Case Study of Tesco Plc
Definitions and perceptions of the role and styles of risk management, and performance management/strategic control systems have evolved over time, but it can be argued that risk management is primarily concerned with ensuring the achievement of strategic objectives. This paper shows the extent of overlap between a broad-based view of risk management, namely Enterprise Risk Management (ERM), and the balanced scorecard, which is a widely used strategic control system.
A case study of one of the UK’s largest retailers, Tesco plc, is used to show how ERM can be introduced as part of an existing strategic control system. The case demonstrates that, despite some differences in lines of communications, the strategic controls and risk controls can be used to achieve a common objective. Adoption of such an integrated approach, however, has implications for the profile of risk and the overall risk culture within an organisation. Keywords: balanced scorecard; case study; corporate governance; enterprise risk management; risk controls; strategic control, Tesco plc. Introduction The notion that risk is inherent to any business activity is a long standing one, but the establishment of formalised risk functions in organisations is a much more recent phenomenon. Corporate governance frameworks serve to create structures that help to facilitate management accountability in a world characterised by a divorce of ownership from control (Spira and Page, 2003), but such controls seem so far to have failed to stem the recurrence of corporate scandals across the globe.
Regulatory bodies have responded by introducing a mix of practice recommendations and specific requirements that emphasise the importance of internal control systems as a way of improving accountability and reducing the risk of corporate failure. These regulations have served to raise the profile of risk management, as demonstrated below. In the UK, the Combined Code of the Committee on Corporate Governance was originally published in 1998 and incorporated the recommendations of a number of earlier committees (Cadbury, Greenbury and Hampel).
A revised version of the Combined Code was issued in July 2003, in which the principles of good corporate governance were categorised under a number of headings including financial reporting, internal control and disclosure. In relation to internal control, the Combined Code requires the Board of Directors to maintain a ‘sound’ control system in order to safeguard shareholders’ investment and the company’s assets and to review, at least annually, the effectiveness of that control system.
Financial, operational, compliance and risk management controls should all be included in the review. There is, however, no requirement for the Board to report externally on the review’s findings. As part of the process of ensuring effective internal controls, the Board is also required to appoint an audit committee of at least three members, all of whom should be independent non-executive directors. The Combined Code thus emphasises executive responsibility for internal controls, which explicitly include risk management controls.
In the United States the Committee of Sponsoring Organisations (COSO) has published two key reports (COSO, 1992, 2004) laying down guidelines on the design of internal control systems. The internal control framework outlined in the 1992 report identifies risk management as one of five elements within the control system, but the 2003 report (Enterprise Risk Management) was drafted in conjunction with consultants from PricewaterhouseCoopers with the specific aim of developing a framework to enable managers to evaluate and improve their companies’ risk management systems.
In so doing it argues that it “expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management . . . that incorporates the internal control framework within it” (COSO, 2004, foreword, p. v). The profile of risk management is thus raised substantially, as it shifts from being a component of internal control to one in which it effectively encompasses internal control. This change in thinking is of great potential significance for the risk and audit professions.
The COSO 2004 report complements the Sarbanes Oxley Act (SOX) of 2002, which was a direct response to the corporate scandals of WorldCom and Enron. The act places great emphasis on the responsibilities of directors for effective internal control, although it contains no provisions on the role of internal audit function. Section 404 of SOX requires that a company’s annual report should contain an internal control report which includes a statement of management’s responsibility for establishing and maintaining an internal control system, and an assessment of the system’s effectiveness.
This must be supplemented by a statement from the external auditor attesting to and reporting on the management’s assessment report. Like the UK, therefore, the US regulators seek to emphasise management’s responsibilities for the design and maintenance of internal control systems. In designing internal control and risk management systems managers need to try and strike a balance between taking advantage of the growth and returns that can be generated by taking risks with the potential losses that may also result from risk taking.
Setting strategic objectives and establishing an acceptable associated level of risk are thus closely intertwined, and this paper seeks to demonstrate how risk management systems can be used to both encourage line managers to meet strategic objectives whilst also aligning their risk taking to the risk appetite established by the Board of Directors. In other words, utilising risk management to enhance strategic success. It argues that the ultimate objective of risk management is to ensure the existence of controls that improve corporate decision making and thus enhance performance from the perspective of multiple stakeholders.
The paper contributes to the risk management literature in two distinct ways. Firstly, by using detailed case study information from Tesco plc, one of the UK’s leading retailers, to provide insights into risk management practice the paper adds an empirical dimension to work that has to date emphasised the design of theoretical models of risk management rather than consideration of risk in practice. Secondly, the paper links the key concept of Enterprise Risk Management (ERM), as promoted by COSO, with the balanced scorecard which is used as a strategic performance measurement system.
In so doing, the link between risk management and strategy is made explicit in a manner that is relatively new to the literature. The paper is structured so that the next section on the development of the concept of enterprise risk management is followed by a section discussing an alternative form of strategic control system, namely the balanced scorecard. The strong parallels between ERM and the balanced scorecard are explained in detail, and arguments presented to show the potential advantages of combining the two control systems.
The main part of the paper then describes the risk management system within Tesco plc, and its interface with the balanced scorecard approach also used within the business. The concluding section seeks to identify the advantages and disadvantages of the risk systems deployed in Tesco, and the scope for further research in this field. 2 The development of enterprise risk management (ERM) A review of the risk management literature indicates that both the definition of risk and also our understanding of the term risk management have evolved over time.
Spira and Page (2003) chart in some detail the evolution of risk definitions from the pre-seventeenth century onwards. In pre-rationalism times risk was seen as a consequence of natural causes that could not be anticipated or managed, but with more modern, scientific based thinking there emerged a view that risk was both quantifiable and manageable via the judicious use of avoidance and protection strategies. Risk management became institutionalised with the application of science (Beck, 1998) and in the process the public were led to expect risks to be managed.
As a consequence, risk management led to some diffusion of responsibility for the adverse effects of risk whilst the notion of accountability required some demonstration of risk management effort (Spira and Page, 2003). Selim and McNamee (1999, p. 161) note what they describe as “major paradigm shifts in organisations’ approach to risk management”. The first of these relates to the fact that over time risk management has evolved from an insurance and transaction based function into a much broader concept that is linked to both corporate governance and the achievement of strategic objectives (McLave, 1996; Nottingham, 1997; Unsworth, 1995).
The concept of risk management being centred in the treasury division with its use of financial instruments to hedge transaction and funding risks is long dead, as risks have become much more broadly defined to include aspects such as corporate reputation, regulatory compliance, health and safety, employees, supply chain management and general operational activities. Risk is now viewed from a very broad perspective, and it is almost inevitable that this has important implications for the design of internal control systems.
The second paradigm shift is a result of the broadening of the definition of risk leading to a reconsideration of the purpose of risk management, and the development of views that argue that it is concerned with assisting decision making to improve corporate strategic performance (Deloitte and Touche, 1997). The Institute of Chartered Accountants of England and Wales (ICAEW) defines business risk as “the uncertainty as to the benefits that the business will derive from pursuing its objectives and strategies” . One of the core dimensions of the risk management process is thus “identifying, ranking and sourcing the risks inherent in the company’s strategy” (ICAEW, 2002, para. 4. 2, p. 5). Broad definitions of risk, and recognition of the strategic and governance roles played by risk management are the characteristics of Enterprise Risk Management (ERM) or what is sometimes called holistic risk management.
The framework for risk management outlined by COSO defines ERM as follows: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO, 2004, p. 2) The definition contains a number of key phrases. Firstly, ERM is initiated by the board of directors in the first instance, but is cascaded across the organisation via line management. Secondly, it is broad based because it encompasses all potential events that may affect achievement of objectives. Lastly, ERM aims to contain risk within the boundaries of a specified risk appetite and provide reasonable assurance in this regard.
Such a broad perspective of risk management implies a requirement to develop a very comprehensive strategy to identify, measure, monitor and control a vast array of risk exposures, and communicate the company’s risk policies to staff at all levels via the creation of a risk aware culture. This is a very broad remit for the risk manager, as it encompasses all hierarchical levels within the company as well as multiple functions, and hence poses major challenges in its practical implementation.
Perhaps not surprisingly, therefore, there is evidence to indicate a limited take up of ERM to date. In a survey of internal auditors, focused primarily on US based companies, Beasley et al. (2005) found that only forty eight per cent of the 174 respondents had at least a partial ERM system in place in their companies and a further one third were planning to implement ERM in the future. Beasley’s findings need to be viewed with caution because the survey response rate was only 10%, and the majority of respondents were from large US corporations with annual sales in excess of $1. billion.
There is therefore a danger in generalising up from such results, but they none the less offer some indications that the adoption of ERM is still in its relatively early stages. Notwithstanding the challenges of introducing it, because ERM seeks to assist the fulfilment of strategic objectives it aligns the interests of the risk manager with those of the entity as a broader whole. In principle at least, therefore, it should be possible to incorporate ERM into existing control and performance management systems.
The integration may raise issues of professional rivalry between parties such as internal auditors and risk managers, but there is no obvious intrinsic conflict between the aims of ERM and any other control system. One of the most widely documented control and performance management systems in use today is the Balanced Scorecard or Tableau de Bord. In the next section of this paper, the basic principles underpinning the Balanced Scorecard are discussed, together with its scope for use as the tool for implementation of ERM.
The balanced scorecard The balanced scorecard is a management control system popularised by Kaplan and Norton (1992, 1993, 1996a,b,c, 2000) that has its origins in Porter’s concept of strategy as a response to competitive forces in an industry. The popularity of the scorecard can be explained in part by the fact that it recognises the significance of non financial factors in determining strategic success, and hence moves performance measurement away from its traditional focus on purely financial measures.
In addition, it serves as a feed forward control system as well as a performance measurement system (De Haas and Kleingeld, 1999), thereby offering clear advantages over the historically based performance measures that characterise financial systems. The balanced scorecard identifies four component perspectives within which a company must perform well in order to achieve its strategic objectives – namely financial, customer, internal business processes and learning and growth.
Kaplan and Norton (1996a) argue a linked cause and effect relationship between performance in each of the perspectives and strategic outcomes. In other words, for example, improvements in organisational learning may lead to improvements in internal business processes, which in turn raise customer satisfaction levels and ultimately result in higher levels of financial performance. The perspectives may be interlinked and so the order of cause and effect may vary, but the basic principle remains – by setting targets for operational behaviour, strategic performance can be improved.
There is some debate within the management accounting literature about the extent to which the balanced scorecard is empirically proven to be an effective control and performance improvement tool (Ittner and Larcker, 1998), but proving the cause and effect relationships in practice is extremely difficult. Kaplan and Norton (1996c) argue that the balanced scorecard is valuable in ensuring both the articulation of corporate strategy and the specification of the factors that will facilitate strategic success, but there are reasons to be rather cautious of these proclaimed benefits.
Grady (1991) argues that strategic objectives need to be classified in terms of critical success factors and critical actions, but the balanced scorecard does not rank measures of performance in this way. In addition, the importance of good communication systems cannot be underestimated. Merchant (1989) argues that failure to communicate strategies effectively throughout an organisation can lead to poor economic performance, but the balanced scorecard seems to assume the existence of effective communication systems which may not exist in practice.
Despite such criticisms, one of the greatest benefits of the balanced scorecard lies in its potential to overcome the remoteness of strategy from day to day activity (Norreklit, 2000), and this mirrors one of the challenges faced by a manager seeking to introduce ERM into an organisation. Risks of various types may threaten the achievement of strategic objectives, and systems need to be devised to create a culture or consciousness of how to manage those risks at all levels within the organisation.
If risks can be linked to the four perspectives of the balanced scorecard, then the management of those risks can be integrated into an existing performance measurement system. 4 Linking ERM and the balanced scorecard Table 1 below, which draws on Kaplan and Norton (1996b) and COSO (2004), shows the degree of overlap between ERM and the Balanced Scorecard in terms of their basic philosophies, organisational breadth and scope for use as both control and performance measurement tools.
Table 1 The overlap between ERM and the balanced scorecard ERM Basic philosophy Poor internal control of risk can jeopardise strategy Interface between control and performance measurement Risk controls help to achieve higher performance levels via minimisation of the loss of resources Organisation wide High. Controls should work to align operational activity with corporate risk appetite Strategic performance is influenced by both financial and non-financial factors Performance measurement against targets serves to ensure effective controls Balanced scorecard
Level of staff involvement Significance of operational behaviour and performance Risk Organisation wide High. Targets should work to align operational activity with corporate strategy Straddles all functional and Encountered in all scorecard operational areas perspectives, for example: Customer – risk of dissatisfaction/ loss Financial – interest rate and credit risks Learning and growth – poorly trained staff Internal business processes – delivery delays; stockouts
Both ERM and the balanced scorecard recognise the significance of non-financial factors in overall company performance. In the case of ERM, the non financial component is purely that of risk, which is not explicitly mentioned in the balanced scorecard, although it can indirectly impinge upon any or all of the quadrants of the scorecard, as indicated in the Table. Implicitly if not explicitly, therefore, the balanced scorecard incorporates risk as an influence upon strategic performance. One interpretation is that he balanced scorecard seeks to create a control structure that ensures the implementation of strategy, and risk management complements this by identifying and mitigating any potential threats to strategic implementation. Table 1 also shows that both systems function across all hierarchical levels within an organisation. Neither strategy nor risk issues are exclusively the preserve of the board of directors, with the result that operational effectiveness even at the lowest levels of employment can serve to impact on the achievement of objectives.
In the case of a food retailer, for example, the individual shelf filler who fails to keep items fully stocked can cause lost sales for the business leading to missed targets, simply because customers may be unable to find what they want. Such an individual, albeit in a limited way, has an impact on the achievement of both risk and strategic sales targets, and hence the setting of operational performance targets and the use of controls to monitor that performance are fundamental to both systems.
In both ERM and the balanced scorecard, performance measurement and control may be regarded as complementary – good controls enhance performance, but performance also needs to be managed via judicious target setting that reinforces strategic objectives. Ultimately, therefore, the balanced scorecard is just one specific type of control system and ERM another type, but there are potential advantages to be gained by their integration.
If risk issues are managed separately from other strategic objectives, so that a balanced scorecard runs parallel with ERM, then managers may have difficulty in prioritising the targets they have been set. If the two systems are integrated, then the influence of various types of risk upon, for example, customer loyalty levels becomes clearer, with the result that risk targets become embedded in the performance culture of the organisation, and relevant to all grades of staff.
Where risk management systems are embedded in this way, there is less need to create a new function of risk management, because everybody’s jobs are redefined to incorporate a risk component. Overall responsibility for risk control rests with the board of directors, as suggested under both UK and US regulations. Simultaneously, the management, implementation and monitoring of risk controls is delegated to line management, whose remuneration and survival is linked to performance against a range of targets, of which risk is just one element.
The following section outlines the structures used to control and manage risk in Tesco plc, one of the UK’s largest retailers, with over 220,000 employees and group sales in excess of ? 33,000 million. The data for the case study was drawn from two key sources. The first was the extremely rich and publicly available information contained in the company’s annual report and website which included extensive detail on the corporate governance and control structures in place at Tesco.
The second source was personal interviews with the head of internal audit and the head of international audit, at the company headquarters in Cheshunt. The interviews offered further insights into the company’s design of the risk management and internal audit functions, thereby both verifying and expanding upon the material already collected from the public domain. The use of case studies in accounting research has been the subject of extensive coverage in the academic literature (Berry and Otley, 2004; Humphrey, 2001; Otley and Berry, 1994; Scapens, 1990) and it is now a widely accepted research method. Risk management structures in Tesco plc 5. 1 Strategic planning and control: the balanced scorecard in Tesco The corporate governance section of the Tesco plc annual report and financial statements, contains a brief outline of the planning and control structure used across the group. The group has a five year rolling plan, categorised under revenue and capital expenditure headings, and this forms the basis for the creation of similar plans for each of the separate group businesses.
Targets are set, and these are then monitored via the ‘steering wheel’ which is the company’s term for their version of the balanced scorecard. Targets are defined under four separate headings of customers, operations, people and finance, which the company argues “is the best way to achieve results for our shareholders” and “allows the business to be operated and monitored on a balanced basis with due regard for all stakeholders” (Tesco Annual Report, 2004, p. 10).
The performance of the individual businesses against targets is reviewed quarterly by the Executive Committee, which is a sub division of the board comprising all executive directors plus the company secretary. The committee meets weekly and takes responsibility for the day to day management and control of the business. It is understood that targets within the separate businesses are set and monitored by line management and the steering wheel concept and performance against it is a familiar concept right down to individual store level.
Performance against targets is closely linked to remuneration at the level of the executive directors, and there is also a profit sharing scheme in place for all employees with more than one year’s service with the company. The executive bonus scheme offers a mix of both long and short term bonuses, which in combination can equal up to 150% of the executive’s annual salary, and payment is linked to the achievement of a mix of targets covering EPS growth, total shareholder return, and the achievement of specific, but confidential, strategic goals.
Employees receive a profit share that is calculated pro rata to their base salary, up to the maximum ? 3000 annual tax free limit set by the Inland Revenue. The strategic planning system is thus monitored and controlled via the use of a form of balanced scorecard, which assumes that good financial performance is the outcome of good performance in the areas of customers, operations and people.
This approach is very closely aligned with that of Kaplan and Norton, in so far as the cause and effect linkages are acknowledged via the remuneration system and as was noted in the interviews, “this allows the business to be operated with due regard for all stakeholders” (Head of International Audit). It would appear that the cycle is driven by paying very close attention to the customer’s needs, which if satisfied create a virtuous circle of improving results as shown below in Figure 1.
This focus on the customer fits with the widely accepted principle that increased customer loyalty is the single most important driver of long term financial performance (Norreklit, 2000). It may, however, be argued that this view might be limited to or especially applicable to fast moving consumer goods’ markets, such as Tesco, where customers make frequent purchases. Starting with employees, investment in staff training and effective recruitment help to ensure low staff turnover rates and ongoing improvements in employee performance, which in turn feed through to better process management.
Equally, process improvements may raise employee performance levels, and so the cause and effect arrows flow in both directions. Efficient operations help to ensure that customer needs are met, and if customers are happy the financial targets will be achieved. Information feedback systems ensure that operational processes are fine tuned to respond to customer complaints and so once again the cause and effect arrow flows in both directions. The resulting higher profitability facilitates investment in better customer rovision combined with increases in staff bonuses that hopefully reduce staff turnover rates. In this way the circle repeats itself and the controls and performance targets interact to add value for shareholders. Proving the empirical existence of this virtuous circle is almost impossible because of all of the intervening factors that may impact on performance, but the model suggests that Tesco plc have adopted and believe in a balanced scorecard approach to strategic performance management.
Get access to
Guarantee No Hidden