Chapter 14: case study 14.1, 14.2 & 14.

3
14.1 The Sage Group Plc Evaluate the approach to enterprise risk management that the Sage Group has developed. The Sage Group (www.sage.com) has a relatively sophisticated approach to risk management as can be seen in the following extract from their web site (www.sage.com/ourbusiness/corporategovernance/corporaterisk). The case provides an opportunity to discuss what comprises professional risk management at board level. Corporate Risk The Board is responsible for the operation and effectiveness of the Groups system of internal controls and risk management. There is an ongoing process for identifying, evaluating, and managing the significant risks faced by the Group. It is regularly reviewed by the Board and complies fully with the Turnbull guidance. The internal control systems are designed to meet the Groups particular needs and the risks to which it is exposed and by their nature can only provide reasonable, but not absolute, assurance against misstatement or loss. The effectiveness of this process has been reviewed by the Audit Committee, which reports its findings to the Board. The processes used by the Audit Committee to review the effectiveness of the system of internal control include discussions with management on significant risk areas identified and the review of plans for, and results from, internal and external audits. The Audit Committee reports the results of its review of the risk assessment process to the Board. The Board then draws its collective conclusion as to the effectiveness of the system of internal control. The key procedures, which the directors have established with a view to providing effective internal control, are as follows: Indication of business risks The processes to identify and manage the key risks to the success of the Group are an integral part of the internal control environment. Such processes, which are reviewed and improved as necessary, include strategic planning, the appointment of senior managers, the regular monitoring of performance, and control over capital expenditure and acquisitions. The Company has formed a Risk Committee consisting of the Chief Executive, Group Finance Director, the Group Risk officer, members of the Group finance team, the Secretary and representatives of the Group operating companies. A representative of KPMG, the internal auditors, may attend meetings of the Committee by request. The Committee reviews all business activities to identify the nature and extent of the significant risks facing the Group, undertakes risk review audits, and

considers the scope and results of audits undertaken by KPMG. It identifies significant internal control failings and weaknesses, if any, and agrees remedial action on such matters. The Risk Committee reports to the Audit Committee. Through the work of the Audit and Risk Committees, the Board is provided with a balanced assessment of the significant risks associated with the Groups operations and the effectiveness of the system of internal controls. A whistleblowing telephone hotline service has been introduced in many operating companies in the Group (including all those in the UK and US) allowing employees to raise issues of concern in relation to dishonesty or malpractice on an entirely confidential basis. The Audit Committee receives regular reports on any matters raised through this service and monitors its use throughout the Group. Similar arrangements are being considered for Group companies in other jurisdictions subject to compliance with local legal requirements. Quality and integrity of personnel The integrity and competence of personnel is ensured through high recruitment standards and subsequent training courses. High quality personnel are seen as an essential part of the control environment. Management structure The Board has overall responsibility for the Group. Each executive director has been given responsibility for specific aspects of the Groups affairs. A clearly defined organisational structure exists within which individual responsibilities are identified and can be monitored. The management of the Group as a whole is delegated to the Chief Executive and the executive directors. The conduct of Sages individual businesses is delegated to the local executive management teams. These teams are accountable for the conduct and performance of their businesses within the agreed business strategy. They have full authority to act subject to the reserved powers and sanctioning limits laid down by the Board and to Group policies and guidelines. Internal audit The Group utilises internal audit resources supplied by KPMG to review compliance with procedures and assess the integrity of the control environment. Internal audit acts as a service to the businesses by assisting with the continuous improvement of controls and procedures. Actions are agreed in response to its recommendations and these are followed up by the Audit and Risk Committees to ensure that satisfactory control is maintained. Budgetary process A comprehensive budgeting system is in place, with annual budgets for all operating subsidiaries being approved by respective subsidiary boards. Subsequently the combined budget is subject to consideration and approval by the Board. Management

information systems provide the directors with relevant and timely information required to monitor financial performance. Investment appraisal (including acquisitions) Budgetary approval and defined authorisation levels regulate capital expenditure. As part of the budgetary process the Board considers proposals for research and development programmes. Acquisition activity is subject to internal guidelines governing investment appraisal criteria, financial targets, negotiation, execution, and post-acquisition management. 14.2 The University of Sussex Evaluate the risk ranking procedures of the University of Sussex. 1. What issues might occur in its application? 2. What benefits might flow from this approach? A straightforward ranking schema showing the potential impact, likelihood and overall risk ranking. The issues that might occur in its application include the difficulties, particularly in a university environment, of obtaining the relevant data, assessing the likelihood to obtain the risk ranking. The benefits include the opportunity for the university to take appropriate action in advance, to know where they are exposed to risk and for the governing body to accept its responsibility for professional enterprise risk management. 14.3 The Northern Rock case Northern Rock is set to join the annals of British corporate governance. Northern Rock started life in the 19th century as a mutual building society (savings and loans association) owned by the members. In 1997, it de-mutualised and changed its strategy towards growth, introducing the 'Together' loan which allowed borrowers 125% of the value of their home at up to six times their annual income (both more than most other lenders). The Northern Rock bundled these loans and sold them on the open financial market (rather like government bonds but with significantly less security). 1. What role did the board play in this saga? It is worth reminding ourselves of the key players: Chief executive - Adam Applegarth, 38, joined the company in 1980 as a graduate trainee. He had no banking qualifications but had expertise in marketing. According to the Daily Mail (14.6.08) he was confident, aggressive, and charismatic. Chairman - Dr. the Honourable Matthew White Ridley, son of Viscount Ridley, educated at Eton College and Oxford, had a doctorate in zoology. He was not a financier. He joined the board as an INED in 1994 and became chairman in 2004. He also chaired the nominations committee.

The other INEDs were: Adam Fenwick, 46, the group managing director of Fenwick Ltd and an INED of John Swire and Sons Ltd. Sir Ian Gibson, 60, the senior INED, who had industrial experience in running Ford Motors and Nissan, and was currently chairman of the publishers of the Daily Mirror and an INED of GKN plc and Greggs plc. He was previously a member of the Court of the Bank of England. Nichola Pease, 46, chief executive of JO Hambros Capital Management, previously with Barings, famous for its collapse after a Singapore trader was allowed to run excessive risks. Michael Queen, 45, a director of 3i Group plc. Rosemary Radcliffe, 62, a leading chartered accountant and a complaints commissioner for the Financial Services Authority. Sir Derek Wanless, 59, former CEO of NatWest Bank, who steered it through an acquisition strategy that proved disastrous, and left in 1999 with a 3 million pay-off. Well respected in the City of London, and a member of the actuarial committee of the Financial Reporting Council. He was chairman of Northern Rock's audit committee and risk committee. On this board, Pease, Radcliffe and Wanless could be considered to have experience of the financial world. Gibson, though having served on the Court of the Bank of England was really an industrialist. 1. What role did the board play in the saga? On the face of it, very little. There is no evidence to suggest that the CEO, the chairman, or any of the other directors questioned the risk profile of the bank's strategy or asked the 'what if' question: what if the international market for funds, on which we are totally dependent, fails to provide us with finance, what if house prices fall? 2. Did the directors understand the underlying business model and how it differed from the classical banking approach to lending? Did they appreciate their company's exposure should the financial markets change? Did they know the extent of their business risk? The obvious answer to all three questions is: no. Whose fault was that? Primarily, the chief executive who had delegated responsibility for running the bank. But the chairman should have ensured that the board was aware of the extent of the banks' financial exposure and risk, and any of the INEDs could have raised similar questions. There is no evidence that they did.

3. If the answer to these questions is yes, was the board's business judgement valid? Did the directors accept the risk, deciding that such a level of exposure was reasonable for their company? This question makes the charitable assumption - that the board did understand the risks and had made a business judgement that they were acceptable. This would suggest that the board had chosen to hazard their savers funds and ignore the exposure of their shareholders to loss. In the event, most of the savers were able to recover their savings, albeit after standing in queues and enduring collapses of the company's trading web site. The share price dropped from a high of 12.60 to less than 1 (a loss of some 4bn.) Finally the British government bailed out the bank, allegedly to avoid a major loss of confidence in the banking system. Further support has subsequently been needed and the current exposure of the taxpayer has been estimated at over 55 bn. Although no one can know how this will all end.