focusing on the features that are most striking to an outside observer provides a useful starting point for understanding the organization’s approach to risk management.
CIMA’s Official Terminology (CIMA, 2005, p. 20) defines performance measurement as: ‘the process of assessing the proficiency with which a reporting entity succeeds … in achieving its objectives’. The same terminology (CIMA, 2005, p. 53) defines risk management as the ‘process of understanding and managing the risks that the entity is inevitably subject to in attempting to achieve its corporate objectives’.
It would therefore seem that it is difficult, if not impossible, to talk about risk management without simultaneously talking about performance management: the two go hand in hand. This integration of risk and performance thinking is straightforward in theory but not so easy to implement in practice, yet it forms the blueprint for Tesco’s approach to risk management. In order to understand how this is implemented it is helpful to map out the way in which objectives are operationalized within a business.
Traditional theory argues that it is the role of senior management to translate objectives into detailed strategies, which are influenced by both external and internal factors. An organization’s external environment, in terms of the regulatory regimes, economic conditions, industry structure and levels of competition, may restrict strategic choices. Additionally, it is widely acknowledged (see for example Band and Scanlon, 1995) that good ‘strategic fit’ (Waterman, 1986) is fundamental to organizational success, where the term ‘fit’ refers to the need for strategies to reflect internal characteristics of the business. These include human resources, culture, systems and structures.
Risk management is one of the structures within this framework, and so it is important for it to also reflect and fit in with the factors seen to influence strategies, both internally and externally. Tesco provides a good illustration of how corporate strategies, structures, control systems, people and culture interact to create an organization with specific individual characteristics. The nature and strength of the interactions can be expected to vary across organizations, with the result that risk management systems may vary widely even across apparently similar organizations. This characteristic is clearly demonstrated across the series of case studies of which this forms a part.
Risk management within Tesco: internal influences
The risk management system reflects and responds to the following powerful internal influences:
The influence of the CEO, Sir Terry Leahy.
The corporate culture and resulting corporate control systems.
The nature of the business and particularly its overall simplicity - in essence it is a distribution business.
Organizational structure, particularly the limited number of managerial levels within its relatively ‘flat’ structure.
52 Risk management in the private sector
Each of these influences is now discussed in some depth:
Sir Terry Leahy
The first page of the 2009 Annual Report expounds the organizational philosophy in its declaration that ‘Tesco is about creating value for customers to earn their lifetime loyalty’. This is reiterated a few pages later (p. 8) in the statement that ‘At the core of Tesco’s business model is a focus on trying to improve what we do for customers’.
This philosophy directly reflects the viewpoint of the CEO, Sir Terry Leahy, who is totally customer focused. His argument is that keeping customers happy is fundamental to success and this perspective is embedded in all staff from day one. Gaining staff support for the business philosophy is not only good for customers, however, but also for the overall organization. The average longevity of people within the Tesco management team is around 14 years, and maintaining a global staff retention rate in excess of 80 per cent³ is one of the company’s key performance indicators. Consequently, recruitment and training costs are reduced, resulting in higher returns to shareholders.
The interviews and supplementary informal research suggest that knowledge of Leahy’s priorities permeates the full length of the organizational hierarchy. Checkout and shelf filling staff within stores know that the sound bites that are so familiar to Tesco customers such as ‘every little helps’ should be reflected in their own patterns of behaviour. Company wide, it seems to be accepted that if the business is performing well in the eyes of the customer, then it will also be performing well for other stakeholders. As one interviewee phrased it: ‘the biggest barometer we’ve got is our customers … how can we earn their lifetime loyalty?’
In practical terms, this results in a strong internal focus within the business. It was suggested that ‘Terry’s philosophy is very clear. If you look at the customer and you are doing what the customer wants, you don’t have to spend your energies worrying about competitors’. Not everyone would necessarily agree with such a perspective, but it has the advantage of providing a clear and simple message by which to guide staff thinking and behaviour. Furthermore, Leahy’s emphasis on customer needs taking priority over worrying about the competition exactly matches the thinking of Kenichi Ohmae, a former partner in McKinsey & Co. and a man widely described as ‘Mr Strategy’. Ohmae takes the view that ‘before you test yourself against the competition, strategy takes shape in the determination to create value for customers’ (Ohmae, 1988).
Most important, if the customer is the focus of attention, and performance is measured in terms of customer loyalty as well as overall spend, then risk management structures also need to reflect this philosophy. One simple example of how this works in practice is the ‘one in front’ promise that no customer will have to queue behind more than one other in waiting for service at the checkout. Queues represent a risk that a customer will either walk out without buying, or wait but be reluctant to return and waste time waiting to be served. Risk is thus defined in very simple terms and this simplicity is one of the features of the Tesco approach.
Corporate culture
As indicated, the emphasis on the idea that the ‘customer is king’ has a direct impact upon the risk management system, because risk aversion is expressed in terms of doing the best one can for customers. In cultural terms, this is translated as ‘we’ve all got a role to play’, and Tesco staff purposely avoid talking about risk or a specific risk management function, and avoid creating a risk department staffed by individuals taking on roles with risk-related titles.
The feeling is that ‘having a risk management function probably gets in the way of actually managing the risks because people are thinking about the risks as opposed to thinking about the customer, so all we are worried about is serving the customer and what can go wrong with that’. In other words, there is a danger that risk management cultures might actually get in the way of clear accountability for risk. ‘This is about culture and terminology … we don’t want risk management to get in the way of what is a successful company, but we need to get risk management to dovetail into what we are trying to do’.
This cultural perspective was very clearly illustrated when an interviewee was asked about the perceived extent of risk awareness among the managers and operational staff. The response was ‘I don’t think in terms of the word risk there is one. I think, however, there is an awareness of things possibly going wrong’. In other words, the culture is one in which risk is defined and debated purely in terms of performance against objectives - and the core objective of serving the customer. Risk management and performance management are totally integrated, at least in terms of the underlying principles under which the business is managed.
This is an interesting contrast to the textbook view that risk management is a control system and that controls often create additional layers of bureaucracy. As the recent banking crisis has so vividly illustrated, risk management as a tick box exercise may actually be highly ineffective in control terms if people do not think about the underlying motivation behind the control. In its purest form, controls are put in place to help an organization achieve its objectives.
This culture does not imply that Tesco is devoid of formal structures for risk management - it is simply the case that the objectives of risk management are given precedence over the systems themselves. One simple way in which this idea can be seen to permeate the whole organization is via the creation of customer focused sound bites such as ‘every little helps’. This is risk management in a subtle, rather than an elaborate form.
The nature of the business
The group has two business segments, retailing and financial services, with the former hugely dominant in terms of revenue, net assets and capital investment (Table 4.3).
Table 4.3 Business segments

| Year ended 28 February 2009 | Retailing £m | Financial services £m | Total £m |
| :--- | :---: | :---: | :---: |
| Revenue | 54,164 | 163 | 54,327 |
| Segment assets | 39,788 | 6,203 | 45,991 |
| Segment liabilities | (27,557) | (5,501) | (33,058) |
| Capital expenditure (including acquisitions through business combinations) | 6,537 | 283 | 6,820 |

Source: Tesco Annual Report, 2009, p. 81
In essence, therefore, setting aside the financial services arm for the moment, Tesco is a fundamentally simple retail distribution business - albeit operating on a massive scale - that can be summarized in terms of five core processes:
Buying products from suppliers.
Sending them to a distribution centre.
Transferring goods from the distribution centre to the stores.
Taking cash.
Banking the receipts.
The primary risks to the business are therefore those which threaten these processes. Not surprisingly, therefore, risk management in the business is built around process mapping which ensures a clear and detailed understanding of what factors might prevent processes running smoothly. Ultimately, ‘Watching the supply chain is absolutely critical to ensure we are able to supply what the customer wants, when they want it, and in the condition they want’.
Organization structure
Complementing the relatively simple business model is a simple organizational structure which directly reflects it.
Despite employing almost 470,000 people around the globe, the grade structure in Tesco is relatively flat, as there are only five levels in the management hierarchy. The top two grades encompass approximately 200 people, and so the structure is a triangle with a very wide base. This flat structure offers, in principle, good opportunities for staff to progress through the hierarchy, and Sir Terence Leahy’s profile provides evidence of this. He joined Tesco in 1979 after graduation as a marketing executive, and was appointed to the Board of Directors in 1992. Leahy became Chief Executive just five years later in 1997.
The flat structure makes it easier to identify accountability for risk, as risk registers cascade down the hierarchy, and risk management is made even more manageable by a structure that separates out the financial risks - managed by the Treasury - from other risks which are overseen and monitored by internal audit. Additionally, Tesco Personal Finance (TPF) is run separately from the rest of the business, and until the buyout from Royal Bank of Scotland (RBS), the risks were shared between both parties to the joint venture. The customer model and branding belonged to Tesco but the infrastructure was that of RBS. (The management of risk in TPF is dealt with separately and in some depth later in this case study.)
Summary
The roots of the risk management system within Tesco lie in the corporate culture, business model and overall structure of the organization. In summary, risk is about performance management and performance is measured in terms of doing what the customer wants. The challenge is to make all of that work in practice by embedding risk awareness into the DNA of all staff. The next section explains the formal structures that are used to try and achieve this.
Governance
Overall structure
The governance structure within the group defines the way in which Tesco is directed and controlled. This structure is illustrated in Figure 4.1, which complements the narrative on governance that is contained within the annual report. The primary lines of accountability show the group Board of Directors overseeing the work of the Executive Committee⁴ and boards of the various national subsidiaries, who in turn oversee the management teams in each country. The Retail Council, made up of around 40 people, is responsible for collecting together all the key decisions taken by the Board and the associated committees and cascading that information throughout the entire business. By using the Retail Council as the single conduit for core decisions, the risk of inconsistent messages is avoided.
The core structure is supported by a number of committees at both board level and below, each of which has a focused remit. The Board of Directors meets nine times a year, including a two-day off-site meeting to review strategy. The Executive Committee meets weekly and is responsible for implementing group strategy and policy and for monitoring the performance and compliance of the business, drawing on the work of relevant committees, and reporting on these matters in full to the Board.
At board level, the various strategic and regulatory committees deal with issues which are fundamental to the strategic success of Tesco and the protection of its reputation. These committees meet at varying intervals, but at least quarterly. Working together, they have responsibility for implementing the key elements of the group’s strategic plan and managing its UK and international operations, joint ventures, property acquisitions, finance, funding and people matters. The committees’ members are a mix of Executive Directors and senior management from relevant functions.
Figure 4.1 Governance model
Source: Internal documentation provided by an interviewee
Below board level, the operational committees are concerned with implementing the group’s strategies and regulatory commitments at country level. The classification of the operational committees under the headings of trading, operations, people, property and IT offers insights into areas where the business feels risks need careful management. Trading is the heart of a retail business, and operations, people, property and IT all feature in the Risks and Uncertainties section of the directors’ report.
It is interesting to note that the governance structures covering international operations are identical to those covering the core UK market. This approach has two potential merits. First, it ensures consistency across the whole group, and second it facilitates the movement of staff across different geographic areas, e.g. from Asia to Europe or vice versa, because the systems are common. In this way the valuable asset of senior staff can be utilized to maximum effect.
The steering wheel
At the centre of the governance structure is a steering wheel - Tesco’s version of a balanced scorecard - which is the tool used for performance measurement and management against the targets laid down in the group’s five year rolling plan. The 2009 version of the steering wheel is reproduced in Figure 4.2.
The five year plan establishes targets for the overall group, which reflect the core long term strategy of ‘creating value for customers to earn their lifetime loyalty’. This is pursued through long-term growth of the business both in the UK and internationally. In the UK, growth is sought through expansion into markets such as financial services, non-food and telecoms. Internationally, growth is sought by entry into new locations, most recently China, India and the United States.
The strategies are used to generate plans and performance targets for each of the separate geographic and business segments. At all levels of Tesco - from group, through the business segments, national and regional operations, right down to the individual store - targets are also expressed in terms of the five perspectives of the steering wheel. At store level, the steering wheel is also linked to the objectives of individual members of staff, so that group level strategies connect back to day-to-day work. When KPIs are not on track, systems are in place at every level of the organization to investigate the reasons why and to plan corrective action. Quarterly performance reports are submitted to the Board of Directors and a summary report is also sent to the group’s top 2,000 managers for dissemination to staff.
Figure 4.2 ‘Our steering wheel’
Source: Annual Report, 2009, p. 6
Targets are defined under five separate perspectives of customers, operations, people, community and finance, which the company argues ensure that Tesco puts ‘appropriate balance’ into the trade-offs that need to be made between the main elements of customer metrics, financial measures and operational efficiency and effectiveness. They argue that for the shareholders, the balanced approach is beneficial because the combination of operational efficiency and customers who are well looked after will combine to improve sales, profits and investor returns. The idea that an improved financial performance is the outcome of good performance in the areas of customers, operations and people is very closely aligned with that of Kaplan and Norton, who first promoted the balanced scorecard approach. The cycle is driven by paying very close attention to the customer’s needs, which when satisfied creates a virtuous circle of improving results as shown below in Figure 4.3. This focus on the customer fits with the widely accepted principle that increased customer loyalty is the single most important driver of long term financial performance (Norreklit, 2000).
Proving the empirical existence of this virtuous circle is almost impossible because of all of the intervening factors that may impact on performance. That said, the steering wheel has been in place in Tesco since 2005 and over that period group revenues have increased by over 50 per cent; the gross operating margin has remained constant and EPS has increased by 75 per cent. This would suggest that the strategies are proving successful from a shareholder perspective and the steering wheel does work to improve performance, at least for this organization.
Figure 4.3 Cause and effect in the steering wheel.
The steering wheel is used to monitor and control performance in relation to each of the five elements, and KPIs relating to shareholders are tracked by monitoring both total shareholder return and the full year dividend per share. Some, but not all, of the KPIs for the group are detailed in the Directors’ Report (Table 4.4). Each business across the group is required to report performance against the steering wheel targets on a quarterly basis, although trading figures are reviewed daily and weekly. The steering wheel for the group is reviewed quarterly.
Staff commitment to the steering wheel and associated targets is encouraged in two separate ways. The first is by the application of a process referred to internally as ‘Values’, which are used to ensure that every member of staff around the world understands the group’s culture and goals. The values are summarized as:
No one tries harder for customers:
Understand customers.
Be first to meet their needs.
Act responsibly for our communities.
We treat people how we like to be treated …
Work as a team.
Trust and respect each other.
Listen, support and say thank you.
Share knowledge and experience.
… so we can enjoy our work.
The second way of encouraging staff commitment to targets is by the use of a number of schemes designed to encourage their involvement in the financial performance of the group. Performance against targets is closely linked to remuneration at the level of the executive directors, and there is also a profit sharing scheme in place for all employees with more than one year’s service with the company. The executive bonus scheme offers both long- and short-term bonuses, paid in a mix of cash and share options. Payment is linked to the achievement of a mix of targets covering EPS growth, ROCE growth, total shareholder return and the achievement of specific, but confidential, strategic goals. Employees receive a profit share that is calculated pro-rata to their base salary, up to the maximum £3,000 annual tax free limit set by the Revenue and Customs, and may also opt to participate in a savings-related share option scheme and a partnership share plan.⁵
Table 4.4 Key performance indicators
Making it work
Clearly articulated strategies and a structured set of performance targets encompassing both financial and non-financial aspects of the organization create a framework that should at least encourage, if not ensure, that all staff across the group are aware of and make efforts to achieve the core objectives. Risk creates a threat to the achievement of these objectives and therefore aims are only achieved to the full if risks are effectively recognized, controlled and monitored. Linking risk management to performance management is vital to make the whole thing work.
Linking risk management to performance management
Basic principles
One of the reasons we are a successful company is because of risk management - people do it without actually knowing they are doing it, it’s part of their accountabilities. They are held to account. We monitor things on such a micro level.
(Interviewee)
This is a fascinating summary of Tesco’s approach to risk management, which provides a stark contrast to the seemingly bureaucratic structures of risk management that have evolved in some global financial institutions that have still ultimately failed. At the heart of Tesco’s approach is the idea that performance management and risk management run hand in hand, and so if people focus on performance targets then they are simultaneously but implicitly managing their risks.
The risk management standard produced by the Institute of Risk Management (2002) identifies three key elements in the risk management process, namely risk assessment, risk reporting and risk response (measures to reduce or modify risks), and all three elements form part of a control loop that is used by Tesco to ensure complementarities between the risk management controls and the performance targets set within the steering wheel. The control loop is portrayed in Figure 4.4.
Figure 4.4 Linking strategy to performance to risk management
The control loop shows that the process begins with the specification of corporate strategy by the Board of Directors, the identification of key risks and the associated risk appetite of the group. At lower levels of the organization, risk identification is the responsibility of line management, assisted by advice from internal audit. Risk responses and control mechanisms are also the responsibility of line management, and internal audit then independently monitors the risk systems that have been established. Internal audit report their findings on internal control back to the Audit Committee and Board of Directors and may also offer advice to line managers regarding deficiencies or potential improvements to risk controls. Under the existing corporate governance regulations the Board of Directors is also required to report that it has conducted a review of the effectiveness of the internal controls. In the case of Tesco, the Directors’ Report also includes a statement that the controls in place remain appropriate. The risk reporting process then feeds back into the strategy setting process to inform and possibly modify future plans for the business.
Roles and responsibilities for risk: the board of directors and senior management
The board of directors has overall responsibility for risk management and internal control within the context of achieving the group’s overall objectives. In practical terms this means that the Board’s role is threefold:
Setting the group’s risk appetite
The risk appetite is set in the light of the directors’ views about market and shareholder requirements and the need to balance risk controls with the facility to seize opportunities. The risk appetite will also be influenced by global economic conditions, the existing business mix and the known associated risks. In terms of the broader business, the risk controls that are established must ensure that the risks taken mirror the risk appetite of the board.
Identifying the key risks facing the group
Key risks may be defined as those which threaten core strategies. The Key Risk Register, maintained by Internal Audit, is built up/revised through regular discussion between members of the Board of Directors, the Executive Committee and other senior managers. In addition, there is an annual Board meeting dedicated to a review of the strategic risks across all of the businesses. The resulting risk register contains information not just on the nature of the risk(s) but also their potential impact and likelihood, and the register is updated on an ongoing basis through feedback from a range of sources, including the steering wheel. All risks are allocated to a named ‘owner’ and the controls and procedures used to mitigate them are identified.
A list and summary description of key risks facing the group is contained within the corporate governance section of the annual report (pp. 38-40). The list covers a total of 19 categories including business strategy, financial strategy, financial services (through Tesco Personal Finance), operational, joint venture, property, health and safety and environmental risks and it is too long to be very informative. The significance of the risks listed may vary widely, and also change over time, but some major risks stand out. One example of a key risk is that of both regulatory and public attitudes towards large retailers. Changes to planning rules could severely impede the group’s strategy for growth, and so risk management involves putting in place mechanisms that can be used to quickly respond to and mitigate changes in planning rules. The use of political lobbying will be one response, accompanied by changes in the format of stores, such as shifting to smaller sites, especially in town centres where other stores are closing down.
Another way of viewing key risks is to pinpoint the factors on which the strategy depends. Earlier, it was suggested that Tesco is a simple business based around six core processes. The key risks are therefore those which threaten the effectiveness of those processes: ‘The Tesco philosophy is “the customer is king”: without the customer we don’t exist. Every part of that process is customer oriented. … What that means is that the things that we would be looking for is … we would be watching the service-supply chain’.
A highly efficient and effective supply chain requires investment in IT systems and procurement and delivery infrastructures. As the annual report notes:
The business is dependent on efficient information technology (IT) systems. Any significant failure in the IT processes of our retail operations (e.g. barcode scanning or supply chain logistics) would impact our ability to trade. We recognize the essential role that IT plays across our operations in allowing us to trade efficiently and so that we can achieve commercial advantage through implementing IT innovations that improve the shopping trip for customers and make life easier for employees. We have extensive controls in place to maintain the integrity and efficiency of our IT infrastructure and we share systems from across our international operations to ensure consistency of delivery.
(Tesco Annual Report, p. 39)
Overseeing the group's risk and internal control system
The Board is responsible for the overall system of internal control and for reviewing the effectiveness of such a system. The annual report states that group-wide processes are in place for establishing the risks and responsibilities assigned to each level of management and the controls which are required to be implemented and monitored. The control system is designed to mitigate against the risk of not achieving objectives, rather than to totally eliminate the risk of failure. As such, it is acknowledged that some activities carry risks which are outside the Board’s control.
Responsibility for the annual review of the effectiveness of the internal control systems rests with the Audit Committee, which meets quarterly and reports directly to the Board. The Audit Committee can also be more proactive in its management of risks, and will sometimes take trips to inspect overseas operations and gain an on-site view of internal control. The Committee, chaired by a non-executive director, receives regular reports from the Head of Internal Audit on internal control effectiveness and also has the power to take action to call senior line managers to account if it believes they are failing in their risk management duties. If, for example, a national CEO has been a bit slower in managing risk than the Audit Committee might like him/her to have been, the CEO may be flown over for a meeting - ‘a bit like being in the headmaster’s study’ - to explain what is happening and why.
Two other senior management committees also play an important role in monitoring the exposure to risk and effectiveness of internal controls. Regulatory risk management falls under the eye of the Compliance Committee, which meets six times a year with the remit to ensure that the group complies with all the necessary laws and regulations in all of its operations worldwide. Risk management within the Treasury and tax functions is subject to review by the Finance Committee, which also sets the Treasury limits.
Roles and responsibilities for risk: Internal Audit
The internal audit function is independent of business operations and works across the entire group to evaluate and monitor the internal control and risk management processes. The staff see their role as one of facilitation. Their primary customer is the Audit Committee, and their primary service is to the Board in giving them assurance that the risks faced by the business are adequately managed and covered, and in line with the Board’s declared risk appetite.
The audit plan is risk-based, and largely focused around the six core processes that dictate the success of the core strategy. There is also a list of items that are audited automatically, such as new ventures, third-party risks, and areas where the business is not building as it should. This fits with the findings of Selim and McNamee (1999), who found that the assets, projects and processes that were deemed key to strategic objectives were central to the definition of the audit universe. The audit programme thus focuses on perceived ‘problem’ areas and new businesses where risks are less well understood. Managerial experience and intuition are used to identify the problem areas - ‘at the end of the day it is people’s experience and how you feel’ (Head of Internal Audit). This approach matches that found by Helliar et al. (2002), who found that judgements based on experience were preferred to probabilistic measures of risk.
For each audit, all of the potential risks of the chosen process are identified, together with information on what controls are in place to mitigate those risks. The result is a process risk map in a form similar to a flow chart (Box 4.1).
The detail of how internal audit works is best understood via a more detailed example, of an audit of site acquisition in a central European country. Site acquisition is clearly a key process that will affect the ability of Tesco to achieve its growth targets (Box 4.2).
Staff in Internal Audit come from a mix of backgrounds, some CIMA, ACCA or ICAEW qualified but also some with Institute of Internal Auditors’ qualifications, and the churn rate within the department is quite high. This is seen as beneficial because when staff move from internal audit into other areas of the business they take an awareness of risk management with them.
Around 25 per cent of activities/processes are audited each year and the resulting reports are non-standard and clearly specify the next steps to be taken, and who is responsible for them. The reports get sent through to the Board member responsible for the particular area, and depending upon the time scale, internal audit will probably return in due course to review if actions have been taken as required. Line management remuneration, and sometimes survival, is dependent upon them fulfilling the actions required of them.
The head of internal audit reports directly to the head of the Audit Committee (a non-executive manager), and also attends all of that committee’s meetings.
Box 4.1 Process risk mapping for internal audit
Key steps:
1 Identify the risks and the factors that may trigger them.
2 Identify the current controls that are in place.
3 Evaluate control effectiveness by reference back to the organizational risk appetite.
Within the broader management base, a number of key groups at national level carry significant responsibility for risk management. The governance model in Figure 4.1 shows a number of operational committees - trading, operations, people, property and IT - each with a remit to manage a specific area of risk. Performance against steering wheel targets, and the findings of internal audit reviews, are reported to these committees, although the ultimate responsibility for controlling the risks rests with line management.
Every store has a steering wheel, and where performance is below expected the wheel is marked red, and risk awareness is defined in terms of not hitting the steering wheel targets, rather than the term ‘risk’ per se. When asked about the extent of risk awareness amongst store staff the following exchange with one interviewee is very revealing:
Interviewee: I don’t think the word risk, there is one, I think how far is there an awareness of things possibly going wrong, and then how do they control things going wrong. I think there is a very high …
Researcher: And that extends to the shelf fillers?
Interviewee: Yes it does, yes, even if it’s just that they know that they don’t meet the five o’clock clear up time or something.
What this reveals is the point made much earlier in this case - that risk management is implicit within performance management in Tesco - it does not simply constitute an additional layer of bureaucracy.
The risk management framework
As already indicated, the risk management framework employed in Tesco closely matches that of the risk standard developed by the Institute of Risk Management (2002) illustrated in Figure 4.5.
Box 4.3 Example: monitoring price risk
The target is to offer the lowest price to customers whilst taking relative quality into account. Monitoring is done by daily review of the price of an industry-typical basket of goods. If prices are proving unfavourable, somebody is charged - that day - with finding out why.
Risk is measured in terms of actual price differential, e.g. £37.64 versus £38.30, and members of the operations committee for the relevant country meet weekly to discuss the observed differential. The meeting can select to accept prices as OK or adjust them but either way the maximum time lag to react is just one week. This is short because price competitiveness is critical to the group’s strategy.
Box 4.2 Internal audit of overseas site acquisition
An auditor will pick up an area - this is site acquisition in X, for example. We have a property specialist put together the typical risks that you would get in a property process, so he would put together an overall risk thing. The auditor will go and have a talk to senior management and to the people involved in the process and will then adjust the risk model to reflect the risks specific to that country’s business, anything that could go wrong. He then goes along to the business and literally starts working through: ‘First of all, tell me what you do and how you do it, then show me what you do and show me how you do it’, and he’ll actually look at the documents and everything else. So he would say in the case of ‘failure to identify all potential sites of interest on the market,’ ‘So how do you ensure that you do identify all of the potential sites on the market?’ And they’ll say, ‘Oh well, we do a strategy review of this, we do this, we do …’ and so on and so forth. You’ll then be talking to some of the property specialists in Hungary who are outside of the business and saying, ‘Right, is there anything the company isn’t doing?’ The auditor can then report back on whether he thinks it is adequately controlled or not. A recommendation then comes out, which is the responsibility of the line manager to implement.
If a risk is deemed significant enough, it may appear on the key risk register, and is reported to the Board as well as the Audit Committee.
In addition, he/she reports to an executive manager - the PLC Finance and Strategy Director - on a day-to-day basis.
Roles and responsibilities for risk: line management and other staff
As already indicated, risk is seen as the responsibility of all staff, as reflected in the performance targets set within the steering wheel. The risk management process is cascaded through the group with every international CEO and local Boards maintaining their own risk registers and assessing their control systems. The same process also applies functionally in those parts of the group requiring greater oversight (Tesco, 2009, p. 48). For example, key risks are identified for HR and distribution as these are seen as core functions.
Accountability of the CEOs of subsidiary businesses is attained via a requirement for them to issue annual statements of assurance that the Board’s governance policies have been adopted both in practice and in spirit. In some, but not all, joint ventures, e.g. TPF pre-2008, the Board’s assurance is dependent upon the internal control systems of the partner and the obligations upon their Boards relating to the effectiveness of their own systems.
Figure 4.5 Core elements of the risk management process
Source: Adapted from Institute of Risk Management (2002)
Risk assessment and evaluation is done by line management, using a risk and materiality matrix which classifies risks as green, amber or red dependent upon a combination of likelihood and consequences. The categorization is based upon experience and ‘gut feeling’ rather than detailed risk modelling, but provides a basis for identifying which risks are worthy of greater or lesser monitoring. For example, in terms of financial control, the finance manager may identify the risks faced as including:
Cash management.
Investment appraisal.
Balance sheet control.
Financial information systems.
Skill risks (shortage of key people).
Managing the ‘City’.
Compliance with IFRS.
Financing, e.g. illiquidity.
Re-financing.
Interest rates.
Foreign exchange.
Counterparty credit.
Tax.
All of the above risks have owners and all are classed as green, amber or red. Red implies the risk is a glaring problem. Amber means ‘we aren’t comfortable with where we are at on the risk scale but we do have a plan to tackle it’. Green is that ‘we are comfortable with the risk that we are taking.’ The risk owner is required to take action to bring the risk level down to green wherever possible, and advice on how to do this will be provided by internal audit.
The risk registers, allocation of risk ownership and action plans all form important parts of the risk management process, but ultimately risks are only managed if the process is continuous, and this requires that the risks and action plans are the subject of regular review. The frequency of monitoring reflects the level of significance of the risk.
Risk reporting and communication
Figure 4.5 portrays the lines of communication used within Tesco PLC. The arrows indicate the direction of the information flow, with upward arrows showing reporting lines, whilst downward arrows show the communication of objectives or priorities. Risk issues are reported to the specialist monitoring committees and internal audit. Internal audit reports to the audit committee, the members of which may also ‘drive’ internal audit, or the actions of line managers via the expression of concerns over areas of business where risk is being controlled inadequately.
Note, Figure 4.6 is my personal interpretation of the communication lines used within Tesco. It is intended to complement the governance model that is used internally by the group as is depicted in Figure 4.1.
As already indicated, in the interviews the business was described as being relatively shallow, with only five grades of staff from top to bottom. This indirectly assists in the communication process. The formal lines of communication are also augmented by informal systems that are used to further the achievement of objectives. For example, one interviewee observed that ‘many years ago we decided on a strategy of trying to improve the controls of the business by getting as many people as we could [who] trained through audit’. ‘Spread the message’ communication is therefore achieved via a number of complementary routes.
At the same time, the involvement of operational managers in the identification of risks helps the process of risk communication across the whole group, and fits with De Haas and Kleingeld’s (1999) suggestion that participation is vital to the effectiveness of a control system. All risks are owned and exposure is clear under the traffic light system. Consequently, because the risk reporting lines go right through from line management up to the Board of Directors, no business or individual escapes scrutiny.
The big challenge: extending the risk management system into Tesco Personal Finance
TPF is the UK’s largest supermarket bank, and was established 12 years ago as a joint venture with Royal Bank of Scotland (RBS). Following the financial losses at RBS, Tesco bought out its share of the joint venture in July 2008 for the sum of £950 million, and it has recently moved to new headquarters in Edinburgh.
Figure 4.6 Communication lines in Tesco
The shift from a 50 per cent share in a joint venture to 100 per cent ownership of a financial services business fits well with Tesco’s declared long term strategy of growth via investment in retailing services such as Tesco.com, telecoms and financial services. The transfer of the group’s Finance Director to the role of Chief Executive of Retailing Services in July 2008 might be viewed as an indicator of the level of significance that this market holds for Tesco. Sir Terence Leahy believes that the recent banking failures have played into Tesco’s hands and provided them with an opportunity to expand retail services from its current position of £400 million profit to in excess of £1 billion within a decade. Press reports suggest that Tesco has been strengthening its financial services arm since 2008 by taking advantage of the financial crisis to take its pick of banking experts. At the same time, analysts such as Clive Black at Shore Capital forecast that Tesco Personal Finance could triple its revenues to £600 million within the next five years.
On a number of levels, the risks associated with expansion of its financial services arm appear relatively low because:
TPF is a ‘known animal’ given the company’s ten years of experience in the joint venture.