Introduction
Risk management is a process encompassing many considerations and factors, and it should be treated accordingly. This process of managing risks suggests that organizations should not merely strive to avoid negative events but predict them, assess possible losses, plan mitigation measures, and address risks systematically. A type of situation in which the risk management toolkit can be applied is a corporate disaster (specifically, related to accounting). From the perspective of the risk management cycle components, it is possible to assess what a company did right and what it did wrong in terms of minimizing risks. In this context, the risk is understood as the product of likelihood and loss (R=Li x Lo). The case of Tesco accounting scandal will be addressed from the perspectives of policy, identification, measurement, analysis, decision, implementation, and feedback to describe strategies aimed at ensuring more effective management of the risk of fraud in the future. First, the case will be summarized. Then, the issues of policy making and presence of adequate policies will be examined. Further, the way risks were identified and measured will be assessed. The following sections will show the processes of decision making, implementing decisions, and providing feedback to improve the policy. What was done right and wrong will be discussed.
Case Summary
The Tesco accounting scandal was not simply fraud, i.e. mere lying of the executives; there were more complicated factors and contributors. First of all, the atmosphere at the company was indicating that something was going wrong, as before the scandal broke in September 2014, there had been a series of rather obscure resignations (Colson, 2017). As it is becoming evident now, several staff members decided to resign because they felt the pressure of the practices of misrecording and were willing to discontinue their work at Tesco rather than being involved in what they thought was illegal. There were repeated references to the company’s environment of secret wrongdoing, and Richard Parsons, then-member of the commercial finance team, practiced absenteeism and informed his supervisor that the stress and worrying he was experiencing did not allow him to do his job properly. (Colson, 2017). Another employee, Aysen Nadiri, repeatedly contacted top managers to express her concerns about what she perceived as illegitimate accounting practices; specifically, she referred to the early registration of income. However, the management was unwilling to discontinue the practice or to admit that the targets set in the strategic framework of the company’s development could not be met. Nadiri ultimately resigned due to feeling compromised as a professional and worried about what could happen to the company.
More importantly, the upcoming disaster was not only marked by resignations but also prepared by the reaction of the top management. Carl Rogberg was the UK finance director at the time, and he later was one of the eight executives accused of the fraud during the scandal and subsequently dismissed. He is currently standing trial, and he was notified about the worrisome resignations. However, he reportedly ignored them and told human resources management officers to hire more people instead of the resigned. Rather than an accident, the case appears to be a disaster that resulted from systematic failures, which is why it qualifies for analysis from the risk management perspective.
Policy
A particular risk management assessment framework has been chosen for the presented case; the elements of the framework are connected into a cycle and shown below (Figure 1). The elements of the cycles have been widely discussed in the relevant literature by various theorists (Christoffersen, 2012). Further, they were integrated into a cyclic system for the purposes of analyzing the presented case. The first element that will be addressed is policy, and it is recognized that policy constitutes a crucial aspect of managing risks. In general, risk management can be defined as the development and implementation of efforts aimed at identifying and minimizing risks (Harrington & Niehaus, 2004); the former part—development—consists largely of policymaking. It is recognized that risk management aspects should be incorporated into a company’s regulations so that managers have instruments to address risks properly and minimize the effects of negative scenarios (Harrington & Niehaus, 2004). From this perspective, it is necessary that, if risk management policies are not in place, the leadership and the management of a company are flexible enough to introduce additional policies.
For Tesco, the primary pure risk identified in the context of the presented case is the risk of fraud, and it can be addressed from the policy perspective. First of all, policies do not necessarily rule out pure risks, e.g. there cannot be a policy against fire or unexpected death; however, policies may protect stakeholders from the occurrence of a situation in which the only outcome is a loss (Dionne, 2013). For example, businesses or individuals may not be allowed to engage in certain activities in case they do not have proper insurance—this is a way to minimize pure risks.
Apparently, Tesco did not have proper policies that could protect the company from misstatements of financial performance. The role of the board of directors in the situation is not yet clarified; the case is now being reviewed in the court. Concerning auditors, there are reasons to suspect that their assessment of the company’s performance was intentionally misrepresented (Colson, 2017). However, it should not be overlooked that the company did have such policy-related protection tools as the sustainability policy (Tesco sustainability case study, 2017), which is evident from the way it managed to continue its operation after the fraud scandal.
Identification
Having risk management policies or a flexible mechanism for risk management-related policymaking (or both) in place, companies should adjust the process of risk identification (Harrington & Niehaus, 2004). According to the enterprise risk management framework, companies should, first, create a toolkit to enable the management of risks that companies expect their managers to manage and, second, ensure that managers can use specific techniques to map and classify possible risks (Gates, Nicolas & Walker, 2012). In addition, there is a relationship between risk identification and observation (Appendix A). This relationship suggests that risk identification encompasses risk assessment and risk response, while observation includes control and monitoring (Gates, Nicolas & Walker, 2012). Therefore, risk identification refers not only to detecting certain risks but also to having appropriate tools a company can use to respond.
It can be argued that Tesco did indeed identify the risk properly in the presented case, but the response was rather poor. The fact that the finance director ignored the resignations in which employees referred to inappropriate accounting practices does not mean that he was unaware of the risk. It rather shows the management’s apparent inability to analyze what the consequences would be, and this is a risk identification flaw. Recently, government regulations have changed significantly as per requirements for companies in terms of creating and revealing financial performance information. However, with poor internal risk identification strategies, companies may still be unable to detect fraudulent developments or the creation of networks of executives involved in fraud.
Measurement
In risk management, a special role is played by measurement and the ability of companies to assess their risks with a certain degree of precision according to particular scales. The Chartered Institute of Management Accountants refers to the national efforts aimed at preventing corporate fraud, and one of the major initiatives is establishing a unit responsible for measuring fraud losses and assessing “value and risks of future fraud threats” (Chartered Institute of Management Accountants, 2008, p.54). Measurements can be based on various formulas; an example is the gross-based assessment is performed according to R=Li x Lo + AbMi, where R is a risk, Li is a likelihood, Lo is a loss, and AbMi is the absence of mitigation, i.e. additional loss suffered due to the lack of proper response to risk.
It is unclear how Tesco measured their risks, as certain aspects of internal management may not be revealed to the general public. However, it can be assumed that the company had measured fraud risks appropriately, as the scandal broke at a relatively low point of fraud-related losses. Although the amount of money lost in the accounting black hole is rather impressive— 250 million GBP, or 331 million USD (Colson, 2017)—this amount constitutes less than 0.5 percent of the company’s revenue. According to the guidelines for calculating materiality (Three steps to determining and applying materiality, n.d.), this black hole can be considered immaterial because it is less than five percent of income from continuing operations.
Analysis
In the context of risk management, analysis refers to processing the data collected from measuring risks (McNeil, Frey & Embrechts, 2015). Once a company establishes the extents and other characteristics of risks, it is necessary to further analyze possible risks; specifically, from the perspective of potential gain and potential loss. From this perspective, major theorists separate financial risks from pure risks and attribute the former to speculative (Dionne, 2013). The Chartered Institute of Management Accountants (2008) suggests that risk analysis should be based on five key considerations: likelihood, impact, controls, net likely impact, and prioritization.
In the presented case, risk analysis was part of internal regulations, too, which is why it cannot be assessed in detail. However, it is evident that Tesco’s top management managed to create protection from the fraud risk. For example, the Serious Fraud Office imposed a fine on Tesco, and the company had to launch an investor compensation program (Rees, 2017), but the previous and the new chief executives (the change in the position happened as the scandal was unfolding) avoided liabilities, and only three directors were accused of fraud by false accounting and fraud by abuse of position.
Decision
Upon analyzing risks, organizations need to make decisions on what action should be taken to prevent possible negative effects. Key variables in this regard include specific programs or initiatives and the enforcement of corporate policies (independent) and risk-related circumstances (dependent) (Cerchiello & Giudici, 2012). In this decision-making process, the relationship should be recognized between risk management and other factors in operation, including internal ones, such as corporate governance and ethical culture, and external ones, such as legislation (Figure 2). Therefore, decisions (regarding the pure risk of fraud) should be made based on multiple factors impacting a company simultaneously and continuously, but what is important is that the decisions do not increase the likelihood of loss.
It is noteworthy that the fraud in the Tesco scandal did not simply occur: it was a process in which many employees had been involved, and some decided to resign directly referring to the fraudulent practices as the reasons for resignation. Tesco as a company did not decide to engage in fraud, but the managers did make several decisions that demonstrated poor fraud response, while fraud response is one of the three components of fraud deterrence (Figure 2). When the earliest signs of fraud appeared (such as employee absenteeism due to the atmosphere of secret wrongdoing), the decision should have been made to expose the misrecording; it could have prevented the accounting black hole and the negative effects for investors. The corporate decision (as opposed to individual decisions) in this regard should have been to respond readily to the signs of fraud).
Implement
The implementation of anti-fraud strategies in the context of risk management should be based on the recognition of what exactly can be affected by implementing the decision made in the previous part of the risk management cycle. Dorminey et al. (2012) suggest a model of fraud-related crimes (Appendix B), and an important aspect of this model is that the perpetrator in it is separated from the crime; three interconnected components of each are identified and can be affected. The perpetrator characteristics can be affected through implementing human resources management strategies in which it is ensured that employees’ financial situations do not pressure them to engage in fraud, and they do not rationalize the process of committing a crime (Dorminey et al., 2012).
Nonetheless, in the Tesco case, the crime components of the model are more relevant to the risk management implementation stage. Apart from the act of fraud itself, there are also concealment and conversion. The former refers to perpetrators’ ability to hide their crimes. In this regards, Tesco should have established transparency in which fraudulent practices would not have been known to a few employees only (who ultimately resigned) but would have immediately launched the process of correcting financial reporting processes. Conversion refers to perpetrators’ ability to convert the results of fraud into something they can use and benefit from directly (Dorminey et al., 2012). To prevent such conversion, it was needed to initiate better inspection before the accounting black hole grew to 250 million GBP.
Feedback
Finally, upon implementing, feedback should be provided to support further policymaking thus effectively completing the risk management cycle (Figure 1). Liu, Liu, and Liu (2013) propose the failure mode and effects analysis (FMEA) framework, in which it is crucial to provide feedback on the risks and thus calculate the risk priority number (RPN) according to the following formula: RPN=O x S x D, where O is the likelihood of a failure, S is the severity of it, and D is the likelihood of having the failure unidentified. Based on the occurrence of certain negative effects, risk managers compare them and the extent of effects to the results of initial risk management planning; in case there is a significant difference, it indicates that the current processes that are part of the risk management cycle do not function properly.
The Tesco case is an example of poor feedback in terms of risk management. According to the Solicitors Regulation Authority (2014), monitoring risk levels should be followed by controlling these levels in case they are unacceptable through regulatory tools (Appendix C). The company’s top management was aware of the complaints about inappropriate accounting practices, i.e. feedback was provided. However, it did not result in a response, which indicated a poor system of processing feedback. More consolidated feedback incorporating specific references to accounting practices that were performed illicitly needed to be provided, and it would increase the possibility that feedback would have affected Tesco’s corporate decision-making.
Risk Management Strategy
Upon reflecting on each element of the risk management cycle, it is necessary to summarize the key elements of Tesco’s risk management strategy. First of all, a major component of successful risk management can be derived: cost and benefit analysis. This analysis consists of a system of interconnected measures and actions, including but not limited to avoidance, separation, combination, and transfer. To minimize risk, an organization should calculate the entire potential loss and further adopt the practices needed to not only avoid negative scenarios or factors that are likely to lead to negative outcomes but also distribute roles, functions, and assets in a way that reduces the likelihood of loss. In Tesco, a number of policy-related tools were adopted to prevent the development of fraud. However, it was demonstrated in the presented case that the tools turned out to be not sensitive enough, and fraudulent practices were present in the company for a significant period before they were exposed.
Therefore, the main weakness of the strategy was the lack of exposure capacity and response mechanisms. Despite the signs of the unfolding fraud (the resignations in which fraudulent practices were specifically referred to as the reason for resigning), Tesco leadership proved insufficiently prepared for exposing illicit actions and preventing the accounting black hole. However, it should not be recommended to enhance the strategy by spending large amounts of money on risk reduction and loss avoidance. Instead, the improvement of Tesco’s risks management strategy should be aimed at reinforcing the system of internal response and prioritizing the risk of fraud. The company’s current approach to risk management is more focused on managing external risks, while internal risks can lead to serious reputational and financial losses. The risk management strategy should be enhanced by adjusting the mechanisms that detect and report illicit internal practices.
Conclusion
In identifying and measuring their risks, Tesco apparently failed to detect fraudulent practices; at the same time, the scandal broke before the accounting hole reached 0.5 percent of the annual revenue, which is why it can be said that risk prevention mechanisms were in place. If the loss caused by the risk had been properly analyzed and measured, the company would have responded to the signs of fraud before the black hole developed. Additionally, feedback would have improved the company’s policies and ensured improved decision-making and implementation processes. The main weakness is that the company failed to respond adequately to the alarming resignations. In the future, better feedback strategies need to be developed and adopted.
Reference List
Cerchiello, P. & Giudici, P. 2012. Fuzzy methods for variable selection in operational risk management. The Journal of Operational Risk, 7 (4), pp.25-41.
Chartered Institute of Management Accountants. 2008. Fraud risk management: a guide to good practice. Web.
Colson, T. 2017. ‘The current environment has broken me’: Tesco accounting scandal ‘compromised’ staff and sparked resignations.Business Insider. Web.
Christoffersen, P.F. 2012. Elements of financial risk management. 2nd ed. Waltham: Academic Press.
Dionne, G. 2013. Risk management: history, definition, and critique. Risk Management and Insurance Review, 16 (2), pp.147-166.
Dorminey, J., Fleming, A.S., Kranacher, M.J. & Riley Jr, R.A. 2012. The evolution of fraud theory. Issues in Accounting Education, 27 (2), pp.555-579.
Gates, S., Nicolas, J.L. & Walker, P.L. 2012. Enterprise risk management: a process for enhanced management and improved performance. Management Accounting Quarterly, 13 (3), pp.28-38.
Harrington, S. & Niehaus, G. 2004. Risk management & insurance. 2nd ed. New York: McGraw-Hill.
Liu, H.C., Liu, L. & Liu, N. 2013. Risk evaluation approaches in failure mode and effects analysis: a literature review. Expert Systems with Applications, 40 (2), pp.828-838.
McNeil, A.J., Frey, R. & Embrechts, P. 2015. Quantitative risk management: concepts, techniques and tools. Princeton: Princeton University Press.
Rees, T. 2017. Former Tesco directors to face trial over accounting scandal.The Telegraph. Web.
Solicitors Regulation Authority. 2014. SRA Risk Framework. Web.
Tesco sustainability case study. 2017. Web.
Three steps to determining and applying materiality. n.d. Web.
Appendix A: Risk Identification and Observation
Appendix B: Meta-Model of White-Collar Crime
Appendix C: Risk Management Feedback Loop
