UNIVERSITEIT GENT FACULTY OF ECONOMICS AND BUSINESS ADMINISTRATION ACADEMIC YEAR 2013-2014
Do financial analysts take into account risk management and internal control information?
Master thesis to obtain the degree of: Master of Science in Applied Economic Sciences: Business Engineering
Dries De Craemer Lead by Prof. Dr. Gerrit Sarens
I, undersigned, declare that the contents of this thesis can be consulted and/or reproduced, provided citation.
Dries De Craemer
The undersigned declares that the contents of this master's thesis may be consulted and/or reproduced, provided the source is cited.
Dries De Craemer
Dutch Summary
In this master's thesis I want to examine how financial analysts deal with the publication of risk management and internal control information by companies and how they incorporate it into their valuation. Previous research has shown that publishing such information yields benefits both for companies and for all stakeholders. The literature review is followed by my own qualitative research, in which interviews are used to gain insight into the analysts' perception of this topic. These interviews were coded and processed by means of a “within case” analysis and a “cross case” analysis. The results of these analyses are compared with the literature review; conclusions are drawn from this and recommendations are made. The interviews show that the financial analysts attach no importance to the publication of information about the risk management or internal control framework used by the companies. Furthermore, we find that the information disclosed by companies with regard to risk management or internal control is often not included by analysts in their valuation. Their valuation is mainly based on quantitative elements, and information about risk management or internal control is difficult to integrate into it. Another explanation given by analysts is that they regard both risk management and internal control as elements of internal business operations. The systems themselves therefore certainly have their use, but the external reporting on these systems adds no value. To comply with the law, companies are often obliged to publish certain matters about risk management and internal control on a regular basis. The preparatory work involved and the costs incurred for this can rise considerably.
If this information is not valued by investors and analysts, one may wonder what its value is and whether a revision of the legislation on this matter is in order. The legislator and leading organizations such as COSO can work together on this so that the publication of risk management and internal control information can add value both for companies and for stakeholders.
Word of thanks
I would like to thank a couple of people who contributed to the creation of this thesis. First of all I would like to thank Prof. Dr. Gerrit Sarens who provided me with guidance and advice throughout the year. His input was indispensable for this thesis. Next I would like to thank the financial analysts who found time in their busy schedule to sit down with me and share their expertise. I would also like to thank my parents for supporting me and letting me follow my own path. Without their unconditional support, I would have never been able to achieve what I have during my studies. Lastly, I want to thank my fellow students and friends for their support throughout my studies.
TABLE OF CONTENTS
Word of thanks
Table of contents
Tables used
1. Introduction
2. Risk management
3. Internal control
  3.1 Benefits of internal control
  3.2 Internal control deficiencies
4 Link between Internal Control and Risk Management
5 Why companies disclose risk management and internal control information
  5.1 Legal reporting obligations
    5.1.1 US
      5.1.1.1 Sarbanes-Oxley (2002) section 302
      5.1.1.2 Sarbanes-Oxley (2002) section 404
    5.1.2 Europe
    5.1.3 Belgium
  5.2 Voluntary reporting
6. Consequences of disclosure
  6.1 Risk Management disclosure
  6.2 Internal control information disclosure
7. Analysis of a company
8. Empirical study
  8.1 Research set-up and research question
  8.2 Within Case Analysis
    Case A: Financial analyst at Petercam
    Case B: Financial analyst at Leleux Associated Brokers
    Case C: Senior Equity Analyst at Bank Degroof
    Case D: Equity Analyst at Petercam
    Case E: Financial analyst at Petercam
    Case F: Independent financial analyst at Demes
    Case G: Independent financial analyst
  8.3 Cross Case Analysis
    8.3.1 Sources of information for financial analysis
    8.3.2 Knowledge of risk management and internal control frameworks
    8.3.3 Perceived value of disclosure of risk management
    8.3.4 Perceived value of internal control information
  8.4 Conclusion
9. General Conclusion
Bibliography
Appendix
  Interview 1: Herman van Der Loos (Petercam) Analyst A
  Interview 2: Geert Van Herck (Leleux associated brokers) Analyst B
  Interview 3: Marc Leemans (Bank Degroof) Analyst C
  Interview 4: Junior Cuigniez (Petercam) Analyst D
  Interview 5: Roderick Verhelst (Petercam) Analyst E
  Interview 6: Gert De Mesure (Bvba DEMES) Analyst F
  Interview 7: Vincent Koopman (03/03/2014) Analyst G
Abbreviations used
RM: Risk management
IC: Internal control
ERM: Enterprise Risk management
COSO: Committee Of Sponsoring Organizations of the Treadway Commission
CG: Corporate Governance
SOX: Sarbanes-Oxley
Tables used
Table 1: Main valuation methods, ranked by type
1. Introduction
Analysts play a very important role in today’s financial world. They are the ones providing millions of people with reliable and relevant information, based on which these people can make investment decisions. The dataset upon which they base their analysis is very large and probably differs from analyst to analyst or from firm to firm. Most of the large asset managers or financial institutions create valuation models for their analysts, which the analysts can build on and enrich with new or other information.
Partly due to a series of scandals, the role of risk management and internal control in today’s business environment is becoming increasingly important and consequently, businesses are forced to enhance their corporate governance. With the introduction of new legal requirements, such as the Sarbanes-Oxley Act (2002) in the US or the Corporate Governance Code (2009) in Belgium, companies are required to disclose more information on how they deal with elements such as internal control and risk management. These disclosures should be a win-win for both investors and companies. Investors gain more insight into the risk structure and internal control systems, which should boost their trust in the companies and their reporting. Consequently, the companies which disclose this information should benefit from this lower perceived risk and be able to obtain cheaper financing and reduce their cost of capital. (Belgian Corporate Governance Code 2009)
The direct consequence of these new regulations is that companies will have additional costs of compliance. Not only the direct costs of creation or expansion of these systems, but also the additional costs of preparing the necessary statements and hiring an external auditor will impact the company’s bottom line. While the cost side for the corporations is quantitatively determinable, the benefit side is not. To determine this, one has to assume that the additional disclosures made by the companies will reduce the perceived risk and increase the valuation of a company. (Belgian Corporate Governance Code 2009)
The valuation of a company is a complex and subjective matter; the exact value of a company doesn’t exist since this is always based on assumptions and depends on the models used by analysts. In this thesis I want to assess whether analysts include the disclosure of risk management and internal control systems in their valuation and how they interpret this kind of information. To achieve this, I decided to contact several financial analysts for an interview. After gathering and contacting roughly fifty analysts, I was able to conduct seven interviews with analysts who have different backgrounds, a varying amount of experience and different areas of expertise. During these interviews I wanted to gain insight into which elements they use in their analysis and specifically determine the influence of the disclosure of risk management and internal control information. The data gathered from these interviews was processed and used to analyse the similarities or differences in interpretation and valuation by analysts.
This research is obviously subject to certain limitations. First of all, I was only able to interview a small subset of financial analysts who were all located in Belgium. Secondly, some analysts were reluctant to disclose the exact method or model which they used for their analysis since they consider this to be proprietary knowledge of their company or themselves. Furthermore, since we’re dealing with human behaviour, we can’t be fully sure they perform their analysis exactly like they described it.
This work starts off with a literature review in which we describe the concepts of risk management and internal control. We continue with the legal requirements and possible motives for voluntary disclosure by companies. Next we review the previous research on the impact of risk management and internal control disclosures on the company’s performance. The last part of our literature review is a brief description of the methods analysts most commonly use to determine the valuation of a company. The following part is dedicated to the primary research, which consists of the interviews conducted with financial analysts and the analysis of their responses by using a within case and cross case description. In the conclusion, the most important results will be discussed and compared to previous research, followed by an interpretation and a few recommendations.
2. Risk management
Defining the concept of “Risk management” is hard, mainly because opinions vary on what it actually means. Many leading organizations have tried to define the concept themselves, leading to several definitions. The most respected risk framework, which most firms adopt, is the COSO Enterprise Risk Management (ERM) framework (2004). It defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. The matching between risk appetite (the amount of risk a company is willing to take while going about its business) and risk tolerance (the acceptable level of variation in the achievement of the company’s objectives) is key here. Risk tolerance is included in the COSO Internal control framework as a precondition to (but not as a part of) internal control, which will be discussed in the next chapter.
John J. Hampton (2009) studied enterprise risk management (ERM) in detail and tried to formulate a consensus definition of enterprise risk management: “ERM is the process of identifying major risks that confront an organization, forecasting the significance of those risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan, and holding key individuals responsible for managing critical risks within the scope of their responsibilities”. It’s noteworthy that most other definitions have similar elements but stress different aspects of the risk management process. Hampton lists the 4 major advantages of the implementation of ERM; it offers internal as well as external advantages to companies. Internally, ERM improves the company’s capability to deal with its risk exposure efficiently and provides stability to the enterprise. Externally, it creates stronger relationships with regulators and improves stakeholders’ confidence in the company.
Over the last decades, enterprise risk management systems have gained a lot of traction. Even though the value of ERM is accepted by most firms to be positive, some firms still haven’t adopted it. Golshan et al. (2012) found that this could be due to several reasons. Some firms misunderstand how ERM can be implemented in an effective way and what benefits it brings them. Pagach & Warr (2010) argue that ERM requires a top-down approach instead of a collaborative one, while Kleffner et al. (2003) claim that trouble in measuring risks across the entire company is a main reason. According to Beasley et al. (2005) larger entities are able to spend more money and other resources to implement ERM; this confirmed the earlier findings by Colquitt, Hoyt & Lee (1999), who claim that bigger companies are more likely to employ a concept of integrated risk management than smaller firms. Smaller firms might be willing to implement these systems but simply can’t afford it. This could also be a reason why some firms haven’t adopted a well-defined ERM system yet.
3. Internal control
COSO (Committee Of Sponsoring Organizations of the Treadway Commission) developed the Internal Control framework in 1992; since then it has gained broad acceptance and is considered to be the most used in the world. Over the years, businesses and operating environments have become more complex, technologically advanced and globalized while stakeholders require more accountability and transparency from them. COSO claims this framework can enable companies to develop and maintain efficient and effective internal control systems which will help them adapt to these changes. Implementing an internal control system enables a company to keep its focus on its operations as well as on its financial performance goals. In summary, COSO defines internal control as follows:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1) Effectiveness and efficiency of operations
2) Reliability of reporting
3) Compliance with applicable laws and regulations”
This definition stresses that an internal control system is not a one-time thing; it requires a continuous effort (a process) from the company. It should be noted that good internal control systems don’t directly result in improved firm performance since they cannot prevent external factors which are outside of the company’s control.
Since we’re mostly interested here in the reporting objective of internal control, we’ll now focus on this topic specifically. Stakeholders are not only concerned about the reliability of the current financial reports but they’re also interested in the future financial statements of the firm. An effective internal control system should relieve the concerns of stakeholders about the reliability of the future financial statements. The reporting objective of internal control systems refers to the reporting of financial and non-financial information on the company, both internally and externally. The external reporting is important because companies often need to comply with regulation but it can also be used as a tool to convince stakeholders of the strength of the company. For example, some companies try to obtain the ISO norm for quality management, which they can then publish in their annual report. The performance of a company is then judged by investors and analysts by studying the company’s annual report and financial statements. (COSO 1992 & 2013)
Internal control systems do in no way fully prevent the company from making mistakes; they can only provide “reasonable assurance”. This term is defined by the FCPA (1977) as “such degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” When reviewing the adequacy of the internal control system, managers must make sure that any mistake that has been made can be considered a one-time thing, rather than an indication of a failing system which will no longer reasonably assure the reliability of future financial statements. If this is not the case, changes have to be made to the internal control systems and these changes have to be mentioned in the annual report. (Cfr. Infra)
3.1 Benefits of internal control
Internal control gives management feedback on how the business is doing and helps to reduce surprises. It increases efficiency and effectiveness within the company and its processes. Moreover, effective internal control is often a necessity to gain access to capital markets which can help a company grow. Internal control leads to increased and more reliable financial reporting to the outside world, which leads to increased investor confidence. Technically, companies are able to determine the costs of internal control systems by adding all the direct costs made to implement the specific systems. However, both the costs and the benefits of internal control systems are rather hard to quantify.
3.2 Internal control deficiencies
COSO (2011) defines an internal control deficiency as a situation in which a certain internal control principle is deemed to be non-functional or simply not present. Internal control deficiencies are often classified in one of 3 categories: deficiency, significant deficiency, and material weakness. A material weakness related to financial reporting is defined as a “condition in which there is a deficiency or a combination thereof in internal control such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be detected, prevented or corrected on a timely basis.” The existence of a material weakness in external financial reporting means a company can no longer claim that its internal control system is effective. A significant deficiency is less severe than a material weakness but it’s still important enough for the board of directors to look into it. If multiple significant deficiencies are discovered, they are collectively considered as a material weakness.
Sarbanes-Oxley Section 404 requires US companies to ensure an internal control system which provides reasonable assurance that material weaknesses will be prevented or detected. This assessment should be made through thorough analysis and testing of the operating effectiveness of the internal controls which prevent or detect material weaknesses in the financial statements.
4 Link between Internal Control and Risk Management
Enterprise risk management and internal control are strongly related, yet one is more elaborate than the other. ERM expands on internal control, focusing fully on risk and describing it more broadly; we could therefore state that internal control is a part of risk management itself. They both define 3 different types of objectives, which are compliance, operations and reporting. However, enterprise risk management as defined by COSO adds an additional category: ‘Strategic Objectives’. These high level goals should be the basis to which the other 3 types should be aligned. (COSO 1992, 2011) It’s clear that while internal control is a very useful and necessary exercise, it’s not a goal on its own. It’s a way for companies to make themselves better, without changing the company drastically. Risk management, on the other hand, has the ability to influence a company at a very high level.
5 Why companies disclose risk management and internal control information
Obviously the increased attention for risk management reporting has several root causes. One could wonder whether companies disclose risk management information to comply with different legal requirements or whether they do this on a voluntary basis to please their stakeholders. Companies in the US have to comply with Sarbanes-Oxley (Sections 302 and 404), in Europe all firms have to disclose the principal risks and uncertainties they face (European directive 2006/46/EG) and even in Belgium, companies have to report on their risk management and internal control systems.
5.1 Legal reporting obligations
IFRS (International Financial Reporting Standards) and US-GAAP (US Generally Accepted Accounting Principles) already call on companies to make risk disclosures, requiring them to inform their investors in the annual report about going concern uncertainties and key causes of uncertainty influencing estimations.
5.1.1 US
The main regulator in the US is the SEC (Securities and Exchange Commission). Its legal requirements in terms of risk management and internal control disclosure are rather limited. It requires publicly traded companies to disclose their risk factors in both the annual and quarterly reports (respectively the 10-K and 10-Q forms). Any changes made compared to the last term should be mentioned in the 10-Q forms as well. The introduction of the Sarbanes-Oxley Act completely changed the game for internal control and risk management disclosure. Sarbanes-Oxley is a US act which was approved in 2002 by the American government to set the standard for the management and boards of all US public companies. Most notably, it forced top management to personally certify the accuracy of the company’s financial reports in order to prevent fraud. Additionally, it required them to hire independent external audit firms to verify the financial statements. The 2 most important sections (302 and 404) relevant to this paper are further explained below.
5.1.1.1 Sarbanes-Oxley (2002) section 302
The Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (2002): section 302 is dedicated to the company’s corporate responsibility when it comes to financial reports. It requires the principal executive officer and principal financial officer of American companies to personally certify each annual or quarterly report. They have to guarantee that they have read the report and that it, to their knowledge, does not contain any untrue statement and that it fairly represents the financial situation of the company. These executives are also responsible for setting up an internal control system which will inform them about any important material information. The effectiveness of this system has to be tested on a regular basis. Every annual report should also include a review of the effectiveness of these systems. All significant deficiencies in the internal control system or cases of fraud which could reduce the effectiveness of financial reporting have to be disclosed by the signing officers to the external auditor and internal audit committee. Additionally, every significant change in the internal control system should be documented.
5.1.1.2 Sarbanes-Oxley (2002) section 404
The Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (2002): section 404 is dedicated to the assessment of internal control of financial reporting. It states that every public US company which publishes an annual report should also include an internal control report in it. This should state the responsibility of management for establishing and maintaining an internal control structure for financial reporting. It should also contain a report on the effectiveness of the internal control framework and systems of the company. Additionally, it states that every public US company should have its internal control systems audited by a registered public accounting firm (external auditor) which will have to attest to and report on the internal control by the company’s management. Management also has the responsibility to evaluate every change that is made in the internal control over financial reporting during the year. It’s worth noting that the US law doesn’t specifically ask for a risk management framework as it does for an internal control framework. As we will see next, this is the biggest difference between US and European regulation.
5.1.2 Europe
In 2006, Europe issued a guideline (2006/46/EG) which forced public companies with a branch in Europe to include a separate note on corporate governance with their yearly report. This report should include important information on corporate governance and more information on their applied risk management and internal control systems relevant to the process of financial reporting. If a company is part of a group, it’s not necessary to publish separate corporate governance reports for all the separate branches; it is however mandatory to provide information on risk management and internal control systems of the group. Directive 2003/51/EC also requires companies to give an elaborate description of the principal risks to which they’re prone and which uncertainties they face in the future. The European risk reporting is more advanced and elaborate than the US equivalent. It focuses on the entire corporate risk exposure, treating risks of all categories instead of just sticking to single risk factors and market risks.
5.1.3 Belgium
In Belgium, the laws regulating corporate governance, specifically the part about risk management and internal control systems, are not as elaborate as the American Sarbanes-Oxley Act. Belgian law requires Belgian financial companies to describe the most important characteristics of their internal control and risk management systems related to the process of financial reporting. (Belgian Law of 06/04/10) Belgian companies are required to use the “Belgian Corporate Governance Code (2009)” as the guideline and standard. This code is based on the same “comply or explain” principle which was recommended by the OECD and recognized by the European Union in its 2006/46/EG guideline. This code states that the board is responsible for taking the appropriate measures to guarantee the integrity and timely publication of the annual report and other financial and non-financial information which has to be made available to stakeholders or possible stakeholders. They’re also responsible for the approval of a framework of risk management and internal control (Cf. COSO framework) which is established by the management. This framework should clearly define the definitions of internal control and risk management and help management implement the appropriate risk management and internal control systems. The monitoring of effectiveness of these systems has to be tested at least once a year. (Belgian Corporate Governance Code 2009) A description of the most important characteristics of these systems should also be made public in the “Corporate Governance chapter”. This chapter specifically states that the management has to create a system of internal controls which identify, evaluate, control and monitor financial and other risks, within the framework approved by the board. (Belgian Corporate Governance Code 2009, principle 6.5)
5.2 Voluntary reporting
Voluntary reporting on risk is something a lot of companies already do on a frequent basis to keep their stakeholders informed. Identifying the exact reason why they do this is of course not possible, but it’s very likely they do this to please their stakeholders in an attempt to increase their trust in the company. During the last economic crisis it became clear that trust in a public (quoted) company is essential and a lack thereof could be detrimental to a firm. If we follow this reasoning, we would assume that reporting on risk management and internal control information would be beneficial to a firm.
One could ask the question whether risk disclosure should be regulated and become mandatory or if it should stay voluntary to reward the most “open” companies. Some institutions have suggested frameworks in which companies could report on all business risks and provide forward-looking risk disclosures. The problem with this type of regulation would be that companies would be reluctant to provide stakeholders with information which is sensitive and which they don’t want their competitors to see. This would result in incomplete risk disclosures which wouldn’t effectively reduce the information asymmetry with stakeholders and therefore wouldn’t change the required risk premium. (Dobler 2005) Additionally, empirical evidence from Germany showed that risk disclosures only marginally improved after legally requiring companies to report on risk. (Bungartz, 2003; Kajüter, 2004; Fischer and Vielmeyer, 2004)
Jorgensen and Kirschenheiter (2003) concluded that imposing mandatory risk disclosure requirements will result in a lower company valuation. They argue that forcing companies to make disclosures they wouldn’t voluntarily make leads to higher disclosure costs and therefore a lower company value. They also found that in a voluntary risk disclosure environment, companies who do disclose have a higher share price. This is in line with the findings of Verrecchia (1983), who argues there is an optimal level of risk disclosure after which point the disclosure becomes more expensive than the benefits it brings to the company. We can therefore assume that companies will never voluntarily fully disclose all of their risk information, since this would take up too many resources.
In the next chapter we will analyse the consequences of the disclosure of risk and internal control information in detail.
6. Consequences of disclosure
6.1 Risk Management disclosure
Dobler (2005) and Healy and Palepu (2001) have investigated the influence of risk disclosure on a company’s performance and have concluded that “Reporting on risk may decrease the firm’s risk premium demanded by the investors and decrease the firm’s cost of capital”. Risk reporting reduces information asymmetry between stakeholders and the company, which will lower the firm’s risk premium demanded by the market to invest with the company. A lower risk premium will result in a lower cost of capital (when calculating the cost of capital through CAPM). (Solomon et al., 2000; Linsley and Shrives, 2000; Lang and Lundholm, 1996) Furthermore, literature has indicated that reporting on risk encourages firms to more actively manage the risk of their own portfolio, which is also beneficial to a company. (Linsley and Shrives, 2000) Kajüter (2001), Woods and Reber (2003) and Beretta and Bozzolan (2004) found that firms tend to disclose information on past and present risks, but are rather reluctant to disclose information on future risk. Linsley & Shrives (2006) contradict this in their more recent study. They found a statistically significant amount of forward-looking risk disclosures. This could be explained either by the increasing attention for risk disclosures in the last couple of years, or by the broader definition of risk used by Linsley & Shrives.
The findings we discussed in the previous section on voluntary disclosure of risk management, lead us to believe that we should be careful with estimating the impact and informative value of risk reports and always verify whether the disclosure is voluntary or to comply with regulation, since previous research suggests these have different impacts.
6.2 Internal control information disclosure
The same problem occurs with the disclosure of internal control information. An important survey by Hermanson (2000) was conducted with several financial statement user groups in the US. It indicated that respondents generally agree that internal controls are important and that the value of the information strongly depends on the nature (voluntary or mandatory) of the disclosure. They indicated that if reporting became mandatory, they would judge the information as less valuable and consequently be more positive about voluntary disclosure. Deumes (2008) on the other hand claims that in a system of voluntary disclosure, investors will expect full disclosure and everything short of that will be perceived as a higher risk, therefore requiring a higher risk premium. He concludes that managers will have to consider the trade-off between the costs of making internal control disclosures and the benefits of having to pay a lower risk premium. Comparable to reporting on risk management, reporting on internal control can also provide substantial benefits to a company. As indicated by McMullen (1996), reporting on internal control can improve the quality of internal control systems and procedures, which have proven to be beneficial to a company. We can assume that improved quality of internal control systems will lead to a lower level of risk, which in turn should lead to a lower expected risk premium by investors. Additionally, Deumes (2008) found that reporting on internal controls has been recommended as a way to improve financial reporting and reduce governance problems, but the extent to which this happens depends on the size of the companies involved. There seems to be a positive association of company size and the voluntary reporting on internal control. This relationship is also found and described in a British empirical study by Beretta and Bozzolan (2004).
Deumes (2008) argues that companies tend to disclose more internal control information because it enables investors to more efficiently monitor management. This disclosure reduces the information risk as well as the agency problems with which investors are often confronted. If they don’t disclose this kind of information investors will assume that there is an information risk and agency problem and this will be taken into account in the valuation and pricing of the firm. Furthermore, investors can view firms voluntarily disclosing internal control information as being less risky overall, which reduces the uncertainty about the company’s performance in the near future.
7. Analysis of a company
Now that we know about the basics of enterprise risk management and internal control systems, we will discuss what financial analysts take into account when valuing a company. Fernàndez (2007) described the most widely used company valuation techniques: discounted cash flow (DCF) method, balance-sheet based methods, income statement-based methods and mixed methods. In table 1, Fernàndez lists the methods, classifies them into 6 groups and gives the best-known examples. The first group, balance sheet-based methods, is a very static method since it doesn’t take into account any future elements. Since risk management in its very definition is a dynamic and ongoing process, we’ve decided that this type of valuation method isn’t the most appropriate one in this case.
The second group, income statement-based methods, is based on the sales or earnings of a company. Risk management and internal control both have the objective to reduce variability in earnings, so we can assume that using these kinds of valuation techniques should reflect some of the influence of the disclosure.
The third large group, cash flow discounting, is based on the future cash flows, which are discounted at the weighted average cost of capital (WACC). The literature suggests that risk management, as well as internal control information disclosure, could lead to a lower information asymmetry between stakeholders and management. (Cf. Supra) In turn, this should lead to a lower perceived level of risk by investors and should lower the risk premium and therefore the WACC. Again, we can expect an influence here of the disclosure on the value of the company.
The fourth category which we’ll consider is the “Value Creation” valuation techniques, of which EVA (Economic Value Added) is the best-known example. Its formula is:
$$EVA = NOPAT - (Capital \times Cost\ of\ capital)$$
Again we can immediately draw the same conclusion as before: based on the literature we reviewed, we expect a different level of disclosure to result in a lower or higher cost of capital (through the mechanism explained above). This calculation was developed to try to grasp the true economic profit of a company, so we expect financial analysts to positively value any growth in EVA. The other categories of valuation methods are left untouched in this study. If we take the perspective of the investor (instead of the company and corporate finance approach) we can assume that profit maximization will be the investor’s main goal when investing in a company. He will therefore try to get the highest return possible for a given level of risk, which depends on his risk appetite. Financial analysts will certainly base their decisions and company analysis on a large number of factors, of which we can only grasp some. We do expect, based on previous research, to see an indirect influence by the disclosure of risk and internal control information on the valuation of companies by financial analysts. We will try to determine the direct and indirect influence of disclosures of risk management and internal control information on the perceived value of companies in the heads of analysts.
Main valuation methods

| Balance Sheet | Income Statement | Mixed (Goodwill) | Cash Flow Discounting | Value Creation | Options |
|---|---|---|---|---|---|
| Book value | Multiples | Classic | Equity cash flow | EVA | Black and Scholes |
| Adjusted book value | PER | Union of European Accounting Experts | Dividends | Economic profit | Investment option |
| Liquidation book value | Sales | Abbreviated income | Free cash flow | Cash value added | Expand the project |
| Substantial value | P/EBITDA | Others | Capital cash flow | CFROI | Delay the investment |
| | Other multiples | | APV | | Alternative uses |

Table 1: “Main valuation methods” (Fernàndez, 2007)
8. Empirical study
8.1 Research set-up and research question
The disclosure of risk management and internal control information is a subject on which a lot of research has been done already, most of which we outlined in the previous parts. A lot of the discussion around it has been about the legal framework surrounding the subject, which has changed quite a bit over the last decades. I want to approach this discussion from a different perspective. Since a lot of private and corporate investors rely on the valuations by professional analysts, I wanted to verify the impact of the disclosure of risk management and internal control information on the valuation by financial analysts. During my interviews with the analysts, I wanted to know what the major elements were which played a role in their valuation and if the disclosures we researched were among them or not. Furthermore, I wanted to test the knowledge of the analysts about risk management and internal control frameworks, since these play a big role in the disclosure. If analysts should be familiar with several frameworks, the next step would be to determine how they would be valued differently from one another. In any case, the last big part of the interview would be dedicated to finding out how disclosure of risk management and internal control information was being valued by the analysts. I composed a list of fifty analysts and sent them a personal email to request an interview. Seven of them were willing to cooperate and were interviewed. A list of the contacted analysts can be found in the appendix; the full transcripts of the interviews are available on request upon contacting Prof. Dr. Sarens or the author of this thesis. The interviewees were promised anonymity, though their identity is also known to the promoter of this thesis.
With the input from these analysts I tried to answer my research question: “How do financial analysts take into account risk management and internal control information?” For the processing of our qualitative data, the approach proposed by Miles and Huberman (1994) was used. The first step was to reduce the data, which was achieved by coding the relevant parts and disposing of the non-useful data; a within case analysis was made, which can be found in the next chapter. In the second step, a matrix was made to give us a better overview of the gathered data and to simplify further analysis; this matrix can be found in the appendix. In the next step, a cross case analysis (Cf. Infra) was made in which we analyzed the data per subject instead of per analyst. These steps allowed us to draw conclusions from the observed trends, similarities and differences.
8.2 Within Case Analysis
Case A: Financial analyst at Petercam
Analyst A is a seasoned financial professional with over 20 years of experience in 2 of Belgium’s top financial institutions. He’s currently working as a sell-side equity analyst, specialized in real estate, at one of the top Belgian firms in terms of private banking and asset management.
1. Most important sources of information as input for the analysis and valuation of a company
Analyst A’s main source of information is the annual report, from which he claims to mainly analyse the balance sheet, profit & loss- and cash flow statement. Besides this quantitative input, he’s also in close contact with the management of the companies which he covers. In his experience, the annual reports contain a lot of unnecessary and worthless information. He also claims that most companies make an effort to strengthen investor relations and mainly do this by inviting him over and allowing contact with the middle management. The analysis itself though is still mainly quantitative; every input has to be objectified and modelled to be implemented in the valuation model. This model gives an output which has to be interpreted by the analyst.
“The annual report is very important to us, it’s our main source of information. If anything is still unclear, we contact the company itself… Our job is mainly quantitative, we try to objectify and model everything, the models then give us a general output. The interpretation of this outcome requires a certain ‘feeling’.”
2. Knowledge of Risk management and internal control frameworks
Analyst A is not at all familiar with any risk management frameworks available. Even upon further questioning, when mentioning COSO, he indicates this is not known to him. Risk management is considered a ‘black box’ of which he assumes it’s being implemented to industry (legal) standards. Besides the information in the annual report on the largest risks (often currency or interest rate risk), no disclosure on risk management frameworks or internal control frameworks is deemed relevant to him. Both risk management and internal control are considered to be an integral part of the company’s internal functioning, which is hard to gauge for an external party.
“[Interviewer]: Are you familiar with frameworks which companies use for risk management procedures? [Analyst A]: I am not at all familiar with this, I consider this to be more of a black box mechanism.”
3. Value and interpretation of Risk management and internal control information
Analyst A states that the real estate sector is less prone to the ‘main’ risks (such as currency risk or commodity price risk) than other sectors. Most of the companies he reviews dedicate a chapter of their annual report to their biggest risks and how they can potentially influence the result. The way in which they’re dealt with by the company is not a concern to analyst A; he considers this to be part of the internal functioning of the company. Analyst A reads the chapter in the annual report which outlines the main risks but this is of less importance in his analysis. He tends to focus more on (quantifiable) operational and financial metrics. The part on risk management systems as described in the corporate governance statement is not considered important to analyst A. He honestly admitted he doesn’t read these passages and that it doesn’t influence his analysis in any way. These disclosures are made to comply with regulations but aren’t necessarily useful to analysts or investors. The initial reaction, especially with younger analysts, might be that they get a certain sense of security, but we can’t let this blind us. Analyst A concludes that this reporting is becoming increasingly standardized and companies all report in the same way. This way, the value of these disclosures diminishes.
“The entire corporate governance statement contains very little useful information, to me this is a formal statement which is formulated in the same way by every company. I honestly don’t read this chapter.”
“[Interviewer]: So whether a company would publish more or less information on this topic wouldn’t influence your analysis? [Analyst A]: No, it wouldn’t make any difference. I like knowing these systems of corporate governance, in terms of risk management and internal control, exist but that’s it… An adequately functioning system of risk management and internal control should be seen as self-evident…”
Case B: Financial analyst at Leleux Associated Brokers
Analyst B is a financial analyst with Leleux Associated Brokers. As a sell-side analyst he offers his expertise to his clients and performs technical and fundamental analyses on equities.
1. Most important sources of information as input for the analysis and valuation of a company
As a financial analyst, Analyst B focusses on quantitative information like the evolution of turnover, EBITDA, profit, margins … This information is mainly found in the annual report. Analyst B tries to mix fundamental research with technical analysis, which is almost completely done by using quantitative information; there is no qualitative input in the process. During some analyses he claims to even only look at the technical analysis with little regard for the fundamentals.
“Honestly even if the numbers are bad, as long as the prices stay at an acceptable level it doesn’t matter to me. When analyzing a company I tend to favor the technical analysis rather than the fundamental one. In these cases I obviously don’t care about very detailed information about the functioning of the company, such as for example risk management and internal control systems.”
2. Knowledge of Risk management and internal control frameworks
Analyst B has no knowledge of existing frameworks of risk management or internal control. He claims he doesn’t take into account risk management- or internal control systems when analysing and valuing a company.
“I have never heard of any frameworks concerning risk management or internal control. I think this is normal since this is far from my area of expertise.”
3. Value and interpretation of Risk management and internal control information
Analyst B tends to read the disclosures companies make on how they handle certain topics such as interest rate risk and refinancing risk, but it’s often very limited. Internal control disclosure is not something analyst B cares about; he claims that companies are legally required to publish certain information which leads to a giant annual report, but this is actually useless information for his financial analysis. The entire corporate governance statement is rarely reviewed by analyst B; he claims it doesn’t contain a lot of interesting information. Some companies do disclose more than legally required but analyst B considers this to be more for public relations purposes. If one company outperforms another, then there are most probably fundamental factors responsible for this, other than risk management and internal control system disclosures.
“[Interviewer]: So you consider risk management- and internal control system disclosures to be less interesting? [Analyst B]: I’m neutral towards these kinds of disclosures. I won’t normally read them or start looking for that kind of information during my analyses. To some extent I do take some risks into account, but the system used by the company is of less importance. To me, it’s only logical that every company is exposed to some risks and deals with them as well as possible… Both risk management and internal control systems obviously have their value, but I doubt there’s actually value in reporting on them since financial professionals won’t care about it too much.”
Case C: Senior Equity Analyst at Bank Degroof
Analyst C has years of experience as a (senior) financial analyst at one of the largest banks in Belgium, as well as with his current employer which is one of the most reputable wealth- and asset managers in Belgium. He also has a background as an internal auditor and currently works as a senior credit analyst with the same employer.
1. Most important sources of information as input for the analysis and valuation of a company
Analyst C describes himself as a fundamental analyst, which means he executes profound analyses based on mainly quantitative information. He gets this information from secondary sources like Bloomberg and Reuters but also performs his own analysis based on the annual report. Next to the balance sheet, cash flow- and profit and loss statement, analyst C consults the segment and industry information. The hitting or missing of the earnings forecasts in the past is also important in the analysis.
2. Knowledge of Risk management and internal control frameworks
Analyst C claims to have a basic knowledge of the COSO framework, mainly because of his time as an internal auditor. He’s aware that COSO is the framework most often used in internal control, but his knowledge about the specificities is very limited. The company’s choice of framework is not very important or relevant.
3. Value and interpretation of Risk management and internal control information
Disclosures on Risk management and internal control systems are hard to quantify and are therefore not used in the valuation of analyst C. He claims that when nothing special or out of the ordinary is reported, this information is not taken into account.
“Maybe it’s undeserved, but if nothing special is reported, then I won’t take any of the information into account. It has never happened to me in all my years of experience that a discrepancy in this area has influenced my analysis or valuation of a company.”
Analyst C states that risk management and internal control systems obviously have their use in a company, but he doubts if it’s valuable to investors and analysts that companies report on these systems. He thinks that these disclosures are currently done in a way which offers no additional value and is not a differentiation factor between different companies. In order to make them more efficient, analyst C says that companies could maybe publish the internal audit reports. This allows an external party to really assess the quality of the internal control systems. The report of the external auditor is more important to analyst C; he claims they are trained to assess the company and this approval is more valuable than a disclosure on the internal control systems. He feels a lot of the legally required disclosure on Risk management and internal control systems is considered a waste of time and money rather than an added value. It requires resources to comply but on the other hand it forces companies to think about working on a more efficient and effective risk management and internal control structure.
Case D: Equity Analyst at Petercam
Analyst D is a first-year sell-side analyst at a top Belgian asset manager. He specializes in industrial stocks and has close relations with the top management of the firms he analyzes.
1. Most important sources of information as input for the analysis and valuation of a company
Analyst D mainly focusses on quantitative elements when analyzing a company. The annual report is the main source of information, from which the balance sheet, cash flow statement and profit and loss statement are the most important parts. The others, like the corporate governance statement for example, are read diagonally and deemed of lower importance. He also looks at specific risks to which a company is subject, such as currency risk and metal price exposures which are important for industrials. Other than this, he contacts the management of the company on a regular basis to gain a deeper understanding of how the company works. Additionally, Analyst D tries to contact other stakeholders such as important clients.
2. Knowledge of Risk management and internal control frameworks
The framework by which a company implements its risk management or internal control systems is irrelevant to analyst D. He claims this has no impact on his analysis whatsoever and is not familiar with any of them; this is outside of his area of expertise.
“I’m not aware of any legal requirements on risk management or internal control reporting, and honestly I don’t think that this is relevant to my valuation… I’m not at all preoccupied with internal control.”
3. Value and interpretation of Risk management and internal control information
Internal control reporting is not important to analyst D; he assumes that internal and external audit ensure quality internal control systems. He considers it more important to obtain good data and analyze it, rather than checking if a company’s internal control is adequate. Analyst D thinks that these disclosures could be of value to other parties, but don’t help in the financial valuation. He doesn’t question the value of risk management and internal control systems, but he does question the use of disclosing them. The single aspect of risk management which does add some value for analyst D is the specific disclosure on currency- and interest rate risk. These often have a more or less quantifiable impact on the company earnings, which are one of the most important aspects of the financial analysis of a company.
“I consider reading internal control and risk management disclosures to be like reading the terms & conditions when you buy a new car. At a certain point, you have to assume that new information won’t necessarily improve your judgment or improve the quality of your valuation.”
Case E: Financial analyst at Petercam
Analyst E is a young sell-side analyst at a top Belgian asset manager. He specializes in biotech stocks and has close relations with the top management of the firms he analyzes.
1. Most important sources of information as input for the analysis and valuation of a company
Analyst E covers biotech and pharmaceutical stocks; he states these companies are valued in a slightly other way than the companies in other sectors. Valuation is done based on the information found in the annual report, such as the balance sheet, cash flow- and profit and loss statement. A large part of the valuation process is done based on statistics, by which historic data is being extrapolated into predictors for future success of a certain project or new drug. This quantification is very technical and specific for the sector.
2. Knowledge of Risk management and internal control frameworks
Analyst E has no knowledge about any risk management or internal control framework. Even when COSO was mentioned, he had no idea. He claims that in his career, he had never ever read this kind of information in the annual report and has therefore never used it in his valuation.
3. Value and interpretation of Risk management and internal control information
Concerning internal control, Analyst E doesn’t have any use for information on the specific systems which are being used. He claims to briefly review what the external auditor publishes on this topic, but this information isn’t that valuable. Risk management is often pretty straightforward to analyst E; he claims that the companies he reviews are prone to very different risks than other companies. Companies nowadays tend to disclose no more than the legally required risk management information, which contains very little added value. Large companies might disclose more, but since I mainly cover midcap companies this is not relevant. Since this disclosure is often so limited, analyst E claims it’s not worth his time to take it into account considering there’s no value in it.
“Theoretically, I do agree that these disclosures result in increased information available to investors which is beneficiary to them, but in reality it’s not that simple.”
Case F: Independent financial analyst at Demes
Analyst F is an independent analyst with a lot of financial expertise. After previous experience as Forex dealer, financial analyst and head of equity strategy at various institutions, he’s currently managing director of his own asset management firm.
1. Most important sources of information as input for the analysis and valuation of a company
As an independent financial analyst and self-employed investment advisor, Analyst F has no access to expensive data suppliers such as Bloomberg or Reuters; he therefore relies on other sources such as research from foreign brokerage houses. Analyst F normally starts off his analysis with reviewing the activities, history and financial performance of a company to understand the company and its future potential. He claims that the financial data, especially the cash generation, are most important in his analysis. Elements like risk management systems or internal control are very difficult to assess for outsiders and are of less importance to his analysis. He also uses the analyst presentations which are made available through the company website; these give very important background information and future insights. Other important sources include financial key figures found in the annual report and the other analysts’ earnings estimates. Furthermore, analyst F is in close contact with the top management of some of the companies he follows.
2. Knowledge of Risk management and internal control frameworks
Analyst F is not familiar with the current frameworks in risk management or internal control. Specifically for internal control, he believes that companies are obligated to report on them so they would think about them. For outsiders, the quality of these systems is impossible to assess. Weaknesses will only be revealed when there is a problem.
3. Value and interpretation of Risk management and internal control information
Analyst F is aware of the risk disclosures in the annual report and actively reads these passages. He claims that this looks to be very general and focusses on the external elements on which the company has no grip and how it deals with these risks. To assess them, analyst F consults outside sources such as customers or suppliers, not the company itself. In his opinion, companies will tend to publish as little as legally required since disclosure means giving up confidential information. He doesn’t focus too much on elements like risk management and internal control disclosure since this doesn’t add a lot of value and you risk losing the view on the main elements. Analyst F claims that all of the non-financial elements are so diverse that the company can in fact tell investors what they want to hear; this reduces the informational value of this kind of information.
Case G: Independent financial analyst
Analyst G is a seasoned professional with both a background in audit at a ‘Big 4 audit company’ and financial analysis. He currently works on an independent basis, offering his expertise and wealth management services to his own clients.
1. Most important sources of information as input for the analysis and valuation of a company
For his analysis, Analyst G mainly uses information from the annual report. For Belgian clients he also occasionally consults ‘company web’ which gives you a more accessible overview of some information. Even though most of his valuation is based on quantitative information, he also takes into account qualitative information such as the quality of the management, the past performance of companies in terms of reaction speed to new trends on the market. Most of this information is also extracted from the annual report. The report of the external auditor is also reviewed by analyst G, which is quite an important document.
2. Knowledge of Risk management and internal control frameworks
Analyst G considers the COSO framework to be the best framework, or at least the most used one. He has a good understanding of the framework and its main concepts for risk management as well as for internal control. Analyst G states that a common standard of framework for both these areas (for example: everyone adopting COSO) would be beneficial for the market. This single dominant design would make comparison easier, which is actually the goal of a framework according to analyst G.
3. Value and interpretation of Risk management and internal control information
According to analyst G, these disclosure requirements certainly have their use. They encourage companies to actually think thoroughly about what risks they incur, both internally and externally. The disclosure is also important because if a company has to deal with large risks, it obviously has a large impact on the investment value of the company.
8.3 Cross Case Analysis
8.3.1 Sources of information for financial analysis
If we take a look at the 7 cases, we can spot a few obvious trends here. Every financial analyst who was interviewed indicated they used roughly the same sources of information upon which they perform their analysis and valuation. The most prominent one, which was mentioned by every participant, is the annual report. According to every analyst, the annual report is the base document from which most of the information was extracted. The analysts tend to focus on the three core financial documents, namely the balance sheet, cash flow- and profit and loss statements. These standardized documents contain almost exclusively quantitative information, which is easy to use during an analysis or when constructing a valuation model. The exact construction of these valuation models is kept secret by the analysts and the company they work for; they couldn’t disclose exactly how their models worked and how they processed the input into an actual company valuation. As most analysts indicated, this is an indispensable piece of information and by far the most important input for the financial analysis of a company. They’re also easy to access since the annual report of a quoted company is available for free to every (potential) investor. The second most important source of information used by analysts is direct contact with the company management. Five of our seven analysts indicated that they contact the management on a regular basis to obtain extra information or to ask them specific questions. Most analysts indicated that this direct relationship with the company is something they truly value and which often leads to a better insight into the company’s activities. Contrary to the annual report, this source of information is not accessible to everyone. Besides these two main sources of information, some analysts indicated that they also perform their own research. Three of our seven analysts mentioned that they actively do their own research and look up information which is not provided by the company itself. Factors which are investigated include the market size, industry segmentation, pricing aspects or an assessment of the management quality. This information is obtained by interviewing other stakeholders such as clients or suppliers as well as by using third party research. Two analysts said they also actively value whether the company has hit its earnings targets in the past and whether they beat analysts’ expectations or not. For quoted companies, beating estimates or missing them is a big deal which can have a substantial impact on the stock price. Other elements which were important to analysts appeared to be more industry specific. In the biotech and pharmaceuticals industry for example, analysts heavily rely on statistical probabilities of failure. This is based on extrapolation of historic data and this is simply not feasible or useful in other sectors. In other sectors such as the real estate sector, companies often invite their investors and analysts covering the company to investor days or other company events. This gives them a chance to get a better feel for the company and to interact with middle management. The fact that most of the input for the company valuation should come as no surprise. As we have seen in the literature study, nearly all of the valuation techniques used are solely based on quantitative data, of which most are easy to find in the annual report. Analyses performed by professionals are more elaborate and include other elements such as a technical analysis. This technical analysis however is left out of this discussion since this is outside of the scope of this paper.
8.3.2 Knowledge of risk management and internal control frameworks
While frameworks on risk management and internal control have been around for many years and have gained acceptance in the corporate environment, it’s still strange to see that most of the analysts have never heard of them or couldn’t name a single one. Since companies are legally required to dedicate a chapter of their annual report to risk management and internal control procedures, we would assume that reading these is part of the analyst’s due diligence. The majority of the analysts consider this outside of their area of expertise and admit not knowing or caring about it. They indicated that this type of qualitative information is not easy to implement in their valuation models and not a differentiation factor between companies. Some analysts claim that companies only disclose their frameworks on risk management and internal control information to comply with legal requirements. According to them it has almost no real value to them and isn’t useful in determining a company’s value. Two analysts indicated that these disclosure requirements are useful since they force companies to think about their risk management and internal control structures so they can improve their effectiveness. None of the interviewees challenged the usefulness of risk management and internal control systems to a company, but these are seen as internal functions of the company. They argue that it’s hard for external parties to assess the quality of these internal functions, and therefore they can’t properly value them or include them in their analysis. In two cases however, analysts reported being aware of the frameworks and having a basic or more profound knowledge of them. They spontaneously mentioned COSO as a framework for risk management and internal control. One analyst knew what COSO was and explained that he remembers it from his previous function as an internal auditor. He did however admit that as financial analyst, he didn’t deem the disclosure of the framework which a company used to be an important element in his analysis. The other analyst was fully aware of the existing frameworks and demonstrated a profound knowledge of COSO. He claimed this is the standard framework used in the industry. This knowledge is maybe attributable to the fact that he is a certified auditor and has previously worked as a manager at the auditing department at PwC, which requires a profound understanding of internal control and risk management. It’s baffling to see that the knowledge and awareness about risk management and internal control frameworks by analysts is rather limited. Seeing that the majority of the interviewees admitted that they’ve never heard of them, we can assume that the framework used is not deemed important in the valuation of a company by analysts. The only 2 analysts who did acknowledge the risk management and internal control frameworks have a background in either auditing or internal auditing. We can’t be certain that this is the reason they are familiar with these frameworks but it’s certainly a possibility. Since even the analyst who arguably had the best knowledge about risk management and internal control didn’t consider the disclosure of the framework to be relevant information for financial analysis, we can conclude that analysts don’t take this into account.
8.3.3 Perceived value of disclosure of risk management
The analysts’ perception of the disclosure of risk management is a little more ambiguous. Some analysts value the company’s disclosure of their exposure to different kinds of risks, since this gives them a simple overview of what external factors might influence the company’s results. Another argument is that the (mandatory) disclosure of such information should convince companies to at least think about their environment and the risks to which they are prone. This could strengthen the risk management systems and risk awareness in general, but generally won’t affect the analyst’s valuation of the company. Most analysts admitted that this kind of information is rarely used as an input for their analysis. Some of our interviewees mentioned that they only follow a limited number of companies and therefore have a pretty good idea of the risks to which a specific company is prone. Consequently, for these analysts the disclosure of specific risks and how the company deals with them is of lesser value. Some analysts indicated that they do check major risk factors of a company and how these are being dealt with. The biggest concern here appears to be the direct impact on the bottom line. The risks most frequently mentioned include commodity price risk, currency risk and interest rate risk, which should not be considered a surprise since these are relatively speaking the easiest ones to quantify and integrate into the existing valuation models. Again we have to note that if this information is taken into account, the impact on the final valuation won’t be that substantial. Other analysts declared that they don’t value this kind of information at all and consider it irrelevant to their analysis. They tend to focus more on the core financial aspects and focus their energy on analyzing the quantitative data which they can access. The fact that this information is often hard or impossible to quantify is one of the main reasons why these analysts don’t consider this information valuable. We can state that the disclosure of risk management information will probably not have a large influence on the valuation of a company by a financial analyst. As we already mentioned during the part on risk management frameworks, some analysts consider the disclosure of this type of qualitative information to be hard to interpret and implement in their analysis. Most disclosures of risk management information are often too general and limited to the legal requirements.
8.3.4 Perceived value of internal control information
The disclosure of internal control information is of no real value to most of the interviewed analysts. The most commonly heard argument is that internal control is a part of the internal operation of the company and this is not really verifiable. This makes it difficult to assess the quality of the internal control systems. Most analysts consider the system of internal control useful in a company but the disclosure is not an element which is considered important or useful in the valuation. Some analysts argue that this disclosure is only done to comply with the legal requirements rather than to inform investors or analysts. This begs the question whether it’s useful for companies to still report on internal control, since it would only bring extra costs to the companies and won’t significantly impact their valuation. A few analysts argue that the legal disclosure requirements raise corporate awareness and stimulate companies to think about it and improve it where necessary. In general, the sentiment on internal control disclosure was rather negative. Most analysts agree that it does not impact the valuation of the company and it poses an extra cost to the company to prepare these statements and hire the external auditor for verification. A couple of analysts even suggested that putting this kind of information in the annual report renders this important source of information into a hefty document which becomes increasingly filled with clutter. US firms are currently only required to disclose internal control procedures related to financial reporting (Sarbanes Oxley 2002) and not concerning effectiveness and efficiency of operations, though this might be useful information to investors and analysts. Including this type of internal controls, as defined by COSO, could maybe increase interest of analysts in internal control disclosures.
8.4 Conclusion
After carefully analyzing these interviews, it was obvious there were some remarkable trends present in the responses. First of all, the sources which analysts used for their analysis were roughly the same. Much of the analysis was based upon the information found in the annual report, especially the quantitative information found in the balance sheet, cash flow statement and profit & loss statement. Analysts claimed that this information was easy to process and they were able to easily analyze it by using models. This is consistent with the findings in our literature study, which stated that most of the company valuation was based on mathematical formulas, used in corporate finance. The analysts also indicated that they take a lot of these quantitative methods and combine them into a model. They didn’t want to elaborate on the exact construction of this model since this was considered proprietary information, but some did state this was nearly solely based on quantitative input. The qualitative information, such as the disclosure of risk management and internal control information, was considered to be less important to analysts for multiple reasons. First of all, it was hard to integrate into the existing models since the data is not easy to quantify. The disclosure of risk management and internal control information is also hard to compare between different companies. This is where the frameworks could come in handy but as we discovered, most analysts were not even familiar with them. The fact that they have no knowledge of the systems or most widespread framework gives us the suspicion that the disclosure on risk management and internal control information is not deemed relevant and is neglected by the analysts. The only two subjects who were familiar with the COSO (or any other for that matter) framework admitted that this was because they had a background in audit and that they didn’t include these disclosures in their analysis.
The influence of the disclosure of risk management and internal control information besides the framework used was less concordant. Some analysts claimed they did value this kind of information in some way and considered it useful information. Unfortunately, none of them explicitly said how or to what extent this had an impact on their valuation. The other analysts explained straightforwardly that this didn’t play a role in their valuation and that they didn’t pay attention to it. All analysts however seemed to agree that risk management and internal control were useful systems for a company which added value. Some claimed that forcing companies to report on those systems would encourage them to think about it more thoroughly and in this way improve them. This statement was previously made by Linsley and Shrives (2000) and our interviewees appear to support this theory. The second advantage we found during the literature study was reported by Dobler (2005) and Healy and Palepu (2001). They concluded that reporting on risk may decrease the firm’s risk premium demanded by the investors and decrease the firm’s cost of capital. The interviewed analysts appeared to be more sceptical towards this statement. They accepted the theoretical premise but were not sure whether this would also be the case in practice. The fact that most analysts admitted not paying that much attention to risk management disclosures and that some even admitted not including them in their analysis at all, makes us question the findings by Dobler and Healy & Palepu.
The interpretation of internal control information disclosure by our analysts was more one-sided. Most of them agreed that these disclosures were not really valuable to their analysis. They considered internal control outside of their area of expertise. Some of them did feel however that the reporting requirements served as an incentive for companies to think about their internal controls and encouraged them to improve upon them. This seems to confirm the findings in the study of McMullen (1996). Deumes (2008) found that reporting on internal control enables investors to more efficiently monitor management. This reduces the information risk as well as the agency problems with which investors are often confronted. These findings appear to be contradicted by our results, since our research suggests that disclosure of internal control information does not influence the valuation of a company at all. This could mean that reporting on internal control doesn’t really reduce the information risk or not sufficiently for investors (and analysts) to consider the disclosure of internal controls as a way to more efficiently monitor management.
9. General Conclusion
The literature study showed us that risk management and internal control are 2 important processes which can contribute to the internal functioning of a company. Over the last decades, these functions have been the subject of a lot of research and have evolved to more formal processes. To meet the demand for comparability and basic structure, frameworks were introduced for the implementation of risk management and internal control systems. The dominant design in these areas is by far the COSO framework, which has been accepted as the standard and is currently being used as such by the majority of large companies.
Partly due to (corporate) scandals, stakeholders demanded more elaborate corporate governance mechanisms to be put in place. Lawmakers responded to these needs by imposing new legal requirements concerning these subjects. In Belgium this resulted in the Corporate Governance Code (2009), while in the US the Sarbanes-Oxley act was enacted in 2002. These new legal requirements forced companies to implement certain risk management- and internal control systems and report on their functioning. Previous research has indicated that risk disclosure may decrease the company’s cost of capital by reducing the information asymmetry between stakeholders and the company, which in turn leads to a lower required risk premium. Several researchers also concluded that the obligation to report on risk urges companies to more actively manage their risks. Similar effects were found when investigating the influence of mandatory internal control disclosure.
Since financial analysts are a main provider of advice and company valuations to potential investors, we wanted to determine the impact of risk management and internal control disclosures on their valuation. For our own empirical research, we interviewed seven financial analysts, compared their interpretation of risk management and internal control information and determined the impact it had on their evaluation.
The first conclusion is that analysts tend to focus on quantitative information and that the corporate governance statement, in which both risk management and internal control information is found, is not deemed an important input for their valuation. They use proprietary models which are based on some of the company valuation methods described in the final part of the literature study. The information disclosed on risk management and internal control is hard to implement in these models, since it’s often hard to quantify.
Secondly, we found that analysts are not familiar with frameworks for risk management or internal control. We can therefore conclude that during their analysis, they do not take into account the framework used for risk management or internal control. A possible reason for this is that these frameworks haven’t been around for very long. The oldest COSO framework on internal control was published in 1992, the oldest on risk management in 2004.
Thirdly, our research showed that analysts do think risk management and internal control have value, but most of them consider these two processes to be part of the internal functioning of a company. The disclosure of risk management and internal control information therefore is not very valuable to them. Half of our respondents indicated they don’t include risk management disclosure in their analysis at all, others claimed these elements are being taken into account but they have a very limited impact. The most important disclosures are those concerning currency risk and interest rate risk, since these are more or less quantifiable. The impact of internal control information disclosure on the analysts’ valuation is negligible.
These results are not in line with our expectations based on the previous research done on this subject. While other studies indicate that the disclosure of risk management and internal control information is valuable, we found that analysts don’t take this kind of information into account. The influence of these factors on their valuation is limited and this raises some questions. Financial analysts have a big influence in the pricing of companies, since their analyses are used by a lot of individual and institutional investors. If they don’t see the value, one could wonder why these disclosures are advantageous to companies.
If we look at the discussion of legal versus voluntary disclosure, our research suggests there is no reason why companies would disclose more information than necessary. If there is no value in this, companies will stick to reporting the legal minimum to avoid additional disclosure costs. One possibility is to increase the legal requirements in this area, but previous research pointed out this could lead to a lower company value due to additional compliance and disclosure costs. Lawmakers and professionals could work together to find out which specific disclosures could be deemed valuable to investors (and analysts) so that they’re not done in vain. A common standard such as the COSO framework could play a crucial role here.
This is definitely a point worth investigating in the future and this discussion should also be followed by lawmakers and organizations such as COSO. Additional risk management and internal control disclosure should be mandatory since currently it adds no value and therefore there’s no incentive for companies to voluntarily disclose.
Bibliography
Beasley, M. S., Clune, R., & Hermanson, D. R., Enterprise risk management: An empirical analysis of factors associated with the extent of implementation. Journal of Accounting and Public Policy, vol. 24, no. 6, 2005, 521-531.
Belgian Corporate Governance Code, 2009, URL: (15/02/2014).
Belgian Law of 06/04/2010 reinforcing corporate governance, Belgisch Staatsblad, April 23 2010, p. 22709-22719.
Beretta, S., Bozzolan, S., A framework for the analysis of firm risk communication, The International Journal of Accounting, vol. 39 (2004), 265-288.
Bungartz, O., Risk Reporting – Anspruch, wirklichkeit und systematic einer mfassenden risikoberichterstattung deutscher unternehmen, 2003.
Colquitt, L. L., Hoyt, R. E., & Lee, R. B., Integrated risk management and the role of the risk manager. Risk Management and Insurance Review, vol. 2, no. 3, 1999, 43-61.
COSO Internal Control – Integrated Framework, 1992, URL: < http://www.coso.org/documents/Internal%20Control-Integrated%20Framework.pdf > (15/02/2014).
COSO Internal Control – Integrated Framework, 2011, URL: < http://www.coso.org/documents/coso_framework_body_v6.pdf > (15/02/2014).
COSO Internal Control – Integrated Framework, 2013, URL: (15/02/2014).
COSO Enterprise Risk Management – Integrated Framework, 2004, URL: < http://www.coso.org/publications/erm/coso_erm_executivesummary.pdf > (15/02/2014).
Deumes, R., Corporate risk reporting: A content analysis of narrative risk disclosures in prospectuses, Journal of Business Communication, vol. 45, no. 2, 2008, 120-157.
Deumes, R., Knechel, W.R., Economic incentives for voluntary reporting on internal risk management and control systems, Auditing: A Journal of Practice and Theory, vol. 27, no. 1, 2008, 35-66.
Dobler, M., How Informative Is Risk Reporting? A Review of Disclosure Models, Munich school of Management, 2005.
Dobler, M., Incentives for risk reporting – A discretionary disclosure and cheap talk approach. International journal of accounting, vol. 43, 2008, 184-206.
European Parliament and Council, Directive 2006/46/EC, 2006.
European Parliament and Council, Directive 2003/51/EC, 2003.
FCPA Act, 1977, URL: < http://www.fas.org/irp/crs/Crsfcpa.htm >
Fernàndez, P., Company valuation methods. The most common errors in valuations. Working paper, 2007.
Fischer, T. M., Vielmeyer, U., Analyse von Risk disclosure scores. Zeitschrift für international und kapitalmarktorientierte rechnungslegung, vol. 4, no. 11, 459-474.
Golshan et al., Risk management, performance measurement and organizational performance: A conceptual framework, 2012.
Hampton, John J., 2009, Fundamentals or Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure and Seize Opportunity.
Healy, P. M., Palepu, K. G., Information asymmetry, corporate disclosure, and the capital markets: A review of the empirical disclosure literature. Journal of Accounting and Economics, vol. 31, no. 1–3, 2001, 405−440.
Hermanson, D. R., Lapides P. D., Lu, W. What Internal Auditors Should Know About Corporate Governance. Internal Auditing, September / October edition, 2000, 9-12.
Jorgensen, B. N., Kirschenheiter, M. T., Discretionary risk disclosures. The Accounting Review, vol. 78, no. 2, 2003, 449−469.
Kajüter, P., Risk Disclosures of Listed Firms in Germany: A Longitudinal Study, 2004 (unpublished working paper).
Kajüter, P., Risikoberichterstattung: Empirische Befunde und der Entwurf des DRS 5, Der Betrieb, no. 3, 2001, 105-111.
Kleffner, A. E., Lee, R. B., & McGannon, B., The Effect of Corporate Governance on the Use of Enterprise Risk Management: Evidence From Canada, Risk Management and Insurance Review, vol. 6, no. 1, 2003, 53-73.
Lang, M. H., Lundholm, R. J., Corporate disclosure policy and analyst behavior. The accounting review, vol. 71, no. 4, 1996, 467-492.
Linsley, P. M., Shrives, P. J., Risk management and reporting risk in the UK. The Journal of Risk, vol. 3, no. 1, 2000, 115−129.
Linsley, P., Shrives, P., Risk reporting: A study of risk disclosures in the annual reports of UK companies. The British Accounting Review, vol. 38, no. 4, 2006, 387-404.
McKinsey & Co, Koller, T., Goedhart, M., Wessels, D., Valuation: Measuring and Managing the Value of Companies, 5th Edition. 2010.
McMullen, D. A., Raghunandan, K., Rama, D. V., Internal control reports and financial reporting problems. Accounting horizons, vol. 10, no. 4, 1996, 67-75.
Pagach, D., & Warr, R., The Effects of Enterprise Risk Management on Firm Performance, 2010.
Sarbanes-Oxley act: Section 302, 2002, URL: (15/02/2014).
Sarbanes-Oxley act: Section 404, 2002, URL: (15/02/2014).
SEC Final Rule: Management’s Report on internal control over financial reporting and certification of disclosure in exchange act periodic reports, 2003, URL:
Solomon, J. F., Solomon, A., Norton, S. D., & Joseph, N. L., A conceptual framework for corporate risk disclosure emerging from the agenda for corporate governance reform. The British Accounting Review, vol. 32, no. 4, 2000, 447−478.
The Institute of Internal Auditors, Sarbanes-Oxley Section 404: A guide for management by internal control practitioners, 2008, URL:
Verrecchia, R. R., Discretionary disclosure. Journal of accounting and economics, no. 5, 1983, 179-194.
Woods, M., Reber, B., A comparison of UK and German reporting practice in respect of risk disclosure post GAS5, at European Accounting Association Conference, Seville, April 2003.
Appendix
Appendix 1: List of questions for interviews
During your analysis, what sources of information do you use? (in short, as introduction)
  o Quant. Data (Bloomberg, Reuters etc.)
  o Annual Report
      Which parts specifically? What are the most relevant passages?
      Besides the quantitative data (P&L, BS, CF) what other information is deemed relevant? Do you take into account Industry description, the company’s risk profile, and risk management system disclosures, internal control information disclosure…?
  o Press releases
      If non-financial, how are these analyzed? E.g.: new business opportunities, how are these evaluated?
      If financial, are they simply inputted into models?
Does your analysis and valuation include a lot of non-quantifiable elements?
  o Risk information
  o Risk management systems
      Familiarity with frameworks (e.g. COSO) and their implications?
      Most important elements
      Legal requirements: Aware of requirements? Opinion? Too elaborate/narrow?
  o Internal control systems
      Familiarity with frameworks (e.g. COSO) and their implications?
      Most important elements?
      Legal requirements: Aware of requirements? Opinion? Too elaborate/narrow?
      What about deficiencies: What’s the implication and repercussion on your analysis? How do we value this?
  o How do you perceive the disclosure of this kind of information in general?
      Do you feel that the more a company discloses, the better (provided it doesn’t include huge downside risk)?
      Do you consider the information to be valuable in its content, or is it more seen as a way of complying with regulation.
      What motives do you see for a company to disclose more information on their systems?
Would an increase in regulation in this field significantly help you in your analysis?
Is it in your opinion valuable to force companies to publish this kind of information or would it be better to enable companies to do this on a voluntary basis as a sign of ‘goodwill’?
Do you see any disadvantages to increasing regulation on the disclosure of risk management and internal control information?
Appendix 2: Interview Request sent to analysts
Subject: Interview request
Dear Sir …
As part of my master thesis at Universiteit Gent, I am still looking for financial analysts who are willing to take part in my research. The research, supervised by Prof. Dr. Sarens, focuses on the disclosure of risk management and internal control information by companies and its interpretation by financial analysts. Would you be willing to cooperate and make yourself available for an interview (by telephone if need be)? The interview would take at most half an hour of your time, but would add great value to my master thesis. If you are willing to cooperate, please pass on a few dates that fit your schedule and I will fully adapt to them. You can reach me via email or on the number +32496961353. Thank you in advance. Kind regards,
Dries De Craemer
Master in Business Engineering: Finance
Universiteit Gent
Appendix 3: Interview Transcripts
Interview 1: Herman van Der Loos (Petercam) Analyst A Dries: U bent gespecialiseerd in de vastgoedsector, in het analiseren van dergelijke bedrijven, waar haalt u dan voornamelijk uw informatie? VDL: Het grootste deel van de relevante informatie wordt natuurlijk uit het jaarverslag gehaald, maar ook ons persoonlijk contact met de bedrijven is hierbij zeer belangrijk. Bij alle cijfers wordt er een persbericht gepubliceerd, voor de jaarcijfers is dit natuurlijk een uitgebreider persbericht. Het jaarverslag komt enkele maanden later, is een stuk dikker en bevat veel nutteloze informatie zoals foto’s en brol die moet verschijnen door de wetgeving. En ook bijkomende informatie. Dus vooral dit jaarverslag is zeer belangrijk. Er zijn ook cijfers die niet schriftelijk worden vrijgegeven, dan bellen we het bedrijf op of gaan we op bezoek bij het bedrijf. Ze organiseren ook vaak investor days, waarbij het bedrijf 1 à 2 keer per jaar ons uitnodigt en dit vooral behandelt als een PR event. Daar worden ook relevante (constructie/fabrieks-)sites bezocht en wordt ook toegang tot het middle management gegeven wat altijd interessant is, omdat we doorgaans communiceren met investor relations afdelingen van grote bedrijven of bij kleine bedrijven met de CEO/CFO. Ook country managers stellen zich op zo’n events beschikbaar. Dries: Dus tijdens de analyse houdt beperkt u zich niet enkel tot de kwantitatieve informatie en het cijfermateriaal dat u voorgeschoteld krijgt? VDL: Onze job is kwantitatief natuurlijk, we proberen ook alles te objectiveren en modelleren. In deze modellen brengen we ook onze toekomstvisie en onze assumpties in. Deze modellen geven ons dan een algemene output, maar hierbij komt ook een zekere feeling kijken. Stel dat 2 bedrijven eenzelfde dividend yield geven, moet er ook gekeken worden naar andere factoren en mogen deze niet als gelijk beschouwd worden. 
The view of the future is important here, and in many cases it is subjective and based on qualitative data. The quality of the earnings and cash flows is very important.
Dries: Do you also take other factors into account, such as a company's risk management system or its position within a particular sector?
VDL: In most cases companies are first and foremost assessed by an external auditor; at the companies I mainly cover, commodity and exchange rate risks are rather limited. One must also bear in mind that 'the value' of a company does not exist; one analyst will assess it differently from another. In the real estate sector this is rather limited, since in many cases 95% of the assets are valued each quarter by an appraiser in a standardised way. Our room for manoeuvre is therefore limited in this case and there is less of an interpretation effect; the risks lie differently. The diversification of such a company's portfolio is something that is looked at a lot in that sector, and where interpretation by an analyst does become relevant again. Risk is often very hard to objectify with figures because of its high degree of uncertainty; here assumptions are again important.
Dries: Are you familiar with the frameworks that companies use for risk management procedures? We find that the COSO framework is used most often; are you familiar with it, or does it send a positive/reliable signal to you?
VDL: No, I am not familiar with it; for me this is a bit of a black box. Many companies do include in their annual accounts what the biggest risks are to which they are exposed, and some also indicate the impact of such risks. For example, if the interest rate rises or falls by 1 percentage point, the effect on our earnings per share will rise or fall by a certain amount. Again, this is easier to calculate for one company than for another.
In the real estate sector this is obviously simpler than in a more diversified (industrial) company. We cannot really find out more than what is stated there; this belongs to a company's inner workings and it is hard for us to make estimates about it if this information is not given.
Dries: We find that companies also often devote a passage of their annual accounts to the disclosure of their risk management frameworks and also to their internal control system. Do you read these passages and to what extent do you involve them in your analysis?
VDL: Yes, those passages are indeed there and they are read. However, I rely more on other data such as (quantifiable) operational and financial data. It is part of our job to appraise risk, and certainly since we have been following the various companies for several years, we have a good idea of the risks to which a company is exposed. Whether a company is, for example, reliable in terms of estimates and outlook, whether there is a lot of fluctuation and volatility in its earnings as a result of certain external factors (as a result of risks borne): these are factors that are taken into account in the valuation. Knowledge of the sector and experience in it are also very important here.
Dries: Specifically on risk management and IC disclosure: what do you think of the legal requirements in this area? Could an increase in the requirements mean extra useful information for you?
VDL: An annual report often starts with risk factors; this analysis is often already very nicely worked out.
Dries: True, but a company is also obliged to report specifically on the systems that are used. This part is found in the corporate governance statement.
VDL: The corporate governance statement in itself contains little useful information for us; for me it is a very formal statement that every company words in more or less the same way and that simply covers what the law imposes. To be honest, I do not look at these passages.
Dries: So whether a company were to publish more or less information on this would make no difference to you in your analysis?
VDL: No, it would make no difference.
I find it nice to know that there are corporate governance systems, both for risk management and for internal control, but that is as far as it goes. As with many elements in this CG statement, I take it as given but do not look for anything further behind it; I really do not care who the compliance officer is or how much Mr x or y earns per year as non-executive chairman.
Dries: And the passages on RM and IC are therefore also regarded by you as not relevant?
VDL: If the law imposes even more general requirements, in my opinion this will only increase the cost of listing for companies and create no real added value for investors or analysts. Just because the legislator imposes all kinds of obligations does not mean that investors are better off. As a professional I do not look at such information; I assume that an investor will not do so either. I think the future will be such that there will be more openness, as with funds. There will be more communication in plain language by means of clear reports. Many companies are less open than they used to be; the reports have become thicker and there are more obligations, but I myself have the impression that less relevant information gets through. To give just one example from the real estate sector: a valuation per property is no longer disclosed, whereas this was genuinely useful information. That could supposedly reduce negotiating power, but this is "B*llshit". It used to be customary for companies to publish their projections for the coming 3-4 years; there are companies that still do this, but some limit themselves to just the coming year. This is a pity, because those people are able to make the most educated guess in this area. I find that the costs of listing only keep increasing due to additional disclosure obligations, without this leading to many new interesting insights.
Smaller companies often have a hard time with all those obligations; large multinationals naturally have less trouble with them. New prospectuses, for example, sometimes contain 300 pages of information, of which perhaps 40 contain really useful information. I find that communication has certainly not improved over the years compared with the past.
Dries: Nevertheless, we find that some (mainly larger) companies disclose even more information than legally required. In the passages on risk management and internal control, the applied frameworks and systems are sometimes discussed at length. In your opinion, does this then have added value for analysts?
VDL: The initial reaction, mainly among younger analysts, will probably be that this gives a certain feeling of security, but this must not be an illusion either. In some sectors this may perhaps be handy, certainly in those subject to many and diverse kinds of risk because of very volatile markets. But more reporting and more openness will not lead to less risk for the investor in these kinds of sectors; this does not alter the fact that the underlying activities remain inherently risky. A properly functioning system for dealing with risk is rather regarded as a matter of course. I do not feel better off because of this overflow of information; it simply becomes a cacophony. Certain very important information is, for example, hidden in the notes to certain sections, where it is virtually impossible to find without asking the company itself where it is.
VDL: Specifically for the risks and risk management procedures, we are actually moving towards a system in which the big competitors simply look at how and what the other reports, and this information is subtly reworked. This yields no added value for investors. In this way the information about certain risks becomes completely superfluous. I take a very sceptical stance towards this kind of obligation from the legislator.
I maintain that both companies and the legislator would benefit more from a less extensive annual report written in simple plain language, so that it becomes more accessible to everyone.
Dries: From the academic world it emerged that disclosure leads to lower information asymmetry and a lower cost of capital, so there would indeed be value in this for companies?
VDL: A company will make the effort for such disclosures and make the necessary efforts in this regard because it wants to raise capital in the market. This is the biggest motivation for making such disclosures. Where I do see that disclosure of risk management can be improved and become valuable is in the contact between analysts and companies on a personal level. As analysts we have, as mentioned earlier, good contacts with management; this is built up over the years and is not so self-evident for a junior analyst, for example. If companies open up more to analysts in this way, even in terms of risk management and internal control, this could indeed yield useful information.
Interview 2: Geert Van Herck (Leleux associated brokers) Analyst B
Dries: What are the fundamental data used in your analysis, how are they processed and how do you deal with information that is disclosed regarding risk management and internal control?
GVH: As an analyst you look first of all at quantitative data such as revenue development, EBITDA, operating profit, margins, and certain extreme cases that can explain large swings. Specifically on risk management, with commodity companies, for example, we check whether they are hedged against certain market risks such as commodity prices, because these are typically quite volatile. This hedging is also important for companies that depend heavily on commodity prices as an input; think of silver prices at AGFA or kerosene prices at the airlines. In that respect one does want a certain view of this, so that we can see which contracts are bought when relative to the market price, in order to check what the impact of price fluctuations on the profit situation may be. In that form, risk information is indeed taken into account. However, I do not go looking specifically at every company for which risks are hedged in which way. We need to get a view of what a company does, which markets it serves, what the input costs are and how they are hedged.
Dries: So you look specifically at the companies' policies regarding these risks? In the annual report, for example, a section is devoted to the publication of risk management and internal control; do you look at these passages and what information do you get from them that is relevant to your analysis?
GVH: I do not take into account purely the RM and IC systems that a company puts in place.
Dries: Do you know the standards relating to these systems? Have you, for example, heard of the COSO framework?
GVH: Uh, no, I have not heard of it.
Dries: This framework is the one most often used by companies for their risk management and internal control operations. May I conclude from this that you do not take the disclosure of such information into account?
GVH: It is perhaps important to distinguish between fundamental analysts and technical analysts; 95% are fundamentally inspired. Personally I try to use a mix of both; from some information the trends are very important. Often the figures may well be bad; as long as the share prices stay at an acceptable level I do not have many problems with it. When I analyse a company, I more often dare to give preference to the technical over the fundamental. In that respect I look less in the annual accounts for in-depth information about, for example, risk management and internal control.
Dries: So you rely mainly on quantitative elements?
GVH: Yes.
Dries: Qualitative information therefore plays a lesser role?
GVH: I do go over it sometimes; for example, since the financial crisis companies tend always to include in their communication parts about their net debt or outstanding bonds that have to be refinanced.
This interest rate and financing risk then does become interesting to look at. I do not go further into the risk analysis specifically.
Dries: And in terms of internal control, do you take the disclosure of such information into account?
GVH: I do not take it into account. The legislation imposes rules, structures and obligations that must appear in the annual report, but if you look at it, this leads to a gigantic document that contains a lot of information that is useless for our analyses. I go through the parts on corporate governance very quickly; they contain little information.
Dries: So you actually regard the regulation as somewhat superfluous in these areas, since it does not really lead to added value in your analysis?
GVH: I think the need for regulation arose somewhat after the crisis of 2007-2009. Investors were then asking for more openness and information, and the government follows that, but in the end you notice that when the crisis passes, at least when the fear ebbs away, less attention is paid to this. The initial demand to get more insight into the risks and the like diminishes over the years.
Dries: OK, so at the moment you regard it as less interesting information from the annual accounts?
GVH: I am neutral towards it, but personally I will never go looking for it or attach much importance to it for my analyses. I take the risks mentioned earlier into account to a limited extent, but not really most of them. It seems logical to me that every company is exposed to risks such as a slowdown of the world economy or exchange rate fluctuations.
Dries: Do you then see a reason why some companies publish more than others? Especially since in your opinion little account is taken of it? Some go further than necessary.
GVH: In my view it also has something to do with companies' public relations strategy.
A company wants to gain the investor's trust by disclosing all kinds of information that was not released before. The crisis was partly caused by failing risk management structures, so to cover itself a company will make sure that it performs well on this. The same applies to the more recent controversy about the high bonuses and remuneration of top CEOs; much more is disclosed about this in the corporate governance statement than before, but its real added value for analysts is minimal. It is perhaps an attempt to reduce the aversion that investors have towards companies and their wild capitalism.
Dries: The literature actually shows that the disclosure of such information should lower the information asymmetry between investor and company, which leads to lower uncertainty among investors, which in turn results in a lower cost of capital. Does this theoretical advantage also have an effect in the real world?
GVH: It could be, in the case of efficient markets, that the more information is available, the more of it is incorporated into share prices. That it would actually lower a company's WACC seems very unlikely to me. If a company does very well on the stock market, the fundamental underlying factors will mainly be better than at its main competitors; I think the disclosure of RM and IC information plays little role in this. The psychological effect of such legislation must not be overlooked either. When everything is going well on the stock market nobody will care, but with serious corrections, bubbles or cases of fraud, voices will automatically be raised to tighten regulation. I think the disclosure of RM and IC information has also to a certain extent become regulated and come into being because of this. Both systems undoubtedly have their use; I only doubt whether it is actually useful to report on them. In practice, people who are involved in and work with this will attach little value to it. It has very limited added value.
Interview 3: Marc Leemans (Bank Degroof) Analyst C
ML: For companies with a lot of trading, such as banks or commodity traders, I would look into risk management and internal control structures, but then again, I myself worked in internal audit for a while, and writing out such procedures is one thing; actually carrying them out and checking them is quite another matter. To say that I compare between companies what is said about internal control and RM would be an exaggeration, but I do take it into account in my valuation.
Dries: What kind of information do you mainly use for your analysis and what kind of analysis do you carry out?
ML: I am more of a fundamental analyst; I carry out in-depth analyses based mainly on quantitative data. These come mainly from the well-known sources such as Bloomberg and Reuters, but mainly from the annual report of the companies themselves.
Dries: Which passages of the annual reports do you mainly focus on, besides the balance sheet, CF and P&L?
ML: I often also consult the segment and industry information, after the main key financial figures of course. The breakdown of the business along various lines, whether geographical, strategic or by division, gives a nice picture of the company; how the margins vary across these parts, for example, can always yield useful information. Specifically with regard to risk management this also leads to interesting insights, for example when we look at which risks a company is exposed to and how it deals with them (e.g. exchange rates of different currencies, which ones are hedged, etc.). If they are given, I also often look at volumes and prices, and also at the part on financing, interest hedges of specific loans.
Dries: Do you mean rather the corporate policy of companies on how they cover their interest rate risks?
ML: No, I mean rather the hedging of individual large loans.
We mainly learn about companies' policy on hedging interest rate risk from conversations and discussions with management, to whom we as analysts are very close.
Dries: Press releases and the like, do they contain much relevant information for you?
ML: On the one hand the quarterly results, certainly whether or not the forecast for revenue, profit and growth expectations is met, are very important inputs for our valuation models. Those results and any outlook that management gives are regarded as very interesting. Our sell-side analysts also make their own estimates of these figures, so whether or not these figures are met is very important.
Dries: Specifically on risk management and internal control, are you familiar with the frameworks that companies use to implement their systems, such as COSO?
ML: I have a very elementary knowledge of COSO; I know vaguely what it involves and I know that it is the most used framework.
Dries: Certain disclosures are legally required, such as stating which framework is used. When you read this information in the annual accounts, do these data influence your valuation of the company? Is this quantified?
ML: My feeling is that this is not something that market practitioners go into deeply nowadays. It is difficult to quantify, and therefore of little use. If we do not come across anything special (which, incidentally, has never happened in my experience) in these passages, then they are really regarded as not relevant. Perhaps we are wrong not to take this into account, but to be honest that is simply the case. If I personally read part of the corporate governance section of an annual report at all, I tend to skim it.
Dries: Do you see added value in the disclosure of risk management and internal control systems in the annual accounts?
ML: Well, for banks and insurance companies this may have its use, but I think that from what is disclosed it is still impossible for an external analyst to know whether a breach of these policies has occurred.
I have never read a report in which, for example, an internal control deficiency was reported. I find that the current statements as they are published offer no added value at all, and certainly no differentiating factor between different companies. I have never let such a factor play a part in my valuation of a company.
Dries: Do you think the industry would then benefit from a change in the legal requirements? Since the legally required publications provide no added value anyway?
ML: It is difficult to give an unambiguous answer to this. One would have to publish all the internal reports of internal audit alongside the internal control information; that would already potentially be a valuable source of information. If you see that they have certain internal control procedures but these are trampled on 10 times a year, then you can question the quality of the figures as a whole. In principle you do have the external audit for that. However, it is no use starting a trend like in France, where, for example, the section on remuneration policy becomes very extensive while the relevant figures take up only a thin part. This may well be important information, but it will have no influence on my valuation.
Dries: My question is actually very short: are such elements of RM and IC included in your valuation? Suppose I present you with 2 operationally identical companies with the same figures and industry, but one with heavily elaborated and above all explained control structures, the other with purely the legal requirements in terms of explanation. Would there be a difference in valuation for you, or do you not really rely on it?
ML: Does this have value? Probably yes. But in terms of valuation this difference will be 'peanuts'. I attach more value to the fundamental data I receive, mainly quantitative that is. Chances are that I do not even read it in their annual report.
What I do read every time is the auditor's report, and granted, even though this concerns only a very limited passage: whether or not it is approved. I assume that these people do their work adequately and have to meet certain standards. This actually makes the explanation of the internal control structures superfluous for me; in theory it may perhaps be valuable, but in practice this is not really the case.
Dries: Would a reduction in regulation in this area then mean advantages and/or disadvantages for companies and investors?
ML: My feeling is that the obligations regarding RM and IC disclosure are more a waste of time and money than a real added value. Drawing them all up and having them checked requires a lot of resources. On the other hand, it does oblige companies to think about it and to work on a more efficient and effective internal control and RM structure. I also doubt whether these structures change much over time. The systems probably often remain the same year after year.
Dries: Have you ever been in a situation in which a disclosure of risk management or internal control information led to a red flag or had any other influence on your valuation?
ML: No, for me that valuation has always come mainly from the figures. As an external analyst I am honestly not really concerned with the day-to-day internal workings of a company's risk management system. With the prospectus of a new company it will always be read, so that I can gain an insight into which risks may have an influence; their real influence, however, depends on many more factors.
Dries: Suppose a company is very dependent on certain commodity prices and it turns out that the results take a serious hit from a large rise in costs or fall in revenue as a result of poor hedging. Is this then not regarded as important, and are no questions then asked about the internal workings of those risk management systems?
ML: This is certainly looked at, but it is often a risk that is clearly identified in the annual accounts, and management is usually also reasonably transparent about the hedging policies.
For AB Inbev many more risks will come into play, such as interest rate and exchange rate fluctuation risk; on this they usually communicate clearly in advance how it is hedged. These data can then perhaps be included in the valuation of the company, certainly if an interest rate or the currency of a particular sales market is expected to rise or fall.
Interview 4: Junior Cuigniez (Petercam) Analyst D
Dries: Which elements do you take into account during your analysis? Do you take corporate governance elements, and more specifically internal control and risk management information, into account during your analysis?
JC: I rely mainly on quantitative information, but qualitative information certainly plays its part too. In the annual report I read the corporate governance statement in broad outline, and the specific risks to which companies are subject, such as currency risk and metal price exposure (my field). Other elements too, such as major shareholders who hold management positions, have to meet certain conditions under the corporate governance code. I do read those statements, but the valuation of a listed company depends almost entirely on other factors.
Dries: Other sources of information?
JC: My biggest sources of information are on the one hand the figures that are available (balance sheet, CF, P&L) and on the other hand management itself, with whom I am in regular contact. I also sometimes try to contact customers, for example, to hear their input. As a sell-side analyst I come into contact with the company more often; we do research on shares and can buy/sell shares for our clients and act as broker.
Dries: Specifically regarding risk management: companies are expected to devote part of their annual report to risk management and internal control; do these passages come into play? Do you distinguish between different frameworks?
JC: I must honestly say that I rarely read such passages; to be honest, I have never heard of COSO or of any other framework for risk management. I also have the feeling that this falls outside my field and I do not include it in my analysis.
Dries: Do you see any use in publishing such information, or do you think it is not worth the cost for the companies? They are legally obliged to do so; are these standards then too strict in your view?
JC: I suspect that the costs involved are not too bad; if it really were a cost centre, I think I would know. I study very volatile companies; the costs of such matters make very little difference. If you look at steel companies, for example, the pricing effect is much more important there. Because of the very high fixed cost base, a small compliance cost will not make much difference. The most important thing in such sectors remains your sales and your margins; most of the valuation is done on that basis. I am not aware of the requirements regarding risk management disclosure and internal control reporting, and honestly I do not think this would be of great added value in my valuation. For me internal control is not really important; the data we get to see has been audited internally and then audited again externally. The listed companies we follow are almost always audited by KPMG, Deloitte, PwC or EY, so we assume that the data we receive is correct. You can nevertheless question certain assumptions (such as in the impairment test, for example), but that is as far as it goes. I am absolutely not concerned with internal control (confusion between internal audit and internal control).
Dries: So you attach no importance at all to the disclosure of internal control and risk management systems?
JC: Well, it is more or less the equivalent of buying a new car and reading through all the user terms. At a certain point you have to stop digging further into the quality of the data and simply accept it as reliable; I do not take those internal procedures into account. (referring here to RM and IC disclosure).
As a sell-side analyst you are much more often concerned with the very broad lines, to sketch a general picture of a company, which is nevertheless more extensive than with buy-side analysts. We follow up to a maximum of 10 companies and work on them on a daily basis; in this we mainly also research how big a particular market is, for example. The matters you are discussing are not important in our analysis.
Dries: So you consider such mechanisms to be of secondary importance?
JC: I find it important to obtain good data, but it is not my job to check whether the company is properly controlled internally. The assumptions of the external audit are the only point on which I may hold a different view and which I watch out for. How their internal control system works does not matter much to me. The reporting on such systems is of no importance at all to me as an analyst. Perhaps it is valuable for other parties (such as counterparties); it can do no harm to report on it. The annual report already contains a very large amount of information that is not very useful to us anyway.
Dries: Do you think a lowering of legal requirements in this area would influence your valuation?
JC: For us this will change little. Personally I think that such systems are certainly not bad; financial markets in particular already have perception against them, so every disclosure of qualitative data should perhaps be supported. But for us as analysts this will change little, I think. In my view the value of a company is not to be found in such data. Putting an exact value on a company is impossible; depending on your assumptions you always arrive at a subjective value. This obliges us to focus on the broad lines such as market size, the pricing aspects, the mix effect.
Such a small element as RM and IC disclosure is absolutely unimportant, provided of course that the data they put out is sufficiently reliable. One point of risk management that I perhaps do use is the disclosures on currency risk and IR risk. The impact of such risks on the operating result is an important part of my analysis; I also assume that if a company describes the impact, it is correct.
Interview 5: Roderick Verhelst (Petercam) Analyst E
RV: I specifically follow biotech, so that is about one of the riskiest sectors. These risks are often all nicely explained in the annual report, but this is inherent to the sector. The problem is that many risks in other sectors, such as currency risk or interest rate risk, are still easy to follow and to quantify; in this sector things are completely different. The risk factors are mainly linked to whether a product succeeds or not; this is a very binary industry and is consequently hard to assess and to incorporate into models. The information a company sends us is often very general; for the quantification I have to rely rather on statistics, based on historical data in certain (disease) domains. A great many success rates are statistically determined and can be extrapolated to the company in question. The quantification of this is very technical and very specific to this sector. There is also a considerable difference between what the company indicates as risk and what I personally see as risk. The risk factors thus depend purely on the historical/statistical data; these data are then used in the analysis but do not come from the annual reports; this is my own research. There is a big difference between different diseases and/or specialisations; some can even be regarded as a sector in themselves because of the completely different steps a company has to take to proceed to development and sale.
Dries: Are you aware of the various risk management disclosure requirements? Frameworks such as COSO? How are these interpreted?
RV: I am not aware of this at all and have never heard of the COSO framework. I have also never taken it into account in my career; I do not even look at the information in the annual report.
Dries: Same questions, but with regard to IC?
RV: Here I do look at it, but I rely mainly on what the auditor publishes about it. I often go deeper into this and check whether their assumptions match mine, and then try to draw my conclusions from that. For further questions we contact the company itself. I will not rely at all on the system itself, on how a company carries out internal control; that is useless information for me.
Dries: So you regard it as superfluous disclosure?
RV: In principle it would be useful if companies disclosed more detail, because then we could do more with it. Companies now often simply report what they are legally required to report; this offers no added value. Larger companies will perhaps disclose more, but since I focus somewhat more on small caps and mid caps, that is not the case for me. If I receive only such limited information I cannot do anything with it either, so I do not take it into account.
Dries: Could an increase in disclosure by companies (voluntary or not) lead to benefits for the companies (via lower information asymmetry, lower WACC)?
RV: Theoretically this does not seem illogical to me, but whether it would also be so in practice is another matter. The more information were available, the more I could take it into account, of course, but that is currently not the case. If there were more transparency, this could perhaps bring the risk profile down, but at the moment it is simply not worth the effort for me to concern myself with it. As an analyst you often assume the worst case, so if we got more information about this we could already relax some assumptions, and this could potentially influence our valuation; I am of course talking about the biotech sector here.
Dries: What are your sources of information at the moment, then? And what do you find relevant in them with regard to RM/IC?
RV: The annual report and management itself are the main sources, but we do not get much information on those 2 topics. They will mention something about it, but usually it is so general that there is little to be done with it. They limit themselves to what they must disclose.
Interview 6: Gert De Mesure (Bvba DEMES) Analyst F
During your analysis, what sources of information do you use? (in short, as introduction)
o Quant. Data (Bloomberg, Reuters etc.)
As an independent financial analyst and self-employed investment adviser I have no access to this kind of expensive data suppliers, although I regularly consult the websites of Bloomberg and Reuters. I also regularly use research of some foreign brokerage houses.
o Annual Report
Which parts specifically? What are the most relevant passages? Besides the quantitative data (P&L, BS, CF) what other information is deemed relevant? Do you take into account Industry description, the company’s risk profile, risk management system disclosures, internal control information disclosure…
When starting with the analysis of a company, I first review the activities, the history of the company and the track record of its financial performance. Once I understand the company and its business I will try to assess its future potential. Obviously the financial data are the most important, with a strong focus on cash generation. Elements like risk mgt system disclosures or internal control facts are very difficult to assess for outsiders and are of less importance for my analysis.
o Press releases
If non-financial, how are these analyzed? E.g.: new business opportunities, how are these evaluated? If financial, are they simply inputted into models?
In your summary of potential information sources you are forgetting the analyst presentations that are mostly available on the company’s website. These presentations give very important background information and do mostly contain some kind of insight in the future. A press release with general statements is interesting for journalists, less for financial analysts. Of the press release I only use all the financial tables (p&l, balance sheet, cf statement). An important part of the analysis consists of the earnings estimates of financial analysts, which are normally easy to find on Internet. As these analysts are mostly in close contact with the management, their estimates can be very accurate. For Belgian companies I am myself in close contact with the top management of the company.
Does your analysis and valuation include a lot of non-quantifiable elements?
o Risk information
When you are reading the list of potential risks, it looks very general. Important in this list are the external elements on which the company has no grip, for instance raw material prices (price of metals, oil or others). To assess this kind of risks you need to consult other sources and not the company involved. In general you always know that suppliers, customers, personnel provide some degree of risk to the company. In fact you have to focus on the main risks.
o Risk management systems
Familiarity with frameworks (e.g. Coso) and their implications? Most important elements Legal requirements: Aware of requirements? Opinion? Too elaborate/narrow?
o Internal control systems
Familiarity with frameworks (e.g. Coso) and their implications? Most important elements? Legal requirements: Aware of requirements? Opinion? Too elaborate/ narrow?
What about deficiencies: What’s the implication and repercussion on your analysis? How do we value this?
The fact that companies need to report on their internal control systems means they are obliged to think about them, but for outsiders it is impossible to assess the quality of it. You will only know about weaknesses when there is a problem, for instance on bad customer debt or on the valuation of inventories.
o How do you perceive the disclosure of this kind of information in general? Do you feel that the more a company discloses, the better (provided it doesn’t include huge downside risk)? Do you consider the information to be valuable in its content, or is it more seen as a way of complying with regulation. What motives do you see for a company to disclose more information on their systems? Would an increase in regulation in this field significantly help you in your analysis? Is it in your opinion valuable to force companies to publish this kind of information or would it be better to enable companies to do this on a voluntary basis as a sign of ‘goodwill’? Do you see any disadvantages to increasing regulation on the disclosure of risk management and internal control information?
We may not forget that companies cannot disclose everything for reasons of confidentiality. Another point is that when you focus too much on all this kind of items, you risk losing the view on the main elements. That is also the problem sometimes of quarterly reporting: analysts focus on all the data per quarter, but they lose the view on the long term strategy. In all your questions there is not one mention on the long term strategy. This is very important if you want to understand the company. Every action taken is mostly linked to this strategy. All the non-financial elements are so diverse that the company can in fact tell you what you want to hear.
Interview 7: Vincent Koopman (03/03/2014) Analyst G
Mr. Koopman: Pure, objective data can be found in annual accounts; there are various institutions for that, you have Graydon, company web, and you have all possible analyses there. Banks also do analyses and go a step further; they eliminate everything related to an intangible asset. Specifically for banks, since the Basel III accord, the strength of your balance sheet, the strength of the analysis of a company comes down, besides the figures, to the quality of the management; only after that comes the collateral structure. They now tend to look at the subjective elements: has management kept its word? Have repayments been missed or not? Are they proactive or do they react to the market? Are they conservative in drawing up their figures? Are there no surprises afterwards? Do they know how to surround themselves with good advisers? Banks often use models to analyse companies before they grant a credit or loan. I myself look mainly at the quality of the management and the indicators I have just mentioned. A lot is also in the choice of words used in published documents. Only in the annual reports will you find much about that, of course. In Belgium the obligation around this is very limited. It must be stated whether a company is subject to certain risks, if these are present. This is laid down in the Companies Code. The use of financial elements must also be mentioned in the annual accounts.
Dries: Is this information in the annual accounts and annual reports actively looked at by analysts? As for press releases, is this looked at?
Mr. Koopman: Yes, this is looked at, but little is described. You will find little content about this. In IFRS there is a part on Risk Management.
Dries: For example, in the US under SOX it is mandatory to state which framework a company uses, both for risk management and for internal control. Belgian companies also publish this information voluntarily. Is this looked at?
Mr. Koopman: This can be of importance, but in the US it is also required that the external auditor certifies the accounts; this is incorporated in GAAP.
Dries: Quantitatively the models are better known, so we will not go further into that, but I note that there are also various companies that publish a lot of information about risk management and internal control structures. To what extent is this taken into account?
Mr. Koopman: The external auditor's report is also certainly looked at and considered important. Risk management of internal processes and of external factors such as exchange rate risk and legal risk must all be handled by an internal system. (Straying too far from the core)
Dries: Research has shown that disclosure of risk management information and internal control information would lower the cost of capital and in that way would also benefit the valuation of a company. Specifically, I am examining whether the disclosure of that information influences the valuation by analysts.
Mr. Koopman: Since the banking crisis in 2008, the legal requirements in the area of risk management have been tightened for banks. The legal requirements in Belgium are, however, still not as extensive as in America. It is also interesting to consult the annual reports of Umicore and Zyrtec; these ore companies describe their risks in a detailed manner. These are also listed companies that will have legal obligations in this area.
Dries: In the literature the question is often raised what the influence of those legal requirements is on companies' disclosure. Do you think companies benefit from extensive legislation in this area? Do you see incentives for companies to publish RM and IC information voluntarily?
Mr. Koopman: I think it certainly has its advantages; it encourages companies at least to think carefully about the risks they run and about their environmental factors, both internal (e.g. personnel or IT infrastructure) and external (financial risks). A certain degree of disclosure is important, since large risks considerably increase the value at risk of an investment.
Dries: There are currently various frameworks in use, such as COSO; are you familiar with these?
Mr. Koopman: COSO is indeed the best-known framework; there is certainly a lot to be found about it, both for internal control and for risk management. It is of course always a search for a standard; the one that lobbies hardest or simply offers the best and most efficient framework will survive and be adopted as the standard.
Dries: So in your opinion the industry benefits from 1 single standard.
Mr. Koopman: Yes, then this can also be standardised and used as a frame of reference, which is really the purpose of such a framework.
Appendix 4: Matrix of Within Case – Cross Case