Carillion demise brings lessons in compliance

The collapse of one of the U.K.’s biggest construction firms and major government contractors has highlighted how important it is for assurance functions—including compliance—to ensure that boards have the necessary management information to make key strategic decisions. It also shows that compliance, internal audit, and risk management departments need to provide greater challenges, as well as a critical eye, to check that the strategy and business plan the board is pursuing continues to make sense, especially if market conditions change.

The fallout from Carillion’s collapse is likely to be felt for some time. In March, the U.K.’s corporate governance regulator, the Financial Reporting Council (FRC), began an investigation into the conduct of the company’s former group finance directors Richard Adam and Zafar Khan, and at the end of January—just two weeks after the company went bust—it announced that it was investigating KPMG’s audit work.

On 10 April the FRC also announced plans to enhance the monitoring of the country’s six biggest audit firms, which came a day after it implemented new sanctions to punish poor audit work, including fines of up to £10 million (U.S.$14.5).

Meanwhile, on 10 April, the Cabinet Office, the government department that supports the Prime Minister’s policy making, unveiled plans to exclude suppliers with poor payment practices from winning major government contracts. All of these steps are a response to what happened at Carillion.

Carillion went into liquidation on 15 January after buckling under the weight of a whopping £1.5bn (U.S.$2bn) debt pile. It was the U.K.’s second-largest construction company and was heavily involved in several key building and infrastructure projects, including the forthcoming HS2 high speed railway line, and the Royal Liverpool and Midland Metropolitan Hospitals (both now delayed and unfinished).

Carillion employed 43,000 staff globally, and in 2016 had sales of £5.2bn (U.S.$7.3B). The company, however, took on too many risky contracts with low margins that proved unprofitable (some were as low as 3 percent). Payment delays in the Middle East also hit its accounts. In 2017, it issued three profit warnings in five months and wrote down more than £1bn (U.S.$1.4B) from the value of contracts. Investors dumped shares in droves, and at the time of its collapse, the plummeting share price left it worth just £61m (U.S.$86.3M), with a £900m (U.S.$1,273M) debt pile and a £600m (U.S.$849M) pension deficit.

The company’s shortcomings had been laid bare shortly before it issued its first profits warning. In May 2017 Carillion’s newly installed CFO Emma Mercer flagged up the company’s sloppy accounting just six weeks into her post, pointing out that revenue recognition had become so aggressive that it no longer reflected reality.

“When you have a situation where fund managers seem to know more about the financial state of the company than the board does and are actively trying to short it, then you are in trouble.”
Nauzer Signaporia, Technical Partner, H W Fisher

Shortly after, Carillion’s accountant, EY, produced a report in August 2017 that criticised the structure of the business, management accountability, and its approach to procurement. In addition, it attacked Carillion for prioritising short-term benefits over long-term sustainable performance, especially when the company continued to reward shareholders with handsome dividends that were plainly not feasible. Also, Carillion also committed the cardinal sin of awarding senior executives with sizeable pay-packets and huge bonuses, irrespective of their inability to meet performance targets.

The report went on to say that there was a “culture of non-compliance” in Carillion around bidding for work, with a focus on hastily signing up for jobs in an attempt to secure cashflow, with management seemingly failing to control the number of major projects the firm was taking on. Members of Parliament have branded the company’s seven former board members—four of which were non-executives—as “delusional.”

There has been no shortage of expert criticism levelled at the company’s leadership. Colin Garvie, assistant professor of accounting and finance at Edinburgh Business School, Heriot-Watt University, says “how could the business be doing as well as its accounts suggested, given cash was running low, investors were shorting the stock, the pension fund appeared grossly underfunded, and the value carried in the accounts of the intangible assets was a huge percentage of the value of Carillion?”

Nauzer Signaporia, technical partner at accountancy firm H W Fisher, is of a similar mind. “When you have a situation where fund managers seem to know more about the financial state of the company than the board does and are actively trying to short it, then you are in trouble.”

Experts believe that there are plenty of lessons for compliance functions to learn from Carillion’s collapse, as well as opportunities for the profession to reflect on how it can be more effective in pinpointing danger signs and acting on them.

Arianne King, managing partner at law firm Al Bawardi Critchlow, says that compliance functions need to be more aware of the risks inherent in the industry sectors in which their organisations operate and to question management about what steps they have taken to identify and control them.

King says that it is important for compliance to review internal management structures so that the team leading the project are sufficiently skilled and experienced, as well as ensure that managers have budgeted for adequate labour needs to service a given project. King says that there are typically two danger signs that are often evident in construction projects: firstly, a failure by senior management to appreciate the importance of proper training of construction management staff and project managers (particularly in terms of understanding project costs and finance); and secondly, an inclination to favour long-standing employees—irrespective of technical competence—in management roles.

Carillion and spreadsheet risk

Companies need timely and accurate information if they are to continue to operate effectively, and Carillion’s collapse has exposed a significant risk that many organisations either downplay or continue to ignore—the problem of spreadsheet reliance.
Spreadsheets remain key components in many business processes; their power and flexibility are highly valued by both staff and management and, as such, finance departments rely heavily on them.
But IT consultants and other experts have warned for many years that despite a growing awareness of the limitations—and problems—associated with the popular software package (inputting errors are commonplace, and there is no comprehensive audit trail to uncover errors), companies continue to rely heavily on spreadsheets for financial and performance management reporting without implementing effective controls and protocols on how the data is inputted and checked.
And because the software is available on just about every computer and laptop, it is easy for employees to access the documents and add changes, leading to multiple versions of the same group of figures. Carillion is just the latest company to fall victim to poor Excel usage.
“The Carillion collapse shows the risk that the unmonitored and uncontrolled use of spreadsheets poses to businesses,” says Henry Umney, CEO of computer governance consultancy ClusterSeven, which specialises in preventing spreadsheet risk.
In Carillion’s case, its staff were using multiple versions of multiple spreadsheets simultaneously in multiple offices to manage its sub-contractor and employee workload, resulting in poor and unprofitable workforce management. Often, several contractors were sent out to complete the same jobs.
“Despite spreadsheet error majorly impacting businesses, companies simply aren’t affording these powerful, flexible—but error-prone—tools the attention they deserve,” says Umney.
Below are some top tips that Umney says compliance teams can bear in mind to ensure spreadsheets are used properly and that their risks are controlled. These include:
Conduct a process of discovery to locate your key spreadsheets that are central to your business processes and your management reporting;
Identify the data lineage between these spreadsheets, and assess the business risks associated with them;
Categorise these spreadsheets based on their importance to the business (e.g. high, medium, low);
Apply a control framework to these files based on the needs of the organisation’s end-user computing policy, or its business needs, to monitor for change management, version control, and remediation. Decommissioning some spreadsheets might be necessary too.
— Neil Hodge

“Senior executives in the construction industry typically work in the construction industry for their entire careers,” says King. “In that sense, they are isolated from the rest of the business world and the way they run their businesses appears bizarre,” she adds.

Another very common problem that plagues building firms, says King, is the industry’s focus on short-term cashflow. “It is fairly common in the construction sector that seemingly liquid companies suffer a speedy decline. This is often the result of a mix of poorly managed risks, insufficiently priced contracts, and too much debt.”

“It is astonishing how many contractors we encounter that enter into sizeable contracts without any legal advice whatsoever. This is almost unheard of in any other industry,” she adds.

French Caldwell, chief evangelist at GRC apps company MetricStream, says that the Carillion collapse highlights a cashflow challenge associated with organisations that rely heavily on government contracts. In order to win new projects, he says, companies bid for them with low, loss-making amounts, but then try to cover shortfalls and accounting ledger losses by winning new contracts and expanding the scope of current work—an approach that proves unsustainable in the long-term, especially if government funding priorities change.

“If cashflow starts to diminish, the gaps become apparent and the organisation doesn’t have enough capital to complete initiatives or fulfil short-term liabilities,” he says.

In the end, the best way to assess a company’s underlying financials is to see how much cash it actually holds. “One lesson for the compliance function is to have a stronger grasp—both in terms of understanding and accessibility—over accounting issues and to constantly look at the ‘bigger picture’,” says Caldwell. “Instead of analysing items case-by-case where losses can be balanced out by the opportunity to forge new relationships and repeat business, compliance and the internal audit function must be able to identify when the organisation is continuously relying on loss-making bidding. The activity could reveal short-sightedness at boardroom and senior executive levels and suggest that other areas of the company should be investigated for excessive risk-taking as well.”

Val Jonas, CEO at risk strategy consultancy Risk Decisions, says that the Carillion failure highlights some key steps that compliance functions should take to strengthen the value they provide—one of which is to ask critical questions about corporate strategy.

For example, she says, the Carillion compliance function should have been questioning whether the company had a balanced portfolio of contracts and projects, how many of these were meeting their stage-gate objectives and payment schedules, and whether there was a risk of penalties and defaults. She adds that compliance should also have been asking questions around how sensitive and resilient the company was to changes in market conditions, and whether it had a short, medium, or long-term strategy to address concerns.

“Any board needs sufficient early warning to act if the answers to these kinds of questions aren’t good,” says Jonas. “The problems at Carillion were similar to the 2008 banking crisis: instead of sub-prime mortgages, Carillion had sub-prime contracts and, in the end, it was impossible to trade out of such a bad position.”

Jonas says that too many organisations made the assumption that since government agencies were continuing to award Carillion contracts, the company must therefore be a going concern—despite the stock market downgrading its view of Carillion for some time.

As a result, she says that compliance functions should provide relevant Key Risk Indicator (KRI) information to the board by examining the company’s own results, as well as trend data taken from the wider market. This will help keep track of the company’s actual performance, how much cash it is actually holding, and what financial preparations it may need to make to meet any changes in the market. “KRIs and trends provide an insight into the major company risks the board need to address. This is the basis for risk-based decision making,” she says.

More widely, Jonas says that compliance needs to provide a stronger challenge. “Compliance needs to do its own due diligence, remain independent in thought, and form its own opinions instead of following those of the market generally,” she adds.