Case Study of Tesco Plc Essay Example

revised version of the Combined Code was released. This updated version categorized the principles of good corporate governance under various headings such as financial reporting, internal control, and disclosure. Regarding internal control, the Combined Code mandates that the Board of Directors must uphold a "sound" control system to protect shareholders' investment and the company's assets. Additionally, it requires the board to annually review the effectiveness of this control system.

The review should cover financial, operational, compliance, and risk management controls. The Board is not required to make the findings of the review public. To ensure effective internal controls, the Board needs to form an audit committee with at least three independent non-executive directors. Therefore, the Combined Code emphasizes executive responsibility for both internal controls and risk management controls.

The Committee of Sponsoring Organisations (COSO) in the United States has released two significant reports. The first report, published in 1992, provides guidelines for designing internal control systems and includes an internal control framework that identifies risk management as one of five elements. The second report, titled "Enterprise Risk Management," was published in 2004 and was developed with consultants from PricewaterhouseCoopers. This report aims to create a framework for managers to evaluate and improve their companies' risk management systems.

The text states that the idea of enterprise risk management is based on internal control but offers a wider and more comprehensive viewpoint. COSO (2004) explains that this approach includes the internal control framework. This change increases the importance of risk management, making it a holistic practice rather than just a part of internal control. This modification has significant consequences for the risk and audit

professions.

The COSO 2004 report complements the Sarbanes Oxley Act (SOX) of 2002, which was implemented as a direct reaction to the corporate scandals involving WorldCom and Enron. SOX highlights the obligations of directors in guaranteeing an efficient internal control, though it does not specifically address the internal audit role. Section 404 of SOX stipulates that a company's annual report must include an internal control report containing a statement from management about their responsibility in establishing and maintaining an internal control system, along with an assessment of its effectiveness.

US regulators, like their UK counterparts, emphasize the significance of management's role in creating and upholding internal control systems. Alongside an external auditor's statement, managers must strive for a equilibrium between embracing risk to foster growth and returns while also accounting for potential losses.

The paper aims to show how risk management systems can be used to support strategic objectives and align risk taking with the Board of Directors' established risk appetite. In other words, it demonstrates how risk management can enhance strategic success. The paper emphasizes that the main goal of risk management is to establish controls that improve corporate decision making and enhance performance for various stakeholders.

The text provides two important contributions to the risk management literature. Firstly, it presents empirical insights into risk management practice by analyzing detailed case study information from Tesco plc, a well-known UK retailer. This goes beyond the current emphasis on theoretical models and highlights the importance of considering risk in real-world situations. Additionally, the paper links the concept of Enterprise Risk Management (ERM), as advocated by COSO, with the balanced scorecard, which acts

as a strategic performance measurement system.

In the paper, a unique approach is taken to explore the relationship between risk management and strategy. The development of enterprise risk management is examined, as well as an alternative strategic control system called the balanced scorecard. Additionally, the similarities between ERM and the balanced scorecard are explained, and arguments are presented for the potential advantages of integrating these two control systems.

The article examines the risk management system in Tesco plc and its relationship with the balanced scorecard approach. It also explores the pros and cons of Tesco's risk systems and proposes potential areas for future research. Furthermore, it acknowledges that the definition of risk and understanding of risk management have evolved over time through a literature review on this topic.

In their analysis, Spira and Page (2003) delve into the history of risk definitions dating back to before the seventeenth century. In those times, risk was seen as a result of unpredictable natural causes that could not be foreseen or controlled. However, with the advent of modern scientific thinking, a new viewpoint emerged which suggested that risk could be quantified and handled by implementing suitable avoidance and protection strategies. As science gained more prominence, risk management became an integral part of society, raising public expectations that risks would be effectively dealt with.

The adverse effects of risk were partially attributed to the diffusion of responsibility caused by risk management, while accountability required demonstration of effort in managing risk (Spira and Page, 2003). Selim and McNamee (1999, p. 161) point out significant changes in organizations' approach to risk management. The first major shift is

the expansion of risk management from an insurance and transaction focused function to a broader concept that is connected to corporate governance and strategic objectives (McLave, 1996; Nottingham, 1997; Unsworth, 1995).

The traditional idea of risk management being solely focused on the treasury division and using financial instruments to mitigate transaction and funding risks is no longer relevant. Risks are now seen in a much broader context, including elements like corporate reputation, regulatory compliance, health and safety, employees, supply chain management, and general operational activities. This shift in perspective has significant implications for the design of internal control systems.

The second paradigm shift arises from the broadening of the risk definition, which prompts a reevaluation of risk management's purpose. Some argue that risk management is focused on assisting decision making to enhance corporate strategic performance (Deloitte and Touche, 1997). The Institute of Chartered Accountants of England and Wales (ICAEW) characterizes business risk as the uncertainty surrounding the benefits derived from pursuing objectives and strategies. One key aspect of the risk management process is identifying, ranking, and sourcing the risks associated with a company's strategy (ICAEW, 2002, para. 4. 2, p. 5). Enterprise Risk Management (ERM) or holistic risk management embodies comprehensive definitions of risk and acknowledges the strategic and governance roles fulfilled by risk management.

COSO has defined enterprise risk management (ERM) as a process that is initiated by an entity's board of directors, management, and other personnel. This process is applied throughout the organization to identify potential events that may impact the entity. The objective of ERM is to manage risk within the entity's risk appetite and provide reasonable assurance

regarding the achievement of objectives. Key aspects of this definition include the initiation of ERM by the board of directors, its cascading effect across the organization through line management, its broad-based nature encompassing all potential events, and its aim to contain risk within specified boundaries while providing reasonable assurance.

To develop a comprehensive risk management strategy, it is important to identify, measure, monitor, and control different risk exposures. Additionally, communicating the company's risk policies to all staff levels and establishing a risk aware culture throughout the organization are crucial. This presents significant challenges for risk managers as it involves all levels of the company and various functions.

Evidence suggests that there has been limited adoption of ERM thus far. According to a survey conducted by Beasley et al. (2005), which mainly focused on US based companies, only 48% out of the 174 participants had some form of ERM system in place in their companies. Furthermore, one third of the respondents expressed intentions to implement ERM in the future. However, it is important to approach Beasley's findings cautiously due to the low response rate of 10% for the survey and because most participants were employees of large US corporations with annual sales exceeding $1 billion.

Even though there may be a risk in generalizing from these findings, they suggest that the implementation of ERM is still at an early stage. However, since ERM aims to help achieve strategic goals, it brings together the interests of risk managers and the entire organization. In theory, it should be possible to incorporate ERM into current control and performance management systems.

The combination of ERM may

result in clashes between internal auditors and risk managers, but there is no innate conflict between ERM and any other control system. The Balanced Scorecard or Tableau de Bord is a extensively documented control and performance management system that is currently widely utilized. This paper will explore the basic principles of the Balanced Scorecard and its potential for implementing ERM.

The balanced scorecard, popularised by Kaplan and Norton (1992, 1993, 1996a,b,c, 2000), is a management control system derived from Porter's concept of strategy as a response to industry competition. This scorecard's popularity lies in its recognition of the importance of non financial factors in strategic success. Consequently, it shifts the focus of performance measurement away from exclusively financial metrics.

The text describes the balanced scorecard as a control system and performance measurement system. It states that the balanced scorecard offers advantages over historically based performance measures. The balanced scorecard consists of four component perspectives: financial, customer, internal business processes, and learning and growth.

Kaplan and Norton (1996a) propose that there is a connected cause and effect relationship between performance in each perspective and strategic outcomes. Put simply, enhancements in organizational learning can result in improvements in internal business processes, which can then increase customer satisfaction levels and ultimately lead to higher financial performance. The perspectives may be interconnected and therefore the order of cause and effect may differ, but the core principle remains the same – setting targets for operational behavior can enhance strategic performance.

The effectiveness of the balanced scorecard as a control and performance improvement tool in management accounting is a debated topic in literature (Ittner and Larcker, 1998). Proving cause

and effect relationships empirically is challenging. Kaplan and Norton (1996c) argue that the balanced scorecard helps articulate corporate strategy and identify factors for strategic success. However, one should be cautious about its claimed benefits.

Grady (1991) suggests that strategic objectives should be categorized based on critical success factors and critical actions, a step that the balanced scorecard fails to take. Effective communication systems are also important, as emphasized by Merchant (1989), who argues that poor economic performance can result from ineffective communication of strategies within an organization. However, the balanced scorecard assumes the existence of effective communication systems, which may not always be true in reality.

Even though the balanced scorecard has received criticism, it can serve as a means to connect strategy and daily operations. This parallels the challenge that managers encounter when implementing Enterprise Risk Management (ERM) within an organization. The presence of different risks may endanger strategic objectives, necessitating the establishment of systems that foster a culture of risk management awareness at all levels of the organization.

If the risks associated with the four perspectives of the balanced scorecard are connected, then managing those risks can be incorporated into an existing performance measurement system. Table 1 below, which is based on Kaplan and Norton (1996b) and COSO (2004), indicates the extent to which ERM and the Balanced Scorecard share similar principles, organizational coverage, and suitability as both control and performance evaluation tools.

Table 1 The overlap between ERM and the balanced scorecard ERM Basic philosophy Poor internal control of risk can endanger strategy Interface between control and performance measurement Risk controls aid in achieving higher levels of performance

by minimizing resource loss Organization wide High. Controls must align operational activity with corporate risk appetite Strategic performance is influenced by financial and non-financial factors Performance measurement against targets ensures effective controls Balanced scorecard

The level of staff involvement and the significance of operational behavior and performance are high throughout the organization. The targets should aim to align operational activity with corporate strategy. This applies to all functional and operational areas of the scorecard, including the risk encountered in each perspective. For example, in the customer perspective, there is a risk of dissatisfaction or loss. In the financial perspective, there are risks related to interest rates and credit. In the learning and growth perspective, there is a risk of poorly trained staff. And in the internal business processes perspective, there are risks of delivery delays and stockouts.

Both ERM and the balanced scorecard acknowledge the importance of non-financial factors in company performance. ERM focuses specifically on risk, while the balanced scorecard does not explicitly mention it but recognizes its indirect impact on all aspects of the scorecard. Therefore, the balanced scorecard implicitly includes risk as a factor in strategic performance. It can be interpreted that the balanced scorecard aims to establish a control structure to ensure strategy implementation, with risk management identifying and mitigating potential threats to implementation. Table 1 demonstrates that both systems operate at all levels within an organization. Both the board of directors and operational employees can impact the achievement of objectives, highlighting that strategy and risk issues are not limited to a specific group within the organization.

Properly stocking items is crucial for a food retailer as the

failure of an individual shelf filler to do so can result in lost sales. This, in turn, can lead to missed targets since customers may not be able to find what they want. Despite their limited impact, these individuals can affect both risk and strategic sales targets. Hence, it is essential to establish operational performance targets and implement controls to monitor performance and achieve these goals.

Both ERM and the balanced scorecard view performance measurement and control as complementary. Good controls enhance performance, but managing performance requires strategic target setting. This means that the balanced scorecard and ERM are different types of control systems with potential advantages gained from integrating them.

When risk issues are managed separately from other strategic objectives, it can be challenging for managers to prioritize their targets. However, if these two systems, a balanced scorecard and ERM, are integrated, the impact of different types of risk on customer loyalty levels becomes more evident. Consequently, risk targets become ingrained in the organizational performance culture and are relevant to all staff grades.

When risk management systems are integrated in this manner, there is reduced necessity to establish a novel risk management function since everyone’s roles are redesigned to include a risk aspect. The board of directors holds ultimate responsibility for risk control, as indicated by regulations in both the UK and the US. Additionally, line management is tasked with delegating the management, execution, and oversight of risk controls. Their compensation and continuation within the organization are tied to their performance against various targets, including risk.

The text below outlines the structures utilized by Tesco plc, a major UK

retailer with over 220,000 employees and group sales exceeding ?33,000 million, to control and manage risk. The case study's data was obtained from two primary sources - the company's annual report and website. These sources offered detailed information on Tesco's corporate governance and control structures.

The second source consisted of personal interviews conducted with the head of internal audit and the head of international audit at the company headquarters in Cheshunt. These interviews provided additional insights into the company's risk management and internal audit functions, confirming and expanding upon the information already gathered from public sources.

The use of case studies in accounting research has been extensively covered in academic literature (Berry and Otley, 2004; Humphrey, 2001; Otley and Berry, 1994; Scapens, 1990) and is widely accepted as a research method.

In Tesco plc's annual report and financial statements, there is a section on corporate governance that outlines the planning and control structure used throughout the group. The group follows a five-year rolling plan for revenue and capital expenditure categories, which serves as the basis for creating similar plans for each individual business within the group.

The company sets targets and monitors them using their version of the balanced scorecard, referred to as the "steering wheel". These targets are categorized under customers, operations, people and finance, which the company believes is the most effective approach to benefit shareholders and ensure consideration for all stakeholders (Tesco Annual Report, 2004, p. 10).

The Executive Committee, which includes all executive directors and the company secretary, assesses the performance of individual businesses against targets every quarter. Additionally, the committee meets weekly to supervise and

handle daily operations and business control. Line management is accountable for establishing and monitoring specific targets within each business, while the steering wheel concept is utilized at the store level to evaluate performance.

The remuneration for executive directors and all employees with over one year of service is closely linked to their performance against targets. Additionally, all employees with over one year of service are eligible for a profit sharing scheme. The executive bonus scheme comprises both short and long term bonuses, which can reach up to 150% of the executive's annual salary. These bonuses are granted based on the attainment of specific targets including EPS growth, total shareholder return, and undisclosed strategic goals.

The profit share employees receive is calculated based on their base salary, up to the maximum annual tax-free limit set by the Inland Revenue, which is ?3000. The strategic planning system is monitored and controlled using a balanced scorecard, which assumes that achieving good performance in the areas of customers, operations, and people leads to good financial performance.

The approach mentioned in the interviews is similar to Kaplan and Norton's. Both recognize cause and effect linkages through the remuneration system, ensuring that all stakeholders are considered by the business. By closely attending to customer needs, a positive cycle is created, resulting in improved outcomes (Figure 1).

The widely accepted belief is that building customer loyalty is crucial for long-term financial success (Norreklit, 2000). However, this perspective may be more relevant in rapidly changing consumer goods markets like Tesco, where customers make frequent purchases. To achieve this, it is important to focus on employees by investing in staff

training and implementing effective recruitment practices. This helps maintain low staff turnover rates and continuous enhancements in employee performance, which ultimately contribute to better process management.

Both process improvements and efficient operations can enhance employee performance levels, creating a two-way cause and effect relationship. The fulfillment of customer needs through efficient operations ensures customer satisfaction and ultimately achieves financial targets. Operational processes are fine-tuned based on customer complaints through information feedback systems, creating another two-way cause and effect relationship. The resulting higher profitability enables investment in improved customer provision and staff bonuses, ultimately reducing staff turnover rates. This creates a repetitive cycle where controls and performance targets interact to add value for shareholders. Proving the existence of this virtuous circle empirically is challenging due to various intervening factors that can impact performance, but the model suggests that Tesco plc embraces a balanced scorecard approach to strategic performance management.