ICSA Subsidiary Governance Conference

Assessing corporate culture at subsidiary level
Richard Sheath
12 October 2016

Culture: core questions for the Board (1)
WHERE DO WE WANT TO GET TO?
Is there a governance structure that supports oversight and
strategic leadership around culture?
Working out where we
need to get to
Looking at what we’re
doing as a board
1

Culture: core questions for the Board (2)
HOW CAN WE BE SURE IT IS COMING TOGETHER?
How do we build evidence so we can know are where we
need to be?
need to get to
doing as a board
Assessing what management are doing to embed
the right behaviours
Building a picture of
behaviours
Looking into the
organisation
1

Culture: core questions for the Board
need to be?
need to get to
doing as a board
What do we want to
achieve and why?
What role do we need to
play?
How does this fit with
executive responsibilities?
What governance structure
needs to be in place?
How do we…
• currently exercise
oversight?
• provide leadership on
behaviours?
• discuss the strategic
imperatives &
implications?
• consider behaviour as
part of our decision-
making?
• communicate our
objectives and
concerns?
• assess behaviour roots
of
performance/problems?
What are the gaps: where
we are and want to get to?
Assessing what management are doing to embed
the right behaviours
Building a picture of
behaviours
Looking into the
organisation
How do we get a view of the executive approach/actions?
How do executives manage behaviours downwards?
How does our incentive approach align?
How can we see the way cultural diversity is tackled?
How do they see what people are doing day to day?
What is the process for tackling problems?
How do we know what’s
going on inside?
How do management give
the Board insight?
How is the behaviour angle
covered in reporting?
What is used to provide us
with assurance/evidence?
How do we assess the
risks?
How do we see/discuss the
known problems?
Thinking through what
surveys are covering
Getting a view of:
• how far expectations are
understood
• how people see/react to
day-to-day behaviours
• perceptions of manager
• messages/actions
• comparison of executive
& manager behaviours
• views on what needs
escalating and how
1

Extending out to subsidiary culture
need to be?
STRATEGIC
The same questions apply…
… but the context is different
ORGANISATIONAL
How far do we want the same “culture”?
How far is the same culture achievable?
What are the risks?
How is the risk appetite being applied?
What is the environment?
What is the organisational context?
What is the group/subsidiary relationship?
How is control exerted?
How does governance oversight work?
How do information/messages flow?
2

Putting it in context
STRATEGIC
The Environment
The context is different…
ORGANISATIONAL
Group/Subsidiary
3

But then follow the same basic steps…
Reach a consensus on the need
4

Basic steps (2)
Make sure you know what you’re aiming at - for the Group and each subsidiary
5

Basic steps (3)
Recognise diversity – and work out how much you want
6

Basic steps (4)
Determine what style of leadership you expect to see at group and subsidiary levels
7

Basic steps (5)
You’ve limited reach and line of sight: so understand what management are doing
8

Basic steps (6)
Make sure executives and management are on board – at Group and subsidiary levels
9

Basic steps (7)
Think through the group relationships and how they are understood
10

Basic steps (8)
Think through the language and communication angles
11

Basic steps (9)
Work out how you are going to build the picture
12

And only then start assessing…
13

Get out there…
There’s no substitute for getting out there: site visits are a core source of insight and comfort
14

Use what you’ve got
PUTTING TOGETHER A PICTURE THROUGH A “CULTURE & BEHAVIOUR” LENS
EXTERNAL
INDICATORS
HR
REPORTING
CUSTOMERS
INTERNAL CONTROL
INDICIATORS
STAFF
FEEDBACK
SUPPLIERS
INVESTORS
COMMUNITY
NPS
Net Promoter Score
COMPLAINTS
SOCIAL MEDIA
ABSENTEEISM
TURNOVER
EXIT INTERVIEWS
TRAINING
CONTRACT STAFF
MEDIA
WHISTLEBLOWING
COMPLIANCE BREACHES
AUDIT REPORTS
SAFETY
HEALTH
ENVIRONMENT
PUT TOGETHER…WHAT ARE THESE INDICATORS SUGGESTING?
MORALE & MOTIVATION
WHAT IS EXPECTED?
WHAT DO I SEE?
HOW WE TREAT PEOPLE?
TAKING RISKS
MAKING DECISIONS
What are the surveys
actually covering?
15

And apply it to subsidiaries in the same way…
…but…
• Put it in context
• Work out with management
how to distil the picture
• Understand how
management are using the
picture/indicators
• Link to the relative risks for
each subsidiary (financial,
regulatory, reputation…)
Build the same picture… And when it comes to surveys…
• Watch the language and relevance
• Work out how you’re going to use the data
16

© Independent Audit Limited 2016
CONTACT:
Richard Sheath: +44 (0)20 7220 6583 | richard.sheath@independentaudit.com
4 Bury Street | London | EC3A 5AW | +44 (0)20 7220 6580 | www.independentaudit.com
Registered in England number 4373559 Registered Office One Glass Wharf Bristol BS2 0ZX

Roseanna Rowett
Case study:
Intertek Group
plc
v1.0
Ida Woodger
12 October 2016

2
Our Heritage
1996: Inchcape
divests testing
business to
Charterhouse
Development Capital
1885: Caleb
Brett, cargo
certification
business
founded
1896: Lamp Testing
Bureau founded, later
renamed ETL
1973: Labtest
established in
Hong Kong,
initially
focussing on
textile testing
1900 2002
2015: PSI building
and construction
assurance
business acquired
2011: Moody
International
acquired
1925: SEMKO
electrical
safety testing
founded in
Sweden
1988: ETL
Testing
Laboratories
acquired
1984-87:
Caleb Brett
acquired
1992: Warnock
Hersey acquired
1994: SEMKO
acquired
1888: Milton
Hersey establishes
a chemical testing
laboratory in
Montreal, Quebec
1996-021970
Intertek Group plc
listed on the LSE
Intertek develops into an international testing business
through acquisition and organic growth
2002: Intertek
listed on the
London Stock
Exchange
2009: Intertek
enters the
FTSE 1001987: “Inchcape Testing Services”
formed
Intertek’s pioneering founders
1911: Moody
International, Oil
and Gas testing
and certification
business
1880
1927: Charles
Warnock
Company
formed in
Montreal,
Canada to
inspect steel
products
1989: Intertek
enters China

3
What We Do
What We Do Everyday
Which Economic
Sectors
Where
Assurance
Testing
Inspection
Certification
Products
Trade
Resources
100+ countries
1,000+ laboratories
40,000+ people

4
Our subsidiaries
33
joint-ventures
80
branches
312
wholly-owned
subsidiaries

5
Our group structure
Intertek
Group plc
UK entity 1
Middle East &
Africa
China
South and
South East
Asia (50%)
UK entity 2
Russia,
Europe &
Central Asia
Australasia
North
America
South and
South East
Asia (50%)

6
Our Company Secretariat support structure
Group Company
Secretary
Regional Co Sec
– North America
Regional Co Sec
– MENAP & SE
Asia
Regional Co Sec
– China
Company
Secretarial Admin
Assistant
Deputy Company
Secretary
Company
Secretarial
Trainee
Assistant
Company
Secretary
Company
Secretarial
Assistant

7
Our subsidiary governance framework
Centrally
managed – from
London HQ
Locally managed
– in country of
incorporation
Assistance from
external local
legal and
accountancy
firms as well as
the Group’s
Auditor

8
Centrally managed components
Core
Controls
Framework
Policy on
Subsidiary and
Joint-venture
company
boards
Parental
guarantee
guidelines
Group-wide
Authorities
Cascade
Blueprint
Oneworld
database –
master data
Incorporations,
liquidations
and
restructuring
8
Our core controls
Guidelines on
Powers of
Attorney

9
Regular catch
up meetings
and to-do list
Online sharing
platform
Templates &
procedures
Sharing the
load
Record keeping Handovers
Communication and management tools

10
In practice
Event / Project
 Legal paperwork required
 Internal approvals
 Local points of contact
Key Co Sec considerations
Director and
shareholder
meetings
01
 Assistance in the DD process
 Funding and paperwork
 Closing & Integration
Change of
personnel
02
 Accuracy of Blueprint data
 Verification material available for audit
 Changes throughout the year
Annual Report03
 Leaver and appointment procedure
 Consider share ownership – ESS and those held on trust
 Resulting board structure changes
Treasury and
tax projects
04
 Minutes and resolutions
 Verification process – officers, share capital, company information
 Reconciliation of accounts - local books vs centrally held accounts (Cognos)
Acquisitions05

11
Take away points
03 Don’t be a bureaucrat
02
01
Good communication
is essential
Have a clearly defined
strategy

Competition issues for subsidiaries and boards
Parents mind your children
Nicole Kar
October 2016

1
Agenda
> Application of competition law and risks to companies
> Parental liability
> Managing and mitigating risks
> What does this mean for boards?

2
Competition law – a primer

3
The basic rules
Law prohibits Who?
Abuse of dominance Undertakings
Restrictive
agreements/collusion
Undertakings (and in the UK, Austria,
Germany, Ireland) individuals

4
The smoke filled chat room
> Recent investigations have seen competition authorities push the
limits of antitrust and new regulators like the FCA take on antitrust
powers and consider requiring expansive mandatory self reporting of
competition breaches
> Focus is now beyond the classical “smoke filled room” and looks e.g.
to different fora; collusion on non price parameters; and pure
information exchange (e.g. price signalling),

5
Information exchange: Good, Bad, Ugly
Good Bad Ugly
> Historical data > Future price/volume
data or future
strategic intentions
> Current data which
discloses intended
conduct
> Aggregated/
anonymised data
> Disaggregated,
company specific
data
> Systemised, frequent
exchanges
> Exchanges in public
(i.e. the customer has
equal access)
> In private > Partly in private/partly
in public – not
genuinely public
> Increases
transparency for
consumers/consumer
benefits
> Highly concentrated
market (few players)
> Covers a broad part of
the market which is
concentrated

6
Competition risks
Fines
Damages
claims Damages
claims
Imprisonment
Negative
commercial
impact Disciplinary
action
Procedural
costs
Reputational
damage
Company
risks
Personal
risks
Director
disqualification

7
Cartel fines in the last 25 years
344 271
3157
7969
8700
4332
127
1419
938
2332
3363
2750
264
1061
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
1990-1994 1995-1999 2000-2004 2005-2009 2010-2014 2015-to date
EU
US
China
Million (EUR)
Comparatively
higher than in the
previous period

8
Liability for individuals/board members in the UK
> Criminal cartel offence: no dishonesty requirement as of April 2014; is jury trial
appropriate? “not in usual spectrum of fraud cases”
> Director disqualification: personal involvement; knowledge of conduct and failure
to take action; where “ought to have known”
> Claiming damages from directors and employees? Safeway v Twigger: attempt
to recover fines against individuals (really D&O insurance). Failed as against
public policy
Advice for Directors: Insist on compliance programme and training in high
risk areas (e.g sales team in industrial companies), query anomalies.
Advice for companies: assess risk levels and tailor compliance programmes
accordingly; do audits to monitor compliance; clean up conduct found.

10
Concept of parental liability
> In the EU, a parent company can be held jointly and severally liable
for the conduct of its subsidiaries (in the broadest, not just
accounting sense) (single economic entity doctrine)
> The parent does not need to be involved or aware of the
subsidiary’s participation in the infringement
> Parental liability arises when parent and subsidiary constitute a
“single undertaking” in the economic sense (the underlying legal
structure is not decisive)
> The European Commission must in principle prove on the facts
that the parent exercised decisive influence over the commercial
policy of the subsidiary to show that they are a single undertaking
(except if the parent has – almost - 100% shareholding)

11
The Akzo (rebuttable?) presumption
Shifts the Commission’s burden to prove that parent/subsidiary are a
single economic entity, but:
> The Commission must prove that the conditions to apply the
presumption are met
> The parent company must hold (almost) 100% of the subsidiary’s
capital
> The Commission must identify unequivocally the addressees of the
potential fine sufficiently early in the investigation (the statement of
objections)
> In such cases the presumption becomes, in practice, impossible to
effectively rebut

12
Outside Akzo
When the parent does not have (effectively) a 100% shareholding, the
Commission must prove that the parent exercised actual decisive
influence over the subsidiary’s commercial policy, which involves the
unity of market conduct of the subsidiary and its management
> Market conduct/commercial policy includes strategic decisions and
operational matters
> May be triggered at much lower levels of control (e.g. joint control
and minority interests), relevant factors include actual control of the
subsidiary’s board, management overlaps and reporting mechanisms
> PE investors can also be held liable if they did not act as a purely
financial investor

13
Goldmans/Power Cables
> Commission decision in 2014 finding the Goldman Sachs Group, Inc.
(GS) liable for the participation of one of its portfolio companies,
Prysmian, in the Power Cables cartel (Euro 37.3m)
> GS had exited when the investigation started (and the infringement
started before it purchased it)
> GS appealed the decision (ongoing proceedings before the EU General
Court)
> Two clearly differentiated periods for GS, but the Commission held it
liable throughout both periods
> 2005-2007: GS shareholding far below 100% for most of the period
> 2007-2009: GS minority shareholder

14
The Impact of Brexit
> Still a lack of clarity, but “hard” Brexit now seems likely (‘Great Repeal
Bill’ to bring about a “fully independent, sovereign country” without being
bound by ECJ law)
How might Brexit impact the CMA’s position towards parental liability?
> If the ECA 1972 is repealed, and the CMA is no longer bound by the
European Courts’ jurisprudence (s 60 Competition Act), will it change its
stance on parental liability?
> Unlikely. There are strong public policy reasons (e.g. deep pockets,
deterrence, effectiveness of enforcement, recidivism uplift) for the
CMA to maintain the approach taken by the EU
More generally, CMA has criminal powers and may be expected to
enforce these actively without needing to think about interaction with EU
law

15
Managing and mitigating risks

16
Acquiring new entities or businesses
> Pre-acquisition: due diligence should cover antitrust issues (may be
difficult in an auction), identify industry hot spots and interview
management. Easier when you are already active in the industry.
> Limiting risks by structuring acquisition (ideally, you will want full
recourse)
> Asset deal: selling entity should not disappear, share deal: not to
merge entity within acquirer
> Consider making the seller seek leniency prior to signing

17
Group companies’ compliance
> You will likely be liable for (indirect) subsidiaries, joint ventures and
even minority investments’ conduct if there is control
> Do I want to know? TYPICALLY YES
> Effective compliance programmes, identify risk areas, but rolling
out compliance programme can be seen as control!
> Any doubts/suspicions: do an audit
> If passive JV partner, ensure that there is no suggestion of control
(e.g. water down your rights)
> Consider “remedial/clean up” action e.g. application for
immunity/leniency

18
Acquiring new entities or businesses cont.
> Use robust warranties and indemnities to cover possible fines
and/or damage claims
> But enforceability of indemnity clauses may be challenged in the
UK on the basis of the ex turpi causa maxim
> Minority investment
> Carve-out infringing company/business if have knowledge
In any event, the Commission is pushing the boundaries and the
options are becoming more limited
> Act early post-acquisition: address antitrust at first board meeting,
end infringement, implement effective compliance programme

19
Disposals
> When selling a group company or an interest options include:
> Clean up conduct before the sale (seek immunity if appropriate)
> Limiting warranties and indemnity exposure (ideally, you want to
walk away with clean hands)
> Beware of asset sales due to residual corporate liability
> Escrow account to cover potential liability
> Record of non-involvement and compliance efforts

21
What does this mean for boards?
> Compliance fatigue: stream competition risk assessment and
controls with other risk areas facing the business (ABC, sanctions,
etc.) but don’t ignore competition law.
> Ensure compliance programmes and training is fit for purpose and
revisited regularly (e.g with M&A, with expansion into new
geographic areas; when new teams are hired from competitors)
> Consider contractual protections in acquisitions and limit exposure
when disposing of group companies or businesses

22
Contact
Nicole Kar
Partner, National Practice Head
Competition Antitrust, London
Tel: +44 20 7456 4382
nicole.kar@linklaters.com
Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to
refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP together with a list of those non-
members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ or on www.linklaters.com and such persons are either solicitors, registered foreign lawyers
or European lawyers.
Please refer to www.linklaters.com/regulation for important information on our regulatory position.

Health and Safety – Subsidiary Governance
Health and Safety: Risk &
Liability Review
Ann Metherall CEng FICE
Partner

24/07/15

Offence Starting
Point*
Range*
Corporate
Manslaughter
Act
£7.5m £4.8 - £20m
Health &
Safety at
Work Act
£4m £2.6 - £10m
*assumes very high culpability and a turnover greater than £50m

How can the firebreak be undermined?
• H&S obligations
• Cases of
• Chandler v Cape [2012]
• Thompson v Renwick [2014]
• R v CAV Aerospace [2015]
• Risk Factors
• Practical Steps
Purpose of limited liability
subsidiaries?
Tax? Firebreak?

Health & Safety Obligations/Consequences
Corporate Manslaughter
Duty of care based on
negligence principles
HSWA
“organisations must ensure safety so far as
reasonably practicable
s.2 s.3
Everyone else affected by
“scope of undertaking”
Factual question
Employees
Gross breach caused
substantially by the way
senior management
organises its business
Corporate Manslaughter
creates no new obligations
just increases the
consequences

Chandler v Cape plc
[2012]
• Claimant employed by a cape
subsidiary
• Exposed to asbestos dust
• Cape plc accepted subsidiary failed
in its duty of care
• Subsidiary dissolved
• Claim against Cape plc
• Group Medical Advisor and
scientific officer
• Board discussion on aspects of
production
• Cape knew its subsidiary
arrangements were defective
Court of Appeal found for claimant
because of its knowledge of the
condition and asbestos risk meant it
had a duty of care to advise the
subsidiary what to do or to ensure
steps were taken

Pure holding
company may
reduce risk
Factual and
what does
the parent
say in its
safety
management
system?
Audits increase
and reduce risk.
Ignoring warnings
from subsidiary
increases risk
Centralised
advice and
medical support
and practice of
intervention
generally
Parent ought
to have
foreseen
subsidiary
would rely
on it
Risk
Factors
Business of
parent &
subsidiary
are the
same
Parent has or
ought to have
had superior
H&S
knowledge
Parent knew or
ought to have
known system
of work unsafe

Chandler v Cape plc
[2012]
Thompson v The
Renwick Group plc
[2014]
subsidiary
in its duty of care
scientific officer
production
steps were taken
• Claimant employed by a Renwick
subsidiary
• Exposed to raw asbestos
• Subsidiary had no EL insurance or
assets
• Claim against parent company
• No group directors on subsidiary
board and subsidiary run by an
“unconnected director”
Applying factors in Chandler, Court of
Appeal found not liable on facts

Mere
appointment
of subsidiary
director not
enough
Appointment of
directors
Co-operation
between subsidiary
without parent
control ok. Problem
if parent controls
key element e.g.
delivery/finance
Sharing resources
Avoid assets and
paperwork asserting
work done or
decisions made on
behalf of parent
Corporate
branding
Pure holding
company
reduces risk
What does
the Group
say it does in
its safety
policy and
management
system?
Audits both
increase and
reduce risk.
Ignoring warnings
from subsidiary
increases risk
Centralised
advice and
medical support
Parent ought
to have
foreseen
subsidiary
would rely
on it
Risk
Factors
Business of
parent &
subsidiary
are the
same
Parent has or
ought to have
had superior
H&S
knowledge
Parent knew or
ought to have
known system
of work unsafe

Chandler v Cape plc
[2012]
Thompson v The
Renwick Group plc
[2014]
R v CAV Aerospace
[2015]
subsidiary
in its duty of care
scientific officer
production
steps were taken
• Claimant employed by a Renwick
subsidiary
• Exposed to raw asbestos
• Subsidiary had no EL insurance or
assets
• Claim against parent company
• No group directors on subsidiary
board and subsidiary run by an
“unconnected director”
Applying factors in Chandler, Court of
Appeal found not liable on facts
• Fatally injured person employed by
CAV subsidiary
• Killed when stack of metal billets
collapsed
• Corporate manslaughter and HSWA
prosecution of CAV A
• Cases of Chandler and Thompson
considered when establishing duty of
care
• CAV A treated CAV C as supplier but
did not give it control (no FD and
purchasing and stock control
governed by CAV A)
• Ignoring warning of near misses was
most aggravating feature
Convicted of both offences
Fined £600,000

Mere
appointment
of subsidiary
director not
enough
Appointment of
directors
Co-operation
between subsidiary
without parent
control ok. Problem
if parent controls
key element e.g.
delivery
Sharing resources
Avoid assets and
paperwork asserting
work done or
decisions made on
behalf of parent
Corporate
branding
Conflict of
interest/direction
and control
Pure holding
company
reduces risk
What does
the Group
say it does in
its safety
policy and
management
system?
Audits both
increase and
reduce risk.
Ignoring warnings
from subsidiary
increases risk
Centralised
advice and
medical support
Run as a
business
division - no
separate
financial function
Parent ought
to have
foreseen
subsidiary
would rely
on it
Risk
Factors
Business of
parent &
subsidiary
are the
same
Parent has or
ought to have
had superior
H&S
knowledge
Parent knew or
ought to have
known system
of work unsafe
Lack of
independence
Overlap of
directors

A question of risk
Increased control may mitigate
risk of safety failures
But increase exposure if
something goes wrong
May be tainted anyway?

• How likely are CM prosecutions? Does it
matter?
• Rarely can Parent avoid any scrutiny
• Identify where in the organisation safety
management decisions should be taken
• Robust on how decisions are recorded
• Does the safety management system
reflect the reality?
• Check terms of reference for oversight
committees
• How are decisions in JVs and SPVs taken?
• Robust and independent audit of subsidiary
• Follow through on actions and do not
leave recommendations hanging
• Acquisitions
• Check how business fits into safety
management structure
• Does company come with the
competence to run it?
There was no clear and realistic thought given
to the relationship between CAV A and CAV C
particularly at the level of senior management
and above.
Practical Steps

Ann Metherall
Partner
T: +44(0)117 902 6629 M: +44(0)7980 984 071
E: ann.metherall@burges-salmon.com

Risk Culture v
Organisational Culture
Richard Anderson, Director, AndersonRisk

My agenda for today
• Why is risk culture important to business?
• Who has been talking about a “risk” culture?
• VW – a case study
• FRC, IIA, CIMA, CIPD, CVF – what are they saying?
• What do I think?
• A possible approach…
• Wrap up and questions

Why is risk culture important to business?
© Richard Anderson Photography | www.raphoto.me

Why is risk culture important to business?
Five reasons: because of…
• People
• 300 years of failure
• Risk appetite
• Extended enterprise
• Societal impact

Human nature is …
Individualist … or … collectivist
What do you believe … ?
I or C? Which do you think?
The way we live …
“superiors” tell “inferiors” … or … “equals” negotiate the “rules”
Prescribed/In-equal … versus … Prescribing/Equal
Tell or Negotiate? T or N? Which way does it work?
People

Fatalist
Individualist
Egalitarian
Hierarchist
Richard Branson
Philip Green
Entrepreneur
Greenpeace
Environmentalist
Prince Charles
Typical Government
Chief Scientist
What will be will be
I C
Tell
Negotiate
People

300 years of failure
The South Sea
Bubble (1720)
Volkswagen
(2015)
Savings & Loans
(1986 - 1995)
Polly Peck (1990)
Maxwell
(1991)
Marconi
(2006)
Banking Crisis
(2008)
BP
(2010)
HSBC
(2012)
Wal-Mart
(2012)
Tesco
(2014)
Enron and .com
Bubble (2001)

The South Sea
Bubble (1720)
Volkswagen
(2015)
Savings & Loans
(1986 - 1995)
Polly Peck (1990)
Maxwell
(1991)
Marconi
(2006)
Banking Crisis
(2008)
BP
(2010)
HSBC
(2012)
Wal-Mart
(2012)
Tesco
(2014)
Enron and .com
Bubble (2001)
COSO Internal Control I & II
COSO ERM I & II (almost)
Cadbury to Corporate Governance Code
CoCo
King I, II & III

The South Sea
Bubble (1720)
Volkswagen
(2015)
Savings & Loans
(1986 - 1995)
Polly Peck (1990)
Maxwell
(1991)
Marconi
(2006)
Banking Crisis
(2008)
BP
(2010)
HSBC
(2012)
Wal-Mart
(2012)
Tesco
(2014)
Enron and .com
Bubble (2001)
And the next disaster is
being incubated right now…

Level
Propensity to
take risk
Propensity to
exercise control
Strategic
Tactical
Project/
Operational
Measurement
Stakeholder
Value
Risk Metrics
Control
Metrics
RiskTaking
Exercising
Control
Delegation
Escalation
Risk Appetite

Level
Propensity to
take risk
Propensity to
exercise control
Strategic
Tactical
Project/
Operational
Measurement
Stakeholder
Value
Risk Metrics
Control
Metrics
RiskTaking
Exercising
Control
Delegation
Escalation
But any model of Risk Appetite makes
heroic assumptions about the ability of
the people in the organisation to cope
within the ranges it sets…
Risk Appetite

Joint Endeavour
Outcomes
Multiple Economies in
Multiple Societies
Theextended
enterprise

Joint Endeavour
Outcomes
Customer 1
Customer 2
Customer 3
IP Owner
Regulator
Sub-
Contractor 1
IT Outsource
Provider
Government
Supplier 1
Supplier 2
Agents
Prime
Contractor
Multiple Societies
Theextended
enterprise
Sub-
Contractor 2
Labour

Joint Endeavour
Outcomes
Extent of
Shared Values
Allocationof
Incentives
Relative Power
Regulatory
Influence
Theextended
enterprise
Multiple Societies

Joint Endeavour
Outcomes
Extent of
Shared Values
Allocationof
Incentives
Relative Power
Regulatory
Influence
Theextended
enterprise
Multiple Societies
Culture is KING in
managing across the
Extended Enterprise…

Because the societal impact of failure is
leading to breakdowns in society as
witnessed in BREXIT and the rise of
nationalism and protectionism versus
free trade and globalisation
Societal impact

Who has been talking about risk culture?

The commentators
Organisation Title Pages Culture Risk Culture
DoJ (2010) Bribery Act 43 7 (16%) Nil (0%)
NAO (2011) Managing Risk in Government 18 4 (22%) Nil (0%)
IRM (2012)
Risk Culture – resources for
practitioners
114 893 (783%) 344 (302%)
FRC (2014) Risk Management etc 28 20 (71%) Nil (0%)
FSB (2014) Guidance […] on Risk Culture 14 100 (714%) 70 (500%)

• The board’s responsibility for
the organisation’s culture is
essential to the way in which
risk is considered and
addressed within the
organisation and with external
stakeholders.
• The board must determine its
willingness to take on risk, and
the desired culture within the
company.
• The board has ultimate responsibility for
RM…, including for the determination of
the nature and extent of the principal
risks it is willing to take to achieve its
strategic objectives and for ensuring that
an appropriate culture has been
embedded.
• Training and communication assist in
embedding the desired culture and
behaviours in the company. To build a
company culture that recognises and
deals with risk, it is important that the
RM and IC systems consider how the
expectations of the board are to be
communicated to staff and what training
may be required.
The FRC

• “The top-level management of a
commercial organisation (be it a
board of directors, the owners or
any other equivalent body or
person) are committed to
preventing bribery by persons
associated with it. They foster a
culture within the organisation in
which bribery is never
acceptable.”
• “Those at the top of an organisation
are in the best position to foster a
culture of integrity where bribery is
unacceptable. The purpose of this
principle is to encourage the
involvement of top-level
management in the determination
of bribery prevention procedures. It
is also to encourage top-level
involvement in any key decision
making relating to bribery risk
where that is appropriate for the
organisation’s management
structure.”
Department of Justice
Principle 2 - Top-level commitment

• “An anticipatory and strategic
approach to supervision rests,
among other things, on the ability
to engage in high-level sceptical
conversations with the board and
senior management on the
financial institution’s risk appetite
framework, and whether the
institution’s risk culture supports
adherence to the board-approved
risk appetite.”
• “Culture can be a very complex issue
as it involves behaviours and
attitudes. But efforts should be made
by financial institutions and
supervisors to understand an
institution’s culture and how it affects
safety and soundness. While various
definitions of culture exist,
supervisors are focusing on the
institution’s norms, attitudes and
behaviours related to risk
awareness, risk taking and risk
management, or the institution’s risk
FSB

The FSB’s top four indicators of the risk
culture
•Tone from the top;
•Accountability;
•Effective communication and challenge; and
•Incentives.

IRM Risk Culture Framework
Risk Culture
Organisational Culture
Behaviours
Personal Ethics
Personal
Predisposition to
Risk
IRM’s risk culture framework
looks at component parts making
up an organisation’s risk culture
• How will I react?
• How will I respond in
recognition of other competing
needs?
• What will I do?
• What will we do?
• Our overall risk culture

Risk culture aspects model
Risk Culture
Tone at the
Top
Risk
Leadership
Dealingwith
BadNews
GovernanceAccountability
Transparency
Decisions
RiskInformed
Decisions
Reward
Competency
Risk
Resources
RiskSkills

VW: a case study

Objectives
• To be the biggest car manufacturer in the world
• To move motorists across to diesel engines as
requested by the EU
• To demonstrate compliance with Californian air
quality requirements

Core personal values
1. Social responsibility:
Innovative employment
models and social
involvement.
2. Sustainability: Human rights,
labour standards,
environmental protection:
there are many facets to
sustainability.
3. A spirit of partnership:
Equality and humanity:
fairness is important to us.
4. "Pro Ehrenamt"
volunteering initiative: Have
you ever thought about
becoming a volunteer?
There are many ways to
get involved - and there's
one near you.

Sustainability
“We aim to be the world’s most successful, fascinating and
sustainable automobile manufacturer. For the Volkswagen
Group, sustainability means that we conduct our business
activities on a responsible and long-term basis and do not seek
short-term success at the expense of others. Our intention is that
everyone should profit from our growth – our customers and
investors, society and, of course, our employees. In this way,
good jobs and careful treatment of resources and the
environment form the basis for generating lasting values.”

Global Compact
• Since 2002, Volkswagen has been involved in one of the largest and most
important CSR initiatives in the world
• This sets out the Ten Principles of human rights covering working standards,
environmental protection and combating corruption
• “Together with 12,000 companies from over 170 countries, Volkswagen works in
diverse international CSR projects towards making the global economy more
sustainable and fairer. An annual progress report documents our projects.”

Failing to live up to their standards
• Emitting larger amounts of NOx than allowed was not in line
with looking after the Human Rights of communities where their
cars were sold;
• Lying to regulators by installing this software is fundamentally
corrupt when you define corruption as “the abuse of entrusted
power for private gain”; and
• Clearly the engineering solution was not consistent with
environmental protection.

Where they failed
1. Values
2. Silos
3. Layering
4. Short-termism
5. Control v Risk
6. Obstruction
7. Black holes

FRC, IIA, CIMA, CIPD, CVF – what are they
saying?

The Culture Coalition
Organisation Title Pages Culture Risk Culture
FRC (2016) Corporate Culture and the role of boards 62 435 (702%) 7 (11%)
IIA (2016) Organisational Culture 27 366 (1,355%) 31 (115%)
CIMA (2016) Rethinking the Business Model 38 5 (13%) 0 (0%)
CIPD (2016) A Duty to Care 38 381 (1,002%) 0 (0%)
CVF (2016) Governing Culture, Risk & Opportunity 30 130 (433%) 0 (0%)

FRC guidance on culture: a missed
opportunity
62 pages of platitudes:
• How chairmen and chief executives are vital to the culture;
• How non-executive directors should probably be involved, but
poor individuals, they find it hard;
• How culture is so very important, but it really is difficult;
• How important it is for directors to exhibit their corporate values;
• How hard pressed heads of internal audit want to do work in
this area, but their boards are not ready

My conclusions on the FRC report
So rather than see some wishy-washy platitudes with
“suggested” topics for boardrooms to discuss, when they
get round to it, it is time for the FRC to commission first
class research from people who have genuinely thought
about the subject – both academics and practitioners.
And then we can talk constructively about the
importance of culture versus risk culture and just how we
can measure and manage both of them.

And the others
• CIIA: only about assurance. Little about managing the culture or
risk culture and no reference to the differences
• CIMA: seem to have forgotten the topic
• CIPD: NOTHING about risk culture
• CVF: Ditto

The risk…
The participants in the FRC’s Culture
project, led by the FRC have let directors
wriggle off the hook and substantially to
ignore Organisational Culture (because
they only spoke in platitudes) and totally to
ignore Risk Culture which barely gets a
mention.

What do I think?

Risk v Organisational Culture
Unlike some, I firmly believe that there is a major difference between the
“Culture” of an organisation and the “Risk Culture”. I also think that the
two elements are entirely measurable by looking at the conversations and
risk conversations (the cultural DNA) in the organisation
Culture:
The culture of the organisation is built
from the behaviours, beliefs, attitudes,
activities and ethical responses of the
individuals in the organisation and
determines how those individuals will
respond to issues in the “here-and-
now”. It is influenced by the tone from
the top, incentives and the social &
regulatory environment.
Risk Culture:
“The risk culture of the organisation is
about how individuals tackle the
complexity of the multiple futures that
face them in dealing with issues today.
It is about “tomorrow” rather than the
“here-and-now”. It is what gives an
organisation the resilience to tackle
difficult decisions today while having
an eye on the impact tomorrow.”

My model of risk management has now
changed…
Traditionally I see risk
management as a trade off
between two pairs of tensions:
1. Taking more managed risk
– v – Avoiding pitfalls
AND
2. Performance culture – v –
Corporate ethics and
behaviours
I now add a third pair of tensions
3. Allowing the needs of today to
dominate because of the
corporate culture – v –
Allowing the needs of
tomorrow to dominate
because of the risk culture

In summary, I think that…
• Organisational Culture and
Risk Culture are different
• Both are vital to retaining and
growing long term sustainable
value
• The Risk Culture is poorly
understood but ignoring it is
potentially very dangerous
• VW, the GFC, HSBC, and
LIBOR show that problems
STILL exist
• We MUST demonstrate to
boards why this is important
• We MUST develop practical
approaches to managing Risk
Culture

A possible approach…

Assessing the Risk Culture: three
traditional steps
Desk Top
Research
Surveys
Interview
s
But…
not often that
much policy
worthy of
review in
terms of risk
culture
But…
Most surveys
suffer from
groupthink and
you can’t
move beyond
it
But…
Most senior
people will give
the right answer
anyway so you
learn little

So we have introduced a fourth step
Desk Top
Research
Surveys
Interview
s
Conversations in Risk

Conversations in risk management
You
CFO CEO
Suppliers Clients
CMO
Back
Office

0%
25%
50%
75%
Production
and Projects
Sustainability
and HSE
Drilling Exploration &
New Business
Finance Other
Production and Projects
In this organisation, there were six
organisational departments. “Production
and Projects” talked a lot about risk, but
73% of their conversations were WITH
THEMSELVES: they were not dealing with
risk by talking to other experts in the
organisation… About 22% were with their
“Sustainability and HSE” department.

Sustainability and HSE
But the “Sustainability and HSE”
department was not listening because less
than 10% of their risk discussion were with
Production and Projects and a whopping
72% were WITH THEMSELVES. This
organisation was HOPELESSLY silo’ed
and they did not recognise it
inthemsleves. They needed to work
together because of the economic
environment, but their risk culture was
shot to pieces and the business was
following downhill.
0%
25%
50%
75%
Production
and Projects
Sustainability
and HSE
Drilling Exploration &
New Business
Finance Other

Three states for a conversation
Unmatched
Partially
Matched
Completely
Matched
The Desired Direction of Travel

Unmatched
Partially
Matched
Completely
Matched
% % %
Three states for a conversation

This diagram,
straight from our
system, shows all of
the participants in
the exercise and
(rather
depressingly) shows
that none of the
conversations was
matched. They had
a lot of work to do to
turn this round, and
they needed to do
so quickly

This picture simply
illustrates the
richness of the data
showing linkages
between individuals.
Each connection is
based on a set of
data that we
analyse and
summarize to come
to the board level
view. It also
explains why the
underlying data are
actionable…

And where cultures clash…
Issues which any board should want to know about:
• Values: Significant deviations from the board’s values.
• Silos: Especially where an organisation is facing complexity in its
dealings internally or externally.
• Layering: Layered management reporting prevents new issues
being spotted on a timely basis.
• Short-termism: Extrapolation from past behaviours is not
necessarily good enough for dealing with new futures.

And where cultures clash…
Issues which any board should want to know about:
• Control v Risk: Control (or risk control) management instead of
risk management.
• Obstruction: Individually obstructive nodes can be very
dangerous.
• Black holes: Sometimes it is difficult to discern any volume of
conversations about risks.

Wrap up and questions?

Resources:
1. IRM Risk Appetite and Tolerance Guidance:
https://www.theirm.org/media/464806/IRMRiskAppetiteExecSummaryweb.pdf
2. IRM Risk Culture Guidance:
https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf
3. FRC Culture document: https://www.frc.org.uk/Our-Work/Publications/Corporate-
Governance/Corporate-Culture-and-the-Role-of-Boards-Report-o.pdf
4. FSB Risk Culture: http://www.fsb.org/wp-content/uploads/140407.pdf?page_moved=1
5. AndersonRisk Commentary on Risk Culture:
http://andersonrisk.com/publications/downloads/ (and check my publications on LinkedIn)
6. AndersonRisk board agenda: http://andersonrisk.com/publications/downloads/
7. AndersonRisk blog: http://andersonrisk.com/conversations/

RCA@AndersonRisk.com
Tel: +44(0)7807 780284
www.AndersonRisk.com
Thank you!

ICSA Subsidiary Governance Conference

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to ICSA Subsidiary Governance Conference

Similar to ICSA Subsidiary Governance Conference (20)

More from Institute of Chartered Secretaries and Administrators

More from Institute of Chartered Secretaries and Administrators (20)

Recently uploaded

Recently uploaded (20)

ICSA Subsidiary Governance Conference