In times of negative headlines about pandemics, rising national debt and horrendous losses that raise suspicions of inadequate or even fraudulent management, I can’t help but think that there is a system of early risk detection and legal compliance in listed companies. To complete the package, for the purposes of this new article, let’s also add governance.
Although I feel quite lonely these days when I talk to colleagues about this topic, it wasn’t always like this.
Many years ago, I worked as a corporate lawyer and manager in one of the largest tourism groups on the islands, whose parent company was a listed public company. This meant that the shares of this company were bought and sold on various European stock exchanges. Therefore, the parent company and the entire group were under the supervision of an institution such as the Spanish CNMV – Comisión Nacional del Mercado de Valores – and all specific legal regulations, both at European and national level, in relation to issues such as risk management, compliance and governance (at that time still corporate governance due to the size of the group).
At the time, we were constantly talking about these issues because we were one of the companies that were legally obliged to implement and live a risk management and compliance system, along with publishing the corresponding annual statements regarding the Corporate Governance Codex.
When I joined this company, I knew no more about this topic than most of my colleagues in culture management today. In other words: I knew nothing. You are allowed to laugh.
The worst thing was that the topic, as we understand it in the 21st century, was yet to mature, and I was the one who was chosen to develop such a system from scratch because German law had to be applied as the parent company was based in Germany. I had to obtain the auditors’ approval and a positive audit report without restrictions by the end of the financial year, i.e. in less than seven months.
This was around 2009, when European regulations brought the requirements of EU countries to Spain. The company had already been dealing with the issue for several years, but had never managed to obtain an unqualified audit opinion from the auditors in the annual audit report. For several years, the company was given a negative report because it did not meet the requirements relating to the management of risks and trade secrets, compliance with regulations and corporate governance.
There was almost no Spanish literature on the subject, and very little literature in German. I looked for a book in German and some scientific articles in English. I understood what it was about, but there was no practical model that explained to me what I should do specifically. The auditors couldn’t really help me either; the number of companies that were doing exemplary work on the subject at the time was still small and they didn’t share their manuals, risk catalogs, reports, protocols, communication and solution systems so easily.
I admit that it didn’t make sense to me either in the first few days. It seemed to be all about filling out forms instead of doing something quicker and easier: informing the management by phone. My enthusiasm was limited, as is that of my colleagues in cultural management when I raise the issue.
However, the more the criminal responsibility within and for the company developed, the more we understood that this was a serious matter.
Seven months after I first heard about these issues, the first system I developed was approved by the auditors. We received the first of many certifications with no reservations. We spent the next six years improving the basic 2009 model into something really useful and indispensable for the company and its branches.
Today, I advocate the use of a risk management and compliance model (including governance) in non-profit organizations, even if there is no legal obligation to do so.
The law may not directly require it, but most cultural and creative enterprises are largely funded by public money. Who, if not these companies, supported by the taxpaying community, should minimize any business risk, ensure legally sound management and at the same time ensure the minimum ethical and organizational standards (including diversity and equality), values and codes of conduct of good corporate governance?
I would say that is “we, the tertiary sector companies”. And since there is no law that obliges us to do so, we close our eyes as if none of this is for us.
But then a virus came along, paralyzed the whole world and nobody was prepared for it. The cultural companies, especially the orchestras and performing arts organizations – but ultimately everyone – were paralyzed and had no answers. Helter-skelter, the protocols for action were produced from thin air. And yet epidemics, natural disasters or climatic phenomena are simple risks in the context of risk management because they are obvious risks.
At another time, cases of sexual harassment by artists or administrators made headlines, triggering a wave of “me-too’s”, and no one had an adequate response. Everyone expresses dismay, but little else.
There are also allegations that the management of one arts manager or another, which is or was obviously not in keeping with the rules of the trade, has led the organization into bankruptcy. Rumors are even circulating about cases of fraudulent management, and of course the companies don’t know what to do with these incidents either. In this case, everyone is calling for justice, but, in the end, the public purse pays the price.
The cultural and non-profit world is decades behind in terms of accepting and dealing with its responsibilities.
The fundamental aim of a risk management system is to avoid any risk – and if this is not possible, to be able to react ad hoc and then deal with the consequences. Compliance and governance breaches are potential risks and are therefore directly related to risk management.
After all, trust is good, but … until the damage is done.
The clock is ticking, let’s take a look…
What exactly are we talking about here?
Definition of risk management
Corporate management is inconceivable without risks, especially as certain consequences of entrepreneurial actions or omissions are often not clearly foreseeable. According to the definition in the Gabler Business Dictionary[1], “risk management has the task of using suitable methods to create transparency about the risk situation in the company (risk control) and to optimize the risk-return profile of a company (risk management)”.
Risk management aims to limit the risk of insolvency for the decision-makers or owners in order to achieve an acceptable volatility of earnings. At the same time, it provides important information for controlling and minimizes deviations from planning and budget. Finally, the assessment of opportunities and risks is an indispensable basis for business decisions.
Definition of compliance
The term compliance refers to adherence to laws and regulations. A compliance system aims to minimize certain business risks as part of risk control and risk management. A breach of the law is always a business risk, hence the link between the two control systems.
Compliance is a term that originally comes from the banking world and was intended for issues of insider trading, monopoly and corruption. In recent decades, however, it has expanded to include numerous private companies in all sectors, and has become increasingly important, especially since the reform of the Criminal Code in 2010, with the codification of the criminal liability of legal persons (in addition to that of natural persons).
Definition of governance
Governance is a defined framework for the management and administration of a company in organizational and structural terms. For consolidated companies of a certain structural size, it is referred to as corporate governance.
The aim is to optimize the efficiency of the management bodies and to monitor them at the same time, as a breach of governance is also a business risk and often a legal violation, but not exclusively. Rules such as the internal rules (i.e. those set by the company itself) are also considered.
This part of the discipline of business analysis management also takes into account the requirements of diversity, equality and business ethics.
Is this really necessary in the case of non-profit cultural enterprises?
Let me try to explain the necessity using a very simple and recurring example in cultural enterprises. Since I am an orchestra person, I will of course choose the example of an orchestra.
Imagine everything is ready for a concert, everything is rehearsed, everyone is excited to play the concert now, when the solo oboist of our orchestra unexpectedly falls ill. Let’s get this straight: If, for example, the first oboe or the concertmaster is missing, I have a serious problem. It is not possible to say: “The musician in question will resume his work when he comes back”. Imagine our concert takes place without them and they play their part 3 weeks later. Note that I am being ironic. That is completely impossible.
On the other hand, if it’s a string tutti, the piece may be able to be performed with one less person, but there are several positions that simply cannot be left unfilled. And what do we do when that happens?
Good question, I’ve asked it several times, but what if, to make matters worse, our orchestra is on an island far from the mainland? No matter how quickly another musician tells us that he is coming from Norway to help us, we have to factor in the time it takes him to get from his home country to the islands. That’s a lot more complicated.
And these things happen regularly. They can always be solved somehow, but what if next time we had a proper plan of action for the most important positions in the orchestra? At least we wouldn’t waste time thinking and pondering, but would be able to jump straight into the protocol and reduce the risk much faster and almost certainly much more financially efficient for the company.
Incidentally, the same also applies to certain positions within the administrative and technical management structure. There are positions that must never be vacant. There has to be a defined plan B for the absence of a colleague in these positions so that no time is lost if something unforeseen happens.
Now when we talk about financial uncertainties, I think you will understand me better. Many orchestras in Europe are threatened by the reduction or complete elimination of certain public funds, and there is always a storm of indignation, but no one sets out to create a contingency plan in case something like this actually happens.
I mentioned the pandemic above because, from a business perspective, a pandemic is also a risk that needs to be calculated in advance, just like, for example, the negative impact of a competitor’s successful bid on our company. They need to be analyzed and investigated in advance, otherwise we won’t know how to react appropriately in an emergency. We will lose valuable time and market share because we have not done our homework in advance.
A risk management, compliance and governance system that is adapted to our orchestra (not to the same extent as for a listed company, of course) will give us the leeway we need to survive in difficult times and ensure our sustainability.
Above all, we should never forget that there is personal and criminal liability in business today. The risk management, compliance and governance system is also a tool for management and directors to ensure that they cannot be held civilly or criminally liable for their management. But this is of less interest for the purposes of this article.
For the reader with German language skills, I recommend the following reading: Compliance und Governance – Kultur weiterdenken.
https://www.kulturmanagement.net/Magazin/Ausgabe-176-Compliance-und-Governance,245
So how can we implement and enforce a risk and compliance management system?
Of course, you will now ask me: “How do we implement a model that is suitable for our cultural enterprise? What is the right model?”
My answer is as follows: The right model is the one that we define ourselves and that we adapt to our particular reality year after year. We can always take inspiration and guidance from others, but it probably won’t really help us to copy tools that have worked for other companies.
The steps we need to take are simple:
1. The definition of a risk catalog
Definition of risks
The basis for everything is the definition and cataloging of the risks associated with our company or orchestra. The experience of the orchestra’s entire staff is useful for this. It is necessary to take a look at the past, list the mistakes made and the consequences they have had for our company.
This process should be carried out with all departments and as many people as possible.
It is also necessary to consider problems that may have been caused by competitors and should therefore also be avoided.
It is a process that requires time, many conversations and a systematization of the data that allows the next step: to extract from this information the abstract risk that requires early detection and an emergency protocol. In the example of the pandemic, the risk to be defined would be “health risks”.
Assessment of risks
Once we have a baseline of risks, we need to categorize them according to their importance and immediacy as well as the difficulty of eliminating them. In other words: Not all risks occur with equal frequency, nor are they all equally important.
For example, running out of paper for the photocopier in the middle of the orchestral audition process is a risk, but it will never be a risk of great importance or urgency as it is relatively easy to resolve. Worst case scenario, we can go across the street and print in the neighbor’s house.
This list of abstract risks with their corresponding assessments and notes then constitutes our risk catalog.
2. Recognizing risks
The next step is to set up communication channels in case someone in the company notices an ongoing or imminent problem. Typically the comment here is “Oh, if something happens, I’ll call the boss”. Yes, but it’s not that simple. At least not if we want to be effective and efficient. Not every risk needs to be communicated to management; there are experts in middle management for that. Other risks can be tackled directly by every employee.
It is important that the decision about which risk should be communicated when and by whom is not only made in an emergency. If we make a mistake and, in the case of our oboe soloist or concertmaster, report to the stage manager first in the hope that he or she will pull the chestnuts out of the fire, we lose valuable time. He or she can tell us to inform the orchestra management. That might be a better solution, but depending on the situation, it could also pose a risk for the management.
Ad hoc communication
Normally, communication in risk management systems takes place from one organizational level to the next higher level within a clearly defined organizational chart (a poorly defined organizational chart would be another risk). In other words: We usually report incidents to our immediate supervisor.
However, there are situations that pose a serious risk. And what is serious also needs to be defined. A serious situation may be one that makes production completely impossible, or perhaps one that causes additional costs. In any case, these serious risk situations require an immediate response that must extend across all organizational levels. We have defined what this is in the risk catalog.
In the language of risk managers, these notifications are referred to as ad hoc notifications. There are usually forms that need to be filled out quickly in these cases and that contain the essential information, e.g. to whom they should be sent.
Now it comes back: “But a phone call to the boss would be enough”. Right! But it’s not that simple. In the heat of the moment, details that could be important later are forgotten. The phone call is not enough. Of course I also call once I have sent the ad hoc message, but I do not only call.
Monthly / quarterly / annual risk reports
Risk reports are often used for day-to-day management risks that need to be reported to management but do not require management intervention. These are also predefined forms, often in tabular form, which list the risks that have occurred, their classification – minor, major and very major – the level of threat, the costs incurred and the status of resolution.
To return to our example:
May 2024 – RISK CONCERNING HR – Sickness case oboe soloist. Serious and immediate risk.
Overrun of accommodation and travel costs by €800 due to late booking. Closed on 17/08/2024
(Amounts and dates are arbitrarily invented)
May 2024 – RISK CONCERNING HR – Maternity leave. Serious risk for the future.
Delivery expected in October 2024. May lead to a cost overrun in recruitment, but is currently undefined. Solution still pending.
(Please don’t read anything into these words that I haven’t said because, of course, I am a woman and understand about mothers. But from a business perspective, pregnancy is what it is: a risk that needs to be anticipated, considered and resolved).
May 2024 – RISKS REGARDING ASSETS – Failure of the air conditioning in the rehearsal room. Slight recurring risk.
Regularly leads to maintenance costs being exceeded by €500. Status: Temporarily resolved on 16/09/2024. Recommendation to management: Consider purchasing a new system as part of R&D (investment & development).
(Arbitrarily invented quantities and dates)
The examples are grossly simplified, but the point is just to illustrate the idea. I think it’s clear.
The monthly (I don’t think this is necessary for an orchestra) and/or quarterly reports are formalized in the departments. The annual report (a summary of key risks) is written for management by the person responsible for risk management, compliance and governance.
Here, too, I am often told: “That’s just for the wastepaper basket”.
But that’s not the case because after a few years it provides us with invaluable information about our company and makes us fast, agile and decisive over time, without the risk of hasty decisions, mistakes and other unnecessary foot-dragging. Just like controlling[2] (which can be a risk management tool and which I have already mentioned in other articles), it gives us a clear vision of our business, our company and our orchestra, which clearly sets us apart from the competition.
3. Creation of protocols for taking action
During the pandemic, it was possible to observe how all those affected created action protocols out of thin air. Strangely, the steps explained so far were never taken into account. Of course, when Covid-19 broke out, no one was prepared.
Like the risk catalog, the action protocols also need to be created with the involvement of the entire team. This is a process that takes time and, above all, requires an annual update based on the experience gained during the exercise. We won’t find the golden solution the first time around. You would have to be very lucky.
Protocols are developed for specific risk groups, not for each risk individually. That is why the previous definitions are so important.
4. The risk manual
All these points are finally summarized in the so-called risk manual. This contains our catalog, the typological and economic classification of the individual risks, the definition of the terms (minor, severe, very severe, imminent, future, etc.), the communication channels and ad hoc communication as well as the various action protocols and all other points to be considered.
Summary:
These were the basic steps I took to solve the problem of the company not receiving a positive certificate from the auditors at the end of each financial year so far. In the first year I also thought to myself “just call the boss”, but over the course of six years I have come to understand how valuable this tool is.
Whether it’s required by law or common business sense, it’s something that should be explored and applied in non-profit cultural and creative organizations as well.
Please recall the example of the myopic pilot in my last article.[3]
Are there orchestras that really use these instruments in their daily work?
Have I still not convinced you, really?
Since there is a lot of controversy in the classical music world (for better or worse) about what is done in other Spanish and European orchestras, perhaps it will help if I tell you that, of course, there are orchestras that work with risk management and compliance tools. Perhaps not exactly in the form shown here, but rather in a form adapted to them; in any case, they do use them.
One orchestra that definitely works with the tools discussed in this article and with controlling is the Staatsphilharmonie Rheinland-Pfalz in Ludwigshafen, which is led by the artistic director Beat Fehlmann. For years, they have been winning all the prizes that have to do with the good and correct management or marketing of orchestras. I admire them very much and feel very honoured to have been invited to visit this orchestra for a week at the end of this year. I will be able to observe how they prepare their New Year’s concert and talk to colleagues about topics such as risk management, controlling or simply the use of the digital music stand.
Likewise, I will certainly publish an article in this blog about my visit to Ludwigshafen and all the interesting things I learned on the trip.
If you want proof today that what I am saying is true, I recommend the following article on the sub-topic of controlling (German only):
Controlling mit Blick auf die Musiker:
https://www.controllingportal.de/Fachinfo/Funktional/Controlling-mit-Blick-des-Musikers.html
Nicole Martín Medina
Las Palmas de Gran Canaria
August 2024
(Original in Spanish / Translation: DeepL / Revision: NMM)
*****
Footnotes:
[1] See: Gabler Wirtschaftslexikon (German)- https://wirtschaftslexikon.gabler.de/definition/risikomanagement-42454
[2] See: Part 1 Controlling – 10 reasons for controlling in symphony orchestras – Spanish and German only
https://nicolemartinmedina.com/de/10-gruende-controlling-sorchestern/
Part 2 and 3 Controlling Spanish only:
https://nicolemartinmedina.com/los-instrumentos-del-controlling-2/
https://nicolemartinmedina.com/controlling-3/
[3] See: Numerical tools for non-profit organisations and projects – https://nicolemartinmedina.com/en/economic-and-financial-analysis-tools/
*****
The article is also available in:
SPANISH (original): https://nicolemartinmedina.com/de/risikomanagement-compliance-governance-orchester/
GERMAN: https://nicolemartinmedina.com/de/risikomanagement-compliance-governance-orchester/