“An analysis of the risk paragraphs of listed companies in the Netherlands”

Academic year: 2021



Reporting Risk

“An analysis of the risk paragraphs of listed companies in the Netherlands”

by

Jelger Thomas Groenland

August 2005

University of Groningen, the Netherlands
Faculty of Management and Organization

Supervisors

Dr. J. H. von Eije, Faculty of Management and Organization, University of Groningen

Drs. R. M. Daals, Manager, Deloitte Enterprise Risk Services

Drs. D. Schaap, Faculty of Management and Organization, Department of Business & ICT, University of Groningen


Dedicated to my family:

Vincent, Trudai, Tobias and Nolan.


Table of contents

Table of contents
Preface
Management summary
Introduction
Chapter overview

Chapter 1 Methods
1.1 Research Question
1.2 Investigative questions
1.3 Conceptual model
1.4 Supervision
1.5 Deliverables
1.6 Sources

Chapter 2 Deloitte Enterprise Risk Services
2.1 Introduction to Deloitte
2.1.1 Deloitte International
2.1.2 Deloitte Netherlands
2.1.3 Deloitte Enterprise Risk Services
2.2 Deloitte Enterprise Risk Management Practice (not available)
2.3 Conclusion

Chapter 3 Enterprise Risk Management
3.1 Introduction
3.2 Risk
3.2.1 Risk as both opportunity and threat
3.2.2 Definitions of risk
3.3 Evolution towards Enterprise Risk Management
3.3.1 Definitions of ERM
3.4 Conclusion

Chapter 4 Enterprise Risk Management Spectrum
4.1 Introduction
4.2 The Deloitte Risk Map
4.2.1 The external environment
4.2.2 The competitive environment
4.2.3 The internal environment
4.3 Conclusion

Chapter 5 Research Design
5.1 Research population selection
5.2 Data collection
5.2.1 Data from the risk paragraph
5.2.2 Data on weekly share prices
5.2.3 Beta and standard deviation
5.3 Data preparation
5.3.1 Numbering of industry and sub-industry
5.3.2 Preparation of the financial data
5.4 Design of the qualitative analysis
5.4.1 General analysis
5.4.2 Deloitte Risk Map analysis
5.5 Design of the statistical analysis
5.5.1 Reporting on risk
5.5.2 Calculating new variables
5.5.3 Techniques
5.6 Data level
5.7 Validity, reliability and practicality

Chapter 6 Empirical findings and limitations
6.1 Qualitative analysis
6.1.1 Companies per industry
6.1.2 Corporate Governance and Risk Paragraph
6.1.3 Number of risk pages and percentage of the annual report
6.1.4 Risk and control framework
6.1.5 Reference to other sources
6.1.6 Individual risks
6.1.7 Other findings
6.1.8 Conclusion
6.2 Statistical analysis
6.2.1 Regression: percentage risk paragraph
6.2.2 Spearman’s rho
6.2.3 Regression: Enterprise risks (dummies)
6.2.4 Pearson’s correlation
6.2.5 Regression: total risks and total controls
6.2.6 Conclusion
6.3 Limitations

Chapter 7 Conclusion and recommendations

Bibliography
Index
Index of tables, figures and graphs


Preface

This thesis is a product that follows from an internship at Deloitte Enterprise Risk Services (ERS), a department that conducts risk assessments and the implementation of risk management systems for organizations. The thesis will conclude my Business study at the University of Groningen.

The internship and the writing of this thesis have been an interesting and educational time for me, both from an academic and a personal perspective. Not only did I have the opportunity to apply the theories that I learned during my study, but I also experienced what it is to be in a working environment.

During this period, several people have assisted me and advised me during the creation of this product. First of all I would like to thank Drs. Ralph Daals, my supervisor at Deloitte, for his time and dedication to help me create this thesis. I would like to thank him for all the feedback that he provided and all the insights that he shared. I would also like to thank Drs. Dick Schaap, for his help and support.

My special thanks go to Dr. Henk von Eije, my supervisor at the University of Groningen, who has helped me tremendously with his support, his knowledge and his broad experience. I want to thank him for guiding me through the process when things were tough.

Jelger Groenland

Amsterdam, August 2005


Management summary

As part of the broad discussion about corporate governance, enterprise risk management is becoming more important for organizations. Enterprise risks can affect the achievement of organizational goals and companies are required to foresee these risks and communicate these risks to the external stakeholders, particularly the shareholders of the company.

The demand for transparency and integrity in corporations has increased dramatically. It is considered the basis for good corporate governance (Dutch Corporate Governance Code 2003, p. 3). As an effect, many developed countries in the western world introduced rules and regulations for corporate governance. In the Netherlands, the Commission Corporate Governance published a code in December 2003. Legislation on corporate governance, and the incorporation of the risk paragraph in the annual reports in particular, is relatively new. In the Netherlands, the legislation was effective for the annual reports of 2004. The code states that listed companies in the Netherlands should report on their internal risks and controls. Because of these regulations, companies have included a “risk paragraph” in the annual report since 2004. The risk paragraph is the subject of this research.

In this thesis 136 annual reports of Dutch companies listed on the Euronext stock exchange were analyzed. The main focus was the risk paragraph of the annual reports. Two research questions were formulated:

Research Question 1

“To what extent are companies reporting on enterprise risk and enterprise risk management in their annual reports and which types of risks do they report?”

Research Question 2

“How does reporting on risks relate to return, beta and the standard deviation of the share prices of these companies?”

Before designing the research, three topics were addressed to provide a theoretical background.

First the Deloitte Enterprise Risk Management Approach was described, which showed how enterprise risk management is evaluated. Second, the theoretical background of enterprise risk management was identified. This showed that enterprise risk management evolved from the traditional approach to an integrated, holistic approach.


The third step was to identify the spectrum of enterprise risk management. This was done by introducing the Deloitte Risk Map. The Deloitte Risk Map contains 21 risk categories and provided a comprehensive and useful overview of the spectrum of enterprise risks. This tool was later used for the analysis of the risk paragraphs.

The research was designed in two stages. The first stage was the qualitative analysis. The risk paragraphs of annual reports of 2004 were checked whether:

1. it addressed Corporate Governance,
2. a risk paragraph existed,
3. the company addressed its internal risk and control system,
4. the company described the internal risk and control system,
5. the company described the individual risks in the risk paragraph, and
6. there was a reference to another source of enterprise risks for the company.

Also, the number of pages of the risk paragraph was counted and calculated as a percentage of the annual report. Next, the Deloitte Risk Map was used to check which risks the company addressed and whether it also reported an action toward that specific risk. This was conducted on an ordinal scale. There were three possible outcomes for each category: “No Risk” (0), “Risk, no control” (1) and “Risk and control” (2).

The results show that 92 percent of the companies had a chapter about corporate governance; only 8 percent did not. In 77 percent of the cases, the companies did have a risk paragraph. This means that 23 percent of the companies did not report enterprise risk in their annual report. The companies that report enterprise risk only dedicate a few pages to the topic. On average, the number of pages used for the risk paragraph was 2,89. Compared to the annual report as a whole, companies used an average of 2,74 percent of the annual report for the risk paragraph. The findings also showed that most companies reported their enterprise risk management approach. They reported their approach by communicating the risk and control framework that was in place in the organization. Most companies, 69 percent, addressed a risk and control framework in their annual report. Only 56 percent provided a description of this framework. Further findings showed that some companies made a reference to their website or their 20-F statement with regard to enterprise risks, but most risk paragraphs did not contain a reference.

The results of the individual risk analysis showed that the risks addressed most frequently arose from economic factors / financial markets, the firm infrastructure, technological developments and legal and trade regulations. In general, the reporting on risk showed a very diverse and non-uniform picture. The quantity, intensity and methodology of risk reporting all differed between the companies.

The statistical analysis was conducted with SPSS 13. Five distinct tests were done.

1. First, a single regression analysis was conducted with the percentage of the risk paragraph as the independent variable. The dependent variables were: the standard deviation of the share price, the beta, the average weekly return on shares from January 2004 to June 2005, the average weekly return on shares for 2004 and the average weekly return on shares from January 2005 to June 2005. No significant results could be found.

2. The next test was a Spearman’s rho test for the five dependent variables addressed above and the 21 risk categories. Some categories showed a significant correlation (2-tailed) with the average weekly return on shares from January 2005 to June 2005. The economic environment / financial markets category showed a positive correlation coefficient of 0,20 with a significance of 97%. The firm infrastructure category showed a positive correlation coefficient of 0,23 with a significance of 99%. The physical environment category showed a positive correlation coefficient of 0,20 with a significance of 98%. The procurement category showed a positive correlation coefficient with the standard deviation of the share prices. The correlation coefficient was 0,20 and the significance 98%. The other correlation coefficients were not significant. The economic environment / financial markets category also showed a positive correlation coefficient with the standard deviation of 0,19 with a significance of 97%.

3. The third test was a multiple regression for the 21 risk categories and the nominal findings from the qualitative analysis, corrected for industry influences. This multiple regression was done with 36 dummy variables and the five dependent variables. Because the 21 risk categories were measured on an ordinal level, dummies were used to conduct the multiple regression analysis. These tests showed a positive coefficient for the return on shares from January 2nd 2004 to December 31st 2004 with a significance of 96%.

4. Fourth, a Pearson’s correlation was conducted with the interval/ratio variables and the dependent variables. These tests showed significant results between the number of “risks and controls” addressed in the risk paragraph and the return on share prices over the three periods.

5. Fifth, a multiple regression analysis was done for the five dependent variables and the total risks and total controls addressed in the risk paragraph. The results from these tests also indicated a positive relation between the return and the total controls addressed in the risk paragraph.


Introduction

Reporting on risks in a “risk paragraph” of the annual report is a relatively new phenomenon for organizations. As part of the broad discussion about corporate governance, enterprise risk management is becoming more important for organizations. Enterprise risks can affect the achievement of organizational goals, and companies are required to foresee these risks and communicate them to the external stakeholders, particularly the shareholders of the company. Legislation on corporate governance, and the incorporation of the risk paragraph in the annual reports in particular, is relatively new. In the Netherlands, the legislation was effective for the annual reports of 2004. Therefore, the topic of the research is relatively new and the field is in a state of development. The effects of corporate governance on the behavior of companies and their stakeholders will become more evident in the upcoming years. For now, this research is a first start on the analysis of the risk paragraph and will hopefully provide insight into the reporting of companies on enterprise risk and how this relates to other variables. Because a large group of companies was analyzed, the research will provide good insight into this aspect of corporate governance: reporting on enterprise risks.

In recent years corporate accounting fraud caused big losses for many shareholders of the companies involved. Because of the resulting scandals, the demand for transparency and integrity in corporations has increased dramatically. As an effect, many developed countries in the western world introduced rules and regulations for corporate governance. In the Netherlands, the Commission Corporate Governance published a code in December 2003. It will replace the forty recommendations on Corporate Governance stated by the Peters Commission in 1997. The code provides guidelines and best practices for Dutch organizations. The code will apply to companies listed on the relevant stock exchanges (Euronext) and will be effective in the annual reports for fiscal year 2004. It is expected that by the summer of 2005 these companies will have published their annual reports. The best practice guidelines state that the company must have an internal risk and control system and conduct risk analysis for both financial and operational risks.

Furthermore, the code states that the board has to report on the sensitivity of the results for external events and variables. A paragraph of the annual report will address the enterprise risks that can affect the results of the company. Therefore, this will be referred to as the “risk paragraph”. This paragraph is a part of the chapter on corporate governance.


Since the code was published there has been a discussion about the effectiveness of the code. Some argue that because it is not an imperative code, it will not be effective. The rationale behind the code is “comply or explain”. If companies decide to deviate from the code they have to explain and justify their decision. Because the code is not mandatory and it is the first year that the code is effective, it is expected that not all companies will have a chapter on corporate governance in their annual reports. Nevertheless, because Corporate Governance has become a prominent issue in the corporate world, it is expected that there will be enough companies with some sort of risk paragraph that can be used for the analysis.

Because the risk paragraph is a relatively new phenomenon for organizations, the research must be considered an exploratory study. It is a first step in the identification of enterprise risks by using the risk paragraph of listed companies in the Netherlands. In this context the research provides a status report on the development of the risk paragraph and identifies the areas that need further exploration.

To be able to analyze the risk paragraph a standard risk map will be used. This risk map is used by Deloitte to classify and categorize the endless list of risks that are covered by risk management. The risk map contains different risk categories, and these will be compared with the risks addressed in the risk paragraph of the annual reports. A number will be assigned to each risk category to make it possible to process the data and compare it to the return, the standard deviation and the beta. This will provide the means to analyze the relationship between enterprise risk and return. The data gathered from the annual reports will be processed and analyzed with the software program SPSS.


Chapter overview

To provide easy access to the document, the different chapters will be discussed here. The underlying thought for the structure of this document is to provide a document that is easy to read and guides the reader through the text. For this reason the chapter with the research design is introduced somewhat late in this document. The rationale behind this choice is to provide a theoretical overview of enterprise risk management first and to give the reader more insight into the topic. Because chapters three to six introduce concepts that are used later during the analysis of the risk paragraphs, it was most intuitive to structure the document in this order.

For instance, the Deloitte Risk Map is a tool for the analysis of the risk paragraphs and should be discussed before the research methods are introduced.

This thesis consists of an introduction and seven chapters. Each chapter will address an element of the research.

The first chapter will introduce the methods of this research. The problem statement, the deliverables and the sources of the research will be described. The problem statement consists of the research question and the investigative questions. First the research question will be stated; it is the start of the research. Based on this research question the investigative questions will be introduced. The investigative questions provide a step-by-step guide through the text. Each chapter will answer an investigative question. Furthermore, the deliverables and the sources are described.

The second chapter will introduce Deloitte and its approach towards enterprise risk. First an overview of the company will be given and an introduction to Enterprise Risk Services will be provided. In the second part the Deloitte enterprise risk management approach will be explained. It addresses the whole enterprise risk management approach from start to finish. This chapter has two functions: it provides the background of the company and it provides insight into the practice of enterprise risk management.

Chapter three addresses the theoretical background of Enterprise Risk Management (ERM). The development of the field will be described. It will address the difference with the old way of practicing risk management and the “evolution” toward an integrated, holistic, enterprise-wide approach. Furthermore, in this chapter a definition of the “new” enterprise risk management approach will be stated.

Chapter four will describe the Deloitte Risk Map which identifies the whole enterprise risk management spectrum. Based on the Deloitte Risk Map the different types of risk are identified.

The map is a tool that provides a structured view on the broad spectrum of risks every company is exposed to. The chapter is also important because it will be used later to identify the risks that are reported in the risk paragraph of the company.

Chapter five will state the research design. As was mentioned earlier, this chapter is introduced somewhat late in the text. The reason for this late introduction is that the background and the paradigm have to be provided first to understand the context in which the research is conducted. Furthermore, the Deloitte Risk Map introduced in chapter four is used in the research design, and therefore it was more practical to set the order of chapters this way.

Chapter five describes the selection of the companies, the data collection method, the analysis of the data, the method of preparing the data for the statistical analysis, the data level of the collected data and the validity, the reliability and practicality of the research. The chapter will provide a complete and detailed overview of all the steps that will be made to come to these conclusions.

The sixth chapter reports on the findings of the research. It goes into the analysis of the risk paragraphs and also addresses the relationships that the risks have with the share price, the return on investment, the beta and the standard deviation. Because a distinction can be made between the qualitative and quantitative analysis, the findings will be presented in separate paragraphs.

Finally the limitations of the findings and the research as a whole will be addressed.

Chapter seven will provide the conclusion and the recommendations. The conclusion will be the answer to the research question that was the main focus of the research. Based on the conclusion recommendations will be made for further research. After the statement of the conclusion the research question will be answered and this will finalize the research.


Chapter 1 Methods

This chapter will provide an overview of the research question, the investigative questions and the practical boundaries of the research. It does not include the research design, which will be described in chapter five. This chapter will introduce the problem statement and the investigative questions that must be answered first to be able to answer the research question.

Cooper & Emory (1995, p. 560) explain that the problem statement contains the need for the research. This research will conclude my study in Management and Organization at the University of Groningen and is conducted at Deloitte Enterprise Risk Services. Therefore, the research has two objectives. First, the research is conducted for Deloitte Enterprise Risk Services. This objective contains the need to provide findings that Deloitte can use in its consulting activities. The second objective is to conduct academic research for the University of Groningen, Faculty of Management and Organization. Because academic research starts with formulating the research question, this will be presented first.

1.1 Research Question

A research question is a fact-oriented, information gathering question (Cooper & Emory 1995, p.57). This research can be divided into two parts. First, an exploration of the risk paragraphs in the annual reports of 2004 will be conducted for the companies that have to comply with the Dutch corporate governance code. Second, the findings from the risk paragraph will be related to the share price of the company. Because of this, two questions are formulated. The first question is:

Research Question 1

“To what extent are companies reporting on enterprise risk and enterprise risk management in their annual reports and what type of risks do they report?”

Research Question 2

“How does reporting on risks relate to return, beta and the standard deviation of the share prices of these companies?”


1.2 Investigative questions

The investigative questions are deduced from the general research question and must be answered before answering the research question (Cooper & Emory 1995, p.58). By extracting different elements from the main question, the investigative questions can be based on these elements.

1. What is the practice of Deloitte Enterprise Risk Services?

Because the research is initiated by an internship at Deloitte and internal information will be used to conduct the research, it is important to describe Deloitte’s enterprise risk management practice. It will provide a background and a context in which the research is conducted and will give the reader insight into how risk management is practiced. It is the identification of enterprise risk management (ERM) in practice. This question will be answered in chapter three.

2. What is Enterprise Risk Management (ERM)?

After the practice of Deloitte has been described, it will be important to provide a background on the theoretical field of risk management. By understanding the background of ERM, the research can be placed in a theoretical context. Therefore this question will be answered in chapter four.

3. How can the ERM spectrum be identified?

After the identification of both the practical and the theoretical ERM field, the enterprise risk spectrum must be identified. The two previous questions deal with the approach; this question will identify what the enterprise risks are. It will provide a list of risk categories that will be used later for the identification of the risks in the risk chapters of the annual reports.

4. To what extent are companies reporting their enterprise risks in their annual report?

This question must be answered to understand what the companies are reporting. The question will provide the answer about the extensiveness of the risk paragraphs.

5. What do the companies report on enterprise risk management in the risk paragraph?

Besides the reported risks, it is important to know to what extent companies report about their actions to counter these risks, which is the conduct of enterprise risk management. Answering this question will identify how much companies report on how they handle enterprise risk.


6. Which risks are reported in the risk paragraph?

This question can be answered after the analysis of the risk paragraph. It is about the pattern of the risks that can be found in the risk paragraph of the annual reports analyzed.

After all the investigative questions are answered, the research question will be answered in the conclusion. The answer on the research question will finalize this thesis.

1.3 Conceptual model

A conceptual model contains the concepts that are included in the research and identifies the relationship between these concepts. Concepts are subjects with a certain degree of abstraction. It is a visual representation (a model) of the research itself and its purpose is to identify the area of research in a compact, simplified and comprehensive manner. The conceptual model for this research is presented on the next page:

The boxes represent the concepts and the arrows represent the relationship between the concepts.

Reading the model, one should start at the top. In recent years corporate scandals have led to an increased interest in corporate governance. This has led to new rules and legislation. In the Netherlands the Corporate Governance Code was issued in December 2003. Part of the corporate governance debate is the conduct of enterprise risk management. The Dutch corporate governance code stipulates that organizations should report their enterprise risks to their shareholders in order to be transparent and show that they are aware of the risks that can influence the goals of the company. Deloitte has extensive experience in the field of enterprise risk management. Its practice focuses on the identification, implementation and management of enterprise risks. This is summarized as the Deloitte enterprise risk management practice. Deloitte uses the Deloitte Risk Map as a tool for this practice. In this research the tool will be used to identify the enterprise risks in the risk paragraphs of the annual reports of 136 companies. This analysis will lead to the identification of the enterprise risks that companies report in their risk paragraph. Based on this identification, a statistical analysis will be done to identify how the reporting on risk can influence the return, standard deviation and beta of the share prices of the companies.


Conceptual model

1.4 Supervision

Because the research is conducted within both a practical and academic context, supervision will provide guidance through the process. Both from the firm and academia, supervision is provided.

- The first supervisor is Dr. J.H. von Eije, University of Groningen, Faculty of Management and Organization, Department of Financial Management.

- The second supervisor is Drs. D. Schaap, University of Groningen, Faculty of Management and Organization, Department of Business & ICT.

- The firm supervisor is Drs. R.M. Daals, Senior Consultant, Deloitte Enterprise Risk Services.

[Figure: Conceptual model. Boxes: Corporate Governance; Dutch Corporate Governance Code 2003; Annual report; Risk paragraph; Enterprise Risk; Deloitte Risk Map; Deloitte enterprise risk management practice; Enterprise Risks; Return on shares; Beta; Standard deviation (volatility).]


1.5 Deliverables

This part provides the setting in which the research takes place. It concerns the time period, the involved parties, the products that have to be delivered, et cetera.

The research takes place at Deloitte Enterprise Risk Services in Amstelveen, the Netherlands.

The final deliverables are:

- A report will be delivered at the end of the period to Deloitte Enterprise Risk Services, Amstelveen.

- A public report will be delivered to the University of Groningen. This report will be added to the collection of the academic library. The information in this report is publicly available and can be accessed by employees and students of the University of Groningen.

- Two reports will be delivered to the two supervisors of the university.

1.6 Sources

The research will take place mostly within the Deloitte organization, by desk research and expert interviews. As a theoretical background for the research methods the book by Cooper & Emory (1995) will be used. To be more specific, the sources that will be used are:

- Theory. Publicly available academic information in the form of books, journals, electronic articles, websites, etc.

- Internal information. The methods and models Deloitte uses to advise its clients on enterprise risks.

- Annual reports. The annual reports of 2004 of the companies selected. The risk paragraph and the financial information of these companies are considered.

- DataStream. A database that contains historical financial data about companies worldwide.

Chapter 2 Deloitte Enterprise Risk Services [1]

This chapter provides an overview of the firm and introduces the practice of risk management within Deloitte Enterprise Risk Services (ERS).

The investigative question that has to be answered is:

“How is Enterprise Risk Management practiced at Deloitte Enterprise Risk Services?”

2.1 Introduction to Deloitte

As an introduction to the theoretical part of the research an overview of the company will be presented here. Because the research is initiated by a question from the management (Cooper and Emory, 1995), the background in which this question arises is very important for the reader. It places the research in a context and clarifies its practical implication. The purpose of this chapter is to define the context for the research and provide the reader with background information about the company. The structure of this chapter is to start at the top with an overview of the international organization and drill down to the sub-divisions of the Enterprise Risk Services (ERS) department in the Netherlands. First the international organization will be introduced. After this a brief description of Deloitte Netherlands will be given. Drilling down further, the Enterprise Risk Services (ERS) department within Deloitte will be discussed.

2.1.1 Deloitte International

Deloitte is structured in as a Swiss Verein, an association of member firms that are legally independent of one another but operate under related names. The Deloitte Touche Tohmatsu’s (DTT) board of directors is the highest governing body. They determine the strategic direction of the organization. Together with internal administrative functions, such as human resources and technology, they comprise what is referred to as DTT. The Verein sets guidelines for the member firms and provides each member firm with exclusive privileges in its specific jurisdiction. DTT does not provide service to clients as a Verein.

¹ Paragraphs 1.2 to 1.4 are mostly text adopted from the website and the Deloitte intranet. Some parts are co-authored with Jan Joost Bierhoff and Patrick Koen, both interns of Deloitte ERS. Parts were adjusted when needed.


2.1.2 Deloitte Netherlands

Deloitte Netherlands (hereafter referred to as Deloitte) had revenues just under 710mln and around 7000 employees in 2003/2004, making Deloitte the second biggest professional and financial service provider in the Netherlands. This has been the result of several significant mergers and acquisitions. In 1998 Deloitte merged with the VB Groep, an accounting firm focused on governmental and non-profit organizations. Andersen Netherlands, member of the former ‘big five’ accounting firm Arthur Andersen, joined Deloitte in 2002 as a result of the Enron scandal, putting Deloitte in the number two position in the Netherlands.

Deloitte Netherlands recognizes four activities: audit, tax, consulting and financial advisory.

Deloitte’s focus in 2003/2004 has been to restore its image as an accountant. All accounting firms have been criticized in the aftermath of the Enron debacle. The critique focused on the integrity and independence of the accounting firms. (Tax) consulting services in combination with audit services expose an accountant to ethical issues such as integrity and independence. Auditing your own advice is simply not done! Consequently, regulations came into existence that enforce a strict separation of consulting and audit activities. Hence, three of the ‘Big Four’, Ernst & Young, KPMG and PricewaterhouseCoopers, sold their consulting activities (not tax and financial advisory). Nevertheless, Deloitte chose to keep its consulting branch and to comply with the regulations in order to carry out its vision of being a full service accounting firm. Yet, more than half of Deloitte’s revenues are still earned with the audit activity.

2.1.3 Deloitte Enterprise Risk Services

Deloitte offers a wide array of services in the field of risk management and control, including IT auditing services. All these services combined are called Enterprise Risk Services.

Reliability of business processes, information and technology is a critical aspect in organizations, as it supports strategic and operational decision making. It is important to have a balanced approach toward risk, either eliminating or controlling it, and to have overall security for strategy, organization, information, operations, environment, technology and financial management.

The services can be identified based on the needs of the clients. These needs are diverse and contingent on the situation of the client. A few examples of the risks companies have to deal with are:

o False information

o Breakdown of operational processes

o Hackers

o Problems with logistics globally

o Inaccurate financial information that can influence the stock price.

The Enterprise Risk Services group consists of five sub-groups. The groups that together form the Enterprise Risk Services department are:

1. Data Quality & Integrity (DQI)

2. Security Services Group (SSG)

3. Control Assurance (CA)

4. Risk Consulting / Integrated Audit (RC / IA)

5. InVision

The five divisions can be placed on a spectrum. From DQI to RC / IA, the character of the services they deliver shifts from a quantitative to a more qualitative approach. At one side of the spectrum Risk Consulting offers process-oriented services. On the other side of the spectrum Data Quality and Integrity can be positioned; this group is more data-oriented. InVision is a group that also offers internal services to the other groups and is positioned outside of this spectrum. This is visualized in the figure presented below:

Figure 1 Enterprise Risk Services sub-groups. The figure places Data Quality & Integrity (DQI), Security Services Group (SSG), Control Assurance (CA) and Risk Consulting / Integrated Audit (RC / IA) on a spectrum running from Data (Quantitative) to Process (Qualitative); InVision is placed outside the spectrum.

A short description of the activities of these five groups:

Data Quality & Integrity (DQI)

This part of ERS states its mission as: “to apply mathematical and statistical expertise and software skills to assist our clients in questions relating to data by providing effective and efficient methods and tools.” This group uses a set of mathematical and statistical tools to investigate the integrity and correctness of their customers’ data. The core of their activities is to conduct statistical and mathematical analysis.

Security Services Group (SSG)

Deloitte & Touche Security Services Group (SSG) provides customers with an end-to-end offering that addresses the organization's need to better assess and manage risk. IT security and system security are the core activities of their services.

Control Assurance (CA)

The mission of Control Assurance (CA) is to identify and test internal control policies and procedures. They typically provide their services to clients with significant use of computers, as part of an examination of financial statements or as a stand-alone engagement. This is often done in conjunction with other ERS and consulting projects. By providing monitoring and independent assessment, CA professionals help to ensure that the processes put in place to manage risk and run the business are functioning as intended. CA services also help clients to reduce their total audit effort by providing an independent report on controls.

Risk Consulting / Integrated Audit

Risk Management / Integrated Audit helps clients establish a sustainable, internal capability to identify, assess and manage risks to the achievement of their objectives, and to the integrity and effectiveness of their processes. With their participative approach they develop ownership, accountability, and the support of each department and business unit in the organization. It builds an end product that helps people manage risks to the achievement of their objectives within a simple-to-understand risk framework. Risk frameworks map an organization's universe of risk and control, including strategic, operational, financial, and compliance risks. Using the combination of structured risk frameworks, workshops, awareness programs, reporting and accountability processes, they engage, enthuse and enable people - from members of the Board and management, to front line employees, team leaders, and supervisors - to develop a sustainable capability to assess and manage risk and control across an organization.

InVision

InVision is a group within Deloitte that develops internet applications that support other consulting and auditing services. All these applications run on the same platform, which establishes uniformity across the different available applications and makes them easier for people to use. InVision delivers E-solutions for both internal and external customers.

Although a distinction between the five groups can be made, the groups work together when needed. Depending on the assignment and the client, the different fields of expertise are combined and people from the different groups work together.

2.2 Deloitte Enterprise Risk Management Practice (not available)

“Not available in the public version. Please contact the author or Deloitte Enterprise Risk Services for more information.”

2.3 Conclusion

After the description of the Deloitte Approach, the second investigative question can be answered:

“How is Enterprise Risk Management practiced at Deloitte Enterprise Risk Services?”

Enterprise Risk Services is a part of Deloitte, one of the biggest professional financial service firms in the Netherlands. One of the activities of Enterprise Risk Services is Risk Consulting. Risk Consulting is a service that focuses on managing enterprise risks. To advise on and implement risk management, Deloitte developed an approach that covers the whole process from identification of enterprise risks to the implementation of an enterprise risk management system. The Deloitte Enterprise Risk Management Approach is a structured, documented way of dealing with risks across the company, from implicit to explicit. The approach covers the whole spectrum of enterprise risk management by conducting all phases of the enterprise risk cycle. This cycle consists of five sequential steps. Each step must be completed before the next phase can start. The steps are: “identifying risk, assessing risk, planning risk, managing risks and continuous improvement.”

Chapter 3 Enterprise Risk Management

This chapter will provide an insight into the field of Enterprise Risk Management (from here on referred to as ERM). The concept will be explained and the field of ERM will be explored from both academic and professional sources.

At the end of this chapter the following research question can be answered:

“What is enterprise risk management?”

3.1 Introduction

To understand what enterprise risk management is, it is important to understand the concept of risk. In literature a lot has been written about risk and different definitions are used. In this chapter an overview of the concept will be given and it will be placed in a relevant context. First the different definitions of risk will be identified. Second, the evolution of risk management to ERM will be described and the benefits of ERM will be explained. Third, definitions of ERM will be given to get a clear impression about the topic.

3.2 Risk

There is no universally agreed-upon definition of risk (Ross et al. 2002, p. 234). Doherty (2001, p. 137 - 144) defines risk as “the volatility of the outcome of a certain event”. From this point of view risk is the deviation of an outcome from an expected or preferred outcome. This way risk is regarded as an uncertainty about the outcome of a certain event. Originally risk has been regarded as a negative phenomenon, and the Oxford Dictionary (online) defines risk as: “a situation involving exposure to danger” or “the possibility that something unpleasant will happen”. The word risk originally comes from the Italian word “risco”, which means danger. This definition is very normative and is associated with something “bad” or something that is unpleasant. It only regards the downside of risk.

3.2.1 Risk as both opportunity and threat

Risk is regarded in distinct senses. In a report on behalf of the International Federation of Accountants (IFAC 1999, p. 13) three distinct views on risk are identified: risk as an opportunity, risk as a hazard or threat, and risk as uncertainty. These three views on risk have to be explained to give a clear context on how risk is regarded. The differences in interpretation of risk strongly depend on the background of the people involved.

Opportunity

When risk is regarded as an opportunity, this implicitly states the relationship between risk and return (IFAC 1999, p. 13). If the organizational risk is increased, the return will also increase. It is the pursuit of the upside: creating new opportunities to create value, while controlling the negative side of risk.

Hazard or threat

Risk can be regarded as a hazard or threat and is about the “loss” side of risk. Mostly, managers perceive risk as a hazard or a threat. When managers talk about risk they refer to things like a financial loss, a product failure, lawsuits, injury or other negative events. This downside of risk should be minimized. Because the downside of risk means the destruction of value of the company, it should be minimized by conducting risk management.

Uncertainty

Risk as uncertainty is about the variance of possible outcomes. The outcomes can be both positive and negative, and risk is the deviation from an expected outcome. This view on risk is mostly used in academic circles. In this context, risk management is an effort to reduce the variance of the possible outcomes.

Recently authors and professionals argue that risk can be regarded as both an opportunity and a threat. According to Doherty (2000, p. ix), a paradigm shift can be recognized in the field of risk management. The paradigm has always focused on the “loss” side of risk, the negative effects of an outcome that deviate from the expected outcome.

This paradigm shift implies that enterprise risk management is more than just eliminating risks; it is about choosing the right amount of risk for the company. This shared understanding makes companies aware that by taking more risk, a company can increase its performance. Increasing risk will also increase opportunities for value creation. Considering this, a company should find the right balance between the risks it takes and the opportunities it creates. The company can practice risk management to find the right balance between risk and return and to influence its risk position pro-actively.

From a financial standpoint risk can be seen as an opportunity to generate a profit. Successful risk management allows you to have a lower cost of capital, and if you do that, it will add value to the firm (Quinn 2005, p.35). Depending on the risk appetite of a company it can undertake profit generating actions with a certain amount of risk. The COSO ERM framework states the following about risk appetite: “Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style” (COSO ERM 2004, p.28).

3.2.2 Definitions of risk

The Committee of Sponsoring Organizations of the Treadway Commission² uses a definition that incorporates both the potential negative and the positive side of risk (COSO, 2004). In their opinion risks are based on events occurring inside and outside the organization. These events can have negative implications for the company, but can also present an opportunity. They provide the following on events, risks and opportunities:

An event is an incident or occurrence from internal or external sources that affects achievement of objectives. Events can have negative impact, positive impact, or both. Events with negative impact represent risks. Accordingly, risk is defined as follows:

Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

Events with adverse impact prevent value creation or erode existing value. Examples include plant machinery breakdowns, fire, and credit losses. Events with an adverse impact can derive from seemingly positive conditions, such as where customer demand for product exceeds production capacity, causing failure to meet buyer demand, eroded customer loyalty, and decline in future orders.

Events with positive impact may offset negative impacts or represent opportunities.

Opportunity is defined as follows:

(COSO ERM 2004, p. 41)

Identifying events as a common background for both risks and opportunities is useful because it confirms both sides of risk.

An author who also identifies both the positive and the negative side of risk is James DeLoach. In his book “Enterprise-wide Risk Management, strategies for linking risk and opportunity” (2000) he defines risk as:

“the distribution of possible outcomes in a firm’s performance over a given time horizon due to changes in key underlying variables”…”The uncertain returns can have either positive or negative values, and hence both positive and negative changes in key variables must be

This definition is very similar to the COSO definition, but it incorporates the positive side in the definition of risk without the use of events. The definition of DeLoach provides a frame of mind that also acknowledges the positive effects of risk. Therefore, this definition of risk will be used throughout this document.

² This organization is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. In September 2004 it presented a framework for risk management.

3.3 Evolution towards Enterprise Risk Management

ERM is a relatively new approach to risk management. It has increasingly been given attention in the media and there is an increased interest in ERM among academics and professionals. The research conducted by Liebenberg and Hoyt shows that little was written about ERM in the mid-nineties, but that it gained rapid attention toward the end of the century. From the mid-nineties until the beginning of the new century, the number of articles about ERM grew strongly (Liebenberg and Hoyt 2003, p. 37). In their study they investigated the number of articles about ERM and found a significant increase from 1996 to 2002.

The driving force behind the development of ERM is the shortcoming of traditional risk management. DeLoach identifies three shortcomings of the traditional approach (DeLoach 2000, p.25):

1. Responsibility for risk management is often fragmented. A narrow focus on specific financial and hazard risk often leads to the view that risk management is a cost centre. Because the cost centre is supposed to hedge all risks, managers do not regard risk management as a part of their job.

2. The focus on discrete risks, not the business portfolio. The classic risk management model is based on treating separate groups of risks in isolation. This approach misses the benefits of the relationships between risks and the natural hedge they can provide for each other.

3. Risk management as a product or a transaction. In the traditional form, risk management is regarded as a transaction or as a product, either by using a clause in a contract or by buying insurance. When risks are managed this way, it is done apart from company strategy. It is not an integral part of the strategy and can therefore add little value.

These shortcomings are familiar objections against the traditional practice of risk management.

Treating risk in a fragmented way and neglecting the relationships between risks are often heard complaints. Risk management used to be part of the financial department, which hedged the market and credit risks and was occupied with managing the downside of mostly financial and operational risk (DeLoach 2000). Using derivatives, insurance and other financial instruments, risk management organizations used to hedge their risks. According to Damodaran (2005), firms are paying too much attention to risk hedging and not enough to risk management. Even financial scholars like Froot and Stein (1998, p.57) argue that not all risk can be hedged in the capital market. Unlike risk hedging, which is the job of the chief financial officer, risk management should be on the agenda of everyone in the corporation.

Many authors argue that this is the biggest disadvantage of traditional risk management: it treats risk in silos without an integrated approach (DeLoach 2000). Liebenberg and Hoyt argue that managing each risk class in a separate silo creates inefficiencies due to a lack of coordination between the various risk management departments (Liebenberg and Hoyt 2003, p. 41). ERM is a solution to this problem. It considers the whole company, and risk management is part of everyone’s job (DeLoach, 2000). According to Damodaran (2005) the key to success lies not in avoiding risk but in taking advantage of the opportunities offered by risk.

In the new environment, where changes follow each other rapidly, risks should be considered in relation to each other. Rapid changes that can be considered major drivers for ERM are: globalization, industry consolidation, deregulation, increased regulatory attention toward corporate governance and the progress of technology that enables better quantification and analysis of data (Liebenberg and Hoyt 2003). One of the important drivers of ERM is the increased regulatory attention towards corporate governance as a reaction to the recent accounting scandals. Examples of new regulations are the Sarbanes-Oxley Act for US and US-listed companies and the report of the commission Peters in the Netherlands. These regulations have all increased the attention towards ERM. James Lam (2000) puts it more boldly. He states that ERM is becoming the best-practice standard because the traditional approach to managing risk did not produce effective results (Lam 2000, p. 2).

3.3.1 Definitions of ERM

Different elements of ERM have already been described in this chapter: using an integrated approach, making risk management part of everyone’s job, taking advantage of the opportunities offered by risk and considering the whole enterprise. These are all characteristics of ERM. Quinn (2005) argues that at the most basic, ERM is a means of determining all the risks a company faces, both currently and in the near and long-term future, regardless of whether those exposures have historically been insurable or able to be hedged through the financial markets (Quinn 2005, p. 34). Puschaver and Eccles (1996) argue that risk management in the full sense “is seeking the upside while managing the downside.” To provide a clear impression of the concept, two definitions of ERM will be explored.

First, the COSO ERM framework provides a definition for ERM:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

This definition regards the responsibility for risk management as part of the job of the management team.

Another definition of ERM is provided by DeLoach. He defines ERM as:

“A structured and disciplined approach: it aligns strategy, processes, people, technology and knowledge with the purpose of evaluation and managing the uncertainties the enterprise faces as it creates value.”

“ERM means the elimination of functional, departmental and cultural barriers”.

A strong element in this definition is the statement about the value creation process of the company. It also stresses the alignment of all elements in the organization. When combining this definition with the definition of risk, ERM can be regarded as a process in which both the positive and the negative side of risk have to be managed in order to create value. Therefore, when referring to ERM, the definition of DeLoach will apply. The aspect of value creation will be explored in further detail in the next paragraph.

3.3.2 Limitations of ERM

Although an increase can be recognized in the number of articles written about ERM, critics argue that it is still in its infancy, both in theory and in practice (Quinn 2005, p. 34). Not all organizations have an ERM program in place and extensive academic research still has to be done in this field. A survey funded by the IIA Research Foundation found that fewer than half of the responding organizations did not have a risk management program (Beasley et al. 2005, p. 67). Even among these more advanced practitioners, however, the focus of enterprise risk management rarely encompasses more than financial, hazard, and operational risks (Slywotzky and Drzik 2005, p. 80). This criticism shows that the ERM field is still developing.

3.4 Conclusion

As a result of the previous text, the first investigative question can be answered:

“What is enterprise risk management?”

ERM is a relatively new approach towards managing risks. It evolved from a more traditional risk management approach, which was focusing mostly on financial and operational risks. Recently academics and professionals are considering both opportunities and threats as part of risk management. In its new form, risk management is seeking the upside while managing the downside. ERM can be defined as:

“a structured and disciplined approach: it aligns strategy, processes, people, technology and knowledge with the purpose of evaluation and managing the uncertainties the enterprise faces as it creates value.”

Although the amount of academic research is still limited, an increase is noticeable recently. Driven by the need for transparency and corporate control, ERM has gained more acceptance in the academic and corporate world.

Chapter 4 Enterprise Risk Management Spectrum

This chapter will identify the risks that are considered in the field of ERM. Paragraph 4.1 introduces the topic of this chapter and provides the structure. Paragraph 4.2 will describe the Deloitte Risk Map (referred to hereafter as “the Deloitte Risk Map”). Paragraph 4.3 will present the findings and provide an answer to the following research question:

“How can the ERM spectrum be identified?”

4.1 Introduction

In the previous chapters the definitions of risk and ERM have been provided. As explained in these chapters, the process of ERM covers risk throughout the entire organization. Therefore the complete range of risks considered by ERM is extensive. The purpose of this chapter is to identify the risk spectrum that is covered by ERM. The identification of these categories is a first step towards the identification of all enterprise risks. Because the spectrum of risks is as diverse as there are companies, no list can be exhaustive. Therefore, this chapter will identify the main risk categories that provide order in the limitless spectrum and which can be used as a tool to identify the risks for a specific company. Deloitte also developed an extensive list of eighty risks that are related to the risk categories. To keep this chapter comprehensible and readable, it will only address the risk categories and the underlying thought. These categories are sufficient to be used for the identification of enterprise risks.

Next, the Deloitte Risk Map will be introduced and the categories will be explained.
