria as authenticity and trustworthiness are proposed (Bryman, 2008). Authenticity is achieved when the true viewpoint of participants are presented in the research (Lincoln & Guba, 1985). Trustworthiness consists of four different aspects: credibility, conformability, dependability and transferability. The first, credibility, is achieved when the findings represent the truth. The second, conformability, relates to the objectivity of the researcher. The outcomes of the research should not in any way be influenced by the researcher. The third aspect is dependability. This is achieved when the researcher’s findings are applicable to other times. The last aspect, transferability, is achieved when the researched is able to apply his findings in other situations as well.

In this research, respondent validation is applied. This means that the findings are returned to the participants to confirm the findings.

4.2 Research method

Since the concept of IR is a recent field of study, prior research is still limited. This study is explorative in developing an understanding of the role of risk management in IR. Qualitative research is used to be able to develop an in-depth understanding on these matters and is therefore seen as an appropriate method for this new research area. More specifically, interviews are conducted to develop an answer to the research question. In this case study, interviews are conducted with interviewees from the Sustainability Assurance Department (SAD), responsible for providing assurance and giving advice on Integrated reports, and with interviewees from the Risk Management Department (RMD).

Three interview methods can be distinguished: unstructured, semi-structured and structured interviews (Patton, 2002). When an unstructured interview is conducted, no interview outline is used. Nothing is set beforehand, so the interview is very open. A semi-structured interview is done when the interview outline consists of open questions, and the interviewer is given room to interact and differentiate from the interview outline. The answers to the questions are open. Structured interviews have an interview outline with a yes or no answer. This method is mostly used in quantitative research (Patton, 2002).

In this study, semi-structured interviews are used. Clear themes and some questions are set up front, but when other relevant questions come to mind during the interview or the

(27)

interviewee brings up related subjects, it is included in the interview as well, in order to develop a thorough understanding of the researched matters.

4.3 Research design

In this section, the research design is discussed. First, the way the interviews were conducted is further elaborated. Second, the interviewees are introduced; how and why they were chosen and how the researcher got in contact with the interviewees.

4.3.1 Interviews

In order to conduct semi-structured interviews, interview outlines were developed. With an interview outline, the researcher is able to ask precise questions and to respond fast to relevant questions to be provided with as much information as possible. The questions in the interview outline are developed in such a way that the research question of this study can be answered. The interview outline is divided in themes that relate to the research question, each theme then exists of more specified questions to cover the theme. The themes included in the interview outline are: general, with questions regarding the interviewee personally, the firm (GZP) and his or her department; guidelines and frameworks, with questions regarding used guidelines and frameworks for risk management and integrated reporting, the way they are trained in these guidelines, the usefulness and history of the guidelines; the role of risk management in reporting (generally), with questions regarding risk assessments and how departments work together internally to do these risk assessments; a specific theme for RMD and SAD, where the RMD part includes questions relating to their experience with risks in IR (and other forms of non-financial information) and how a risk assessment to such an engagement is established, and where the SAD part includes questions regarding the development of IR, how assurance on integrated reports is provided and which available guidelines are used to do so. The last theme, applicable for both departments, regards the perspective of the interviewee on the future of IR and how risk plays a role or is going to play a role in this. The final interview outline (that changed a bit during the process of conducting interviews) can be found in appendix B.

In the process of conducting interviews, it appeared relatively quick that the literature and theory as discussed in chapter two and three, does not correspond to the answers given by the interviewees. Therefore, over the course of the interviews, the questions where changed to more relevant questions, including discussing with the interviewees why the role of the risk

(28)

management appeared to differ from literature in practice. In this way, an answer to the research question could be formed, although the results are quite different than expected.

The interviews took place between the 21st of April and the 7th of May, 2015. The interviews were conducted in Dutch, except for one that was conducted in English. The interviews were recorded by a mobile recording device. The interviews took place at the office of GZP.

The recorded interviews were transcribed using software of Atlas.ti. The finished transcripts were sent to the interviewees to be confirmed. This confirmation is important to make sure the interviews provide a ‘true and honest’ view of the opinion of the interviewees.

4.3.2 Interviewees

In total nine interviews were conducted with interviewees from SAD and RMD of GZP, in order to develop an in-depth understanding on the role of risk management in IR from different perspectives. Four interviews were conducted with interviewees from SAD and five with interviewees from RMD, from which one also works on project basis at SAD. The interviewees of different function levels and different work experiences were selected, so the department as a whole is represented as complete as possible. When the interviewees were contacted, a brief explanation of the study and the aim of the study were provided to manage expectations upfront. The interviewees were assured that the interviews would be conducted anonymously, so they could answer as free as possible. In table 2 an overview of the interviewees is provided. The interviewees are named ‘I1’ to ‘I9’ to assure anonymity.

Table 2 Overview of interviewees Number

interview

Department Function Location of Interview

Date Duration

I1 SAD Manager Amsterdam April 21 46 min

I2 RMD Advisor Amsterdam April 23 33 min

I3 RMD Senior Advisor Amsterdam April 24 37 min

I4 RMD Advisor Amsterdam April 29 41 min

I5 SAD Partner Amsterdam April 29 29 min

I6 SAD Senior Auditor Rotterdam April 30 38 min

I7 SAD Senior Advisor Amsterdam May 1 26 min

I8 RMD Senior Advisor Amsterdam May 6 33 min

I9 RMD/SAD1 _{Senior Advisor} _Amsterdam _{May 7} _{37 min}

(29)

SAD is divided in two sub departments; an advisory part and an assurance part. In total SAD consists of approximately 50 employees, from which 15 are part of the assurance cluster. Three interviews were conducted with interviewees from the assurance cluster and two with interviewees from the advisory part. Those two are both experienced in assurance as well. GZP was selected to do the interviews at because it is one of the first Big Four firms to have a separate sustainability assurance department that focuses on IR. The Netherlands is one of the most developed countries regarding IR, so therefore the interviews were conducted at Dutch offices of GZP.

4.4 Data analysis

It can be a challenge to retrieve relevant, reliable data from qualitative research (O’Dwyer, 2004). As discussed above, the recorded interviews are transcribed with the use of transcription software of Atlas.ti. With this software, you are able to rewind your recording to make sure you transcribed the spoken text correctly. Finished transcriptions provide the researcher with much, unstructured data. To be able to draw conclusions from this data, the method O’Dwyer (2004) offers is used. This method consists of three phases: data reduction, data display and data interpretation. These phases are discussed separately below.

4.4.1 Data reduction

The first phase of data analysis consists of three steps itself. Data reduction first involves getting a general overview, which means listen to the recordings and read back the notes made during the interview. This helps to identify potential key findings. In the next step, recording initial themes, important themes can be identified. Here it is important the themes in mind that were perceived important upfront, and analyze if new important themes arose. Codes are used to mark the different identified themes. In the last phase of data reduction, the reflection phase, all transcripts are read carefully to see if all important themes are covered in the codes.

4.4.2 Data display

To be able to display retrieved data in a structured manner, a matrix is developed. This matrix includes the identified important themes and related codes and the number of times the codes are mentioned by the interviewees. The matrix is provided in Appendix C.

(30)

4.4.3 Data Interpretation

The last phase of data analysis consists of several steps. First, it is important to review all used data, methods and notes again to make sure nothing is missed and a ‘big picture’ is seen. Next, the information from all previous steps is used for a ‘thick’ description of the findings. This is followed by contextualizing the ‘thick’ description, to make clear that analyzing data is not a straight-forward process. This is important to convince readers that the retrieved information gives a true and fair view of the observations. Last, the story from the data needs to be written by ‘employing the analytical lens’. Important themes and key findings are used as a lens to report the analyzed data. This story can be seen as a summary of the interview transcripts, supported by interview quotes.

(31)

5 Research findings

In this section the research findings are presented. The findings can be divided into the five main themes of the interviews. First, a brief description of the interviewed departments is given to develop an understanding of the setting. Next, the guidelines and frameworks used by the departments to assess risks are elaborated. Third, the role of risk management in reporting in the case of GZP is discussed, which includes a general description of risk management within GZP and a more specific description of risk management in Integrated Reporting within GZP. Thereafter, the understanding of risk management during the audit of an Integrated Report is deepened. Last, the future of IR as perceived by the interviewees is discussed and needed change to improve IR is elaborated. These themes and the relating codes can be found in Appendix C.

5.1 Departments

As discussed in the previous chapter, the interviews were conducted with interviewees from two departments of GZP: the Risk Management Department (RMD) and the Sustainability Assurance Department (SAD). The interviewees were first asked some general questions about personal matters as work experience and education and questions regarding the firm and department they work for. To provide with some contextual background, characteristics of both departments are first discussed.

SAD consists of approximately 50 workers, from which 15 work within the assurance cluster and 35 within the advisory cluster. The department exists only 2 to 3 years. The education of people within SAD is much differentiated.

“You should distinguish the assurance cluster from the advisory cluster. Within

assurance, most people come from the traditional financial audit, with maybe some exceptions. But the distinction with advisory is much bigger, there they have for example people with an IT or CSR background. You also see a difference in way of thinking there, but the different aspects of advisory projects asks for different-schooled people.”(I6, SAD)

“Within the assurance cluster, the client says, this is what we have done, could you

provide assurance so that our stakeholders know it gives a true and fair view. Within the advisory cluster, the client can have very different questions. For example, a

(32)

client wants to include sustainability in their strategy and asks SAD for help.”(I7, RMD).

Within the assurance cluster, assurance is provided to non-traditional reports. Examples of these are sustainability and integrated reports, and other kind of non-financial reports or information.

“Providing assurance can be difficult sometimes, because everything is so new. Not only

for us, but especially for the firms. Where in financial audit everything is more or less set, here providing assurance can be a search.” (I1, SAD)

The advisory cluster advises clients on their non-financial information issues. An example is the transparency benchmark, which is introduced by the ministry of economic affairs.

“It tests how transparent firms report, especially related to non-financial performance. GZP was asked to judge annual reports on the non-financial characteristics of the benchmark.” (I9, RMD/SAD)

RMD is part of the Advisory department of the Netherlands and Belgium. In total, this department consists of approximately 400 workers, from which 300 work in the Netherlands. RMD has 70 workers, from which 38 work in the Netherlands. The cooperation between Belgium and the Netherlands is not very intense yet, but goal is to intensify this over the next 5 years. Within RMD, three subdivisions can be distinguished.

“First, you have internal audit. This seems to be close to external audit, but external audit mostly has a financial view while internal audit has a more operational view. We can, for example, give recommendations that something might be inefficient, while with external audit the focus is on financial risks. Furthermore, we do not only audit financial aspects of a firm, but also for example an HR or IT department. Second, you have GRC, Government, Risk and Compliance. Here we look at how risk management is built, including typical functions related to this – for example business continuity management and internal audit. Last, we have internal control. This includes the controls in processes and if those are complete and correct. We do not only say if

(33)

something is correct, but also give advice on how something should work and what should be changed.” (I3, RMD)

In this section, a clear understanding is developed regarding the context of the departments the interviewees work at. In the next section, guidelines and frameworks the departments use are elaborated.

5.2 Guidelines and frameworks

The above described departments use several guidelines to make sure their work is in accordance to applicable laws and regulations, both externally as internally imposed. At RMD, COSO is perceived to be the most important guideline. Furthermore the ISO guidelines (International Organization for Standardization) are used intensively and for internal audit the IIA (Institute of Internal Auditors) is followed.

The frameworks and guidelines used by SAD are more related to the provision of assurance on non-financial information such as IR. For such projects two guidelines are used most. First, GRI (Global Reporting Initiative) is used extensively. GRI is the current endorsed standard for sustainability reporting which mission is “to make sustainability reporting standard practice by providing guidance and support to organizations” (GRI, 2015). Additional guidance is provided by NV COS, the Dutch additional regulations on auditing and other standards.

The IR Framework as developed by the IIRC is not used (yet) by GZP because it is not fully developed and endorsed yet.

“If the Framework is not fully developed for reporting yet, it is very difficult to use for assurance as assessment guideline. So we still use GRI, although we are struggling a lot with that. Because organizations are starting to prepare integrated reports according to the Framework of the IIRC, but we cannot test according to that. The thing we do is using elements of the Framework, because GRI does not cover all matters of an integrated report. In a report we add a statement that says: we test according to GRI and the internally developed reporting criteria from organization X that are further explained on page X. In those criteria the company can state they use certain elements of IIRC.” (I1, SAD)

The role of risk management in integrated reporting

Amsterdam Business School