1 | Building trust through transparency
How much added value does the, often generic, In-control statement really have?
Listed companies lack the courage to be truly open and transparent about risks and the level of control. Risk management paragraphs provide little to no insight into improvements made to the risk management system of possible shortcomings thereof. The ‘In-Control statement’ that follows does not provide much more comfort: 97% of companies follow the Corporate Governance Code to the letter, most of them literally copying its text.
Written by Denise Valkering and Arlette Brouns, Senior Consultants Governance & Strategic Risk
The revised Corporate Governance Code, one year later
This blog is part of Deloitte’s ‘revised Corporate Governance Code, one year later’ series. The blogs address how Dutch listed companies account for their application of the 2016 Corporate Governance Code in their annual report. The Dutch Corporate Governance Code aims to enhance transparency around companies’ risk management and control systems, stimulating them to communicate openly about improvements and potential shortcomings of the system. In practice companies lack the courage to be truly open, resulting in generic in-control statements.
The Dutch Corporate Governance Code requires listed entities to make a statement on the level of control in their organization in the so called ‘In-control statement’. Deloitte’s benchmark study into 68 listed entities shows that almost 79% literally copy and paste the text from the Code. A few other organizations (18%) use the wording from the Code, but in a narrative summary. In both cases the statement lack company specifics. Which poses the questions: does the In-control statement, in this generic form, provide any real added value?
How much value does the in-control statement add?
We asked selection of (non)executives and general counsels in a Roundtable session, organized by Deloitte and Allen&Overy. According to this group, ‘being in control’ of your organization is mostly dependent on how well you know your organization (14% totally agreed, 50% agreed). They felt that the in-control statement itself is not needed to ensure a critical review of their own performance.
That being vulnerable in your external accountability can be challenge is further illustrated by the fact that the majority of companies even add a disclaimer to their statement. Completeness and future effectiveness cannot be ensured or a reference is made to materiality levels, ignoring everything below the threshold. If the statement itself is a copy-paste exercise and a disclaimer is added, what is management taking responsibility for? Can stakeholders, and especially shareholders, derive any comfort from this statement, as it intends to do?
What is in the risk management paragraph?
Often the in-control statement is presented at the end of the risk management paragraph. Both subjects should be read in conjunction to get more insights into the level of control of the company. Relevant, company specific, information on risks, uncertainties and the way these are handled to remain in control. While the top 10 risks across the board are still fairly similar, companies provide detailed descriptions of what the risk means to them and how they manage their risks
The Code provides certain guidance on what should or can be included in the risk management paragraph. Next to the most relevant risks or uncertainties, the Code has further emphasizes the concept of risk appetite in its most recent revision. Deloitte’s benchmark study reveals that companies are providing more details in their risk appetite. Where a more generic, boiler plate statements were made on the risk appetite in 2016 reporting. This year most companies are disclosing their risk appetite per risk category (49%) or even showing the risk appetite for each of the top risks (26%).
Risk mitigating measures and actions to take to stay within the stated risk appetite are described by 90% of the studied companies. Which can provide the reader with a certain level of comfort on what is being done to stay in control.
An important new element of the 2016 Code is the requirement to report on opportunities for improvement or shortcomings in the risk management system. Our research shows that this is an area where improvements can be made. Companies lack the courage to be truly transparent on what could be better in managing their risks. More than half of the studied companies do not state whether any improvements have been made to the risk management system. And while almost half (49%) do state that improvements have been made, they do not provide details as to what those improvements might entail.
The risk paragraph and in-control statement are meant to provide insight into and comfort on the level of control to the shareholder, other stakeholder and society. It should provide comfort to the reader in the way management deals with risks and uncertainties. Considering the lack of transparency on improvement initiatives, followed by a generic in-control statement, it seems that we are lacking the courage to be open and vulnerable. Even if this vulnerability and transparency might lead to more comfort and trust.
‘The revised Corporate Governance Code, one year later’ series
This blog is part of a weekly series of blogs on the results of Deloitte’s benchmark study, examining annual reports of Dutch listed companies to assess how implementation of the 2016 Dutch Corporate Governance is accounted for in its first year. This benchmark study included the annual reports of 68 Dutch listed entities.
As the Code is principle based, we know from our own experience and those of our clients that applying it to your organization can be challenge. Through this benchmark and this series of blogs we provide insights into implementation of some of the key elements in the Code. Interested to see how Dutch listed companies deal with Remuneration and pay-ratio’s?
Subscribe here to the series and receive a notification as soon as the next blog is available.
Curious how Deloitte’s can help your organization with risk management and internal control systems? Please contact Arjan ten Cate or Rob de Leeuw via their contact details below. Both specialize in Corporate Governance, Risk Management and Internal Control and Internal Audit.