As the phrase suggests, a joint venture is a business agreement between two or more parties that choose to enter into a partnership for profit. But it also means joint exposure to adverse consequences and potentially significant exposure to the owners’ objectives, particularly from a strategic, financial, and reputational perspective.
Even with less than 50 percent ownership or control, the parent company can be subject to liability if there is actual knowledge or deliberate ignorance of any inappropriate conduct. There have been numerous cases where owners have been impacted by actions within a joint venture or subsidiaries. In February 2015, the U.S. Securities and Exchange Commission (SEC) fined Goodyear Tire & Rubber Co. US$16 million after alleging its subsidiaries in Kenya and Angola bribed government officials, employees of private companies, and government-owned entities to obtain sales. The bribes were recorded as legitimate expenses in the books from 2007–2011, a violation of the U.S. Foreign Corrupt Practices Act (FCPA). Goodyear’s self-reporting and cooperation in the investigation resulted in a less severe fine. In a 2011 case, London-based multinational alcoholic beverages company Diageo also was fined US$16 million by the SEC because its subsidiaries in India, South Korea, and Thailand bribed foreign government officials to gain sales and tax benefits.
In addition to financial considerations resulting from poor joint venture governance, evidence has indicated that other consequences, particularly reputational and license to operate, can have more significant impacts on the owner. Generally, the perceived largest severe impact would be to corporate reputation, rather than legal, financial, and regulatory impacts.
The role of internal audit and risk management is vital to support management in the development and ongoing monitoring of the joint venture governance framework. Joint venture owners’ audit strategy and risk management processes will require high coordination and strategic thought between the relevant owner audit departments/risk teams and joint venture teams, if applicable.
With a vast range of joint venture structures and operations across several industries (including the owner directly operating the joint venture on behalf of the owners or the joint venture having its own operating and management structure), the owner’s implementation of an effective governance process can be challenging.
A typical, nonoperated owner challenge is ensuring that risk management within the joint venture is effective. Effective risk management will depend on the nature of the joint venture relationship, including level of influence, ownership/management control, and the owner’s appetite for control monitoring and risk management.
Regardless of the chosen approach, the minimum requirement is an effective risk and control monitoring process by both the owners and operators. The joint venture operator may have implemented a formal risk management program, including risk analysis, control assessments, and monitoring; however, the minimum requirements should include implementing a risk-proportional risk management process by both the owner and operators, which will give owners an adequate comfort level over the joint venture.
Embedding a risk management process allows the owner to structure governance processes and understand the risk exposures and control effectiveness relating to joint venture operations. In addition, monitoring risk management processes and connecting joint venture risks can provide owners with necessary insight into the potential for exposure.
The implementation and ongoing monitoring of a risk management process will depend on several factors. A key aspect is the area of ownership control versus influence. Existing tools and methods are used to determine control for legal and financial reporting purposes (e.g., greater than 50 percent joint venture ownership would normally indicate control); however, risk exposure in joint ventures should be managed based on the breadth and areas of risk impact.
A critical aspect of joint venture governance is determining the level of exposure that joint venture operations may have on the achievement of the owner’s strategic objectives. In other words, is the joint venture a financial investment, does the owner have “skin in the game,” or are there additional nonfinancial consequences or financial impacts greater than the investment value if things go wrong? Potential consequences surrounding a financial investment are generally limited to financial exposure; however, if the joint venture is more than a mere financial investment, additional consequences such as reputational, community, environmental, and strategic risk impacts may materialize.
Some key points for management, internal audit, and risk management to consider when determining governance strategy include:
- Risk process. Is an effective risk management process in place (and in larger organizational settings, does the process include a dedicated risk management team)? Is the risk process aligned with the owner’s process or best practice?
- The availability and maturity of risk monitoring information. The ability to obtain and analyze information provided by the joint venture will depend on influence (e.g., strength of relationships between the joint venture and owners) or the embedding of monitoring and information provisions within it (e.g., formal requirements included in agreements for governance and provision of information).
- The risk maturity of both owner and joint venture. Is the strategy achievable, considering the relative risk maturity of all parties? The risk management framework should consider risk awareness and control monitoring at the joint venture level.
- Risk culture. Will the organizational culture within the existing joint venture governance process support effective risk management? Key enablers or indicators can include tone at the top, communication between joint venture and owners, and creation of risk or governance committees.
- Commercial sensitivity (anti-trust). Will the provision of information between the joint venture and owners align with anti-trust requirements? What are the controls in place to ensure that the joint venture and owners appropriately maintain commercially sensitive information?
- Continuous control monitoring and provision of information. Regardless of the strategy selected, the control monitoring performed by the owner should be designed to ensure the provision of timely and accurate data. Ideally, the control design and feedback will allow the risk and control owner to understand whether the control is about to fail (i.e., leading indicator) rather than following a control failure (i.e., lagging indicator).
A Joint Venture Case Study
Given the realization of joint exposure, the implementation of a risk-proportional risk and audit process will enable the owner to gain adequate comfort over joint venture operations. The process to develop the strategy from inception was explored by fictional Company XYZ.
Company XYZ is a 50/50 owned joint venture. Both joint venture partners are industry owner-operators with separate management and operational structures. The joint venture board includes representatives of the owners and members from the joint venture company management team.
While legal and accounting interpretations of the joint venture structure indicate that owner No. 1 does not control operations at the company, significant risk exposures to owner No. 1 were identified during the board governance process. During a risk strategy session, two options were identified to implement a risk-proportional risk management process.
- The joint venture maintains the risk profile and communicates it to owner No. 1 periodically. The company completes control monitoring through internal processes.
- Company XYZ risks included in owner No. 1’s risk profile are based on percentage of ownership and impact. No specific risk monitoring is performed or formalized by owner No. 1.
- Generally, the financial impact of risks is to be calculated based on owner No. 1’s equity ownership (50 percent), and other impacts (reputational; health, safety, environment; and legal) are included at 100 percent.
The advantages to this arrangement are fewer dedicated resources with a focus on the joint venture company risk management process and reliance on existing processes. However, the disadvantages are the lack of ownership and risk monitoring performed by owner No. 1, the risk profile not necessarily representing owner No. 1’s view or assessment, and the inclusion of a high number of operational risks within owner No. 1’s profile.
- The joint venture company’s material risks are individually assessed and included directly from owner No. 1’s perspective within the established risk management process.
- The risk ratings will be decided based on work completed by the joint venture entity, but can be different depending on the effectiveness of owner No. 1’s control or perspective.
- Owner No. 1’s operational management governance hierarchy is the primary owner of risk and control.
The advantages of this option are an accurate reflection of the joint venture (owner) risk profile, appropriate governance and accountability residing with owner No. 1’s risk and control owners, and the ability to enhance a balanced control-monitoring process. The disadvantages, however, could include initial increased efforts to develop and embed the risk process and supporting internal control and governance frameworks.
Following review and consultation by all stakeholders, owner No. 1 identified Option 2 as the preferred risk management process. However, this approach required the identification and formation of the risk profile, with consideration of several key factors.
Ownership Given the absence of existing defined risk management roles with owner No. 1, decisions around risk and control ownership were informed based on the existing governance structure and oversight from owner No. 1. Through the risk management process, the level of governance and oversight would be generally formalized and enhanced by detailing owner No. 1’s risk and control responsibilities.
Risk Profile The risk events within the owner’s risk profile can be articulated in several ways and need to be consistent with the remainder of the risk profile to ensure a consistent and comparable process. Generally, the owner’s risk profile for the joint venture could include a blend of:
- 1:1 Risk. Significant risks that might coexist on the joint venture risk profile require both owner and joint venture control monitoring due to the implication of the risk and impacts.
- Consolidated Risk. Owner risks that consolidate or merge subordinate joint venture-identified risks will reflect the appropriate risk elements, but allow the ability to focus the owner control monitoring on joint venture governance and monitoring, rather than on the more detailed control monitoring in 1:1 risk.
Performance Metrics The performance metrics developed for the owner’s risk will likely be different from the joint venture risk metrics, so different strategies will need to be used. Typically, the metrics from the owner’s perspective will be at a higher level than the joint venture operational controls, with a focus on monitoring and joint venture oversight. One example of owner metrics could involve performing periodic review of the joint venture operations risk management process. However, the joint venture operations metrics could involve monitoring directly related to the risk, such as ratings, critical control performance, action tracking, and event monitoring. These metrics will be incorporated within the risk and control documentation to ensure correct focus by the owners.
Risk Documentation and Criteria Risk documentation must be developed to reflect the minimum requirements for the intended monitoring that owner No.1 performs. An example of risk monitoring criteria for the two different types of risk could include:
- 1:1 Risk. Operational monitoring directly related to the risk, including assessment ratings, performance metrics, and remediation or issues tracking; and oversight of key risk and control performance through the joint venture’s risk and critical control owners.
- Consolidated Risk. Periodic review (a minimum of every six months) of the overall joint venture risk management program/process by a nominated risk or audit professional. Ongoing monitoring of joint venture risk management action tracking (e.g., remediation tasks or audit findings) related to potential failure of causes for owner No. 1’s risks.
Provision of Information Concurrent strategies should be considered to obtain the necessary data for owners’ control information and monitoring needs. By formalizing monitoring by owner No. 1, new and more frequent information flows may be necessary with mechanisms in place to ensure that information provided is timely and accurate. A key consideration is that any information provided between the joint venture and owners, especially commercially sensitive information, is in accordance with relevant anti-trust regulations.
Audit Approach/Verification Before implementation, obtaining owner alignment on the audit approach and inspections is critical. Internal audit will need to decide about timing, coordination, and co-participation, and important areas of audit scoping and criteria will need to be decided. The owner and joint venture should determine whether the audits will be measured against joint venture procedures, owner’s procedures, or best practice. Ideally, these will be aligned; however, when there are differences, there needs to be consultation among joint venture and owner’s management and governance teams on the agreed reference points for appropriate risk management and control monitoring.
Joint ventures can cause significant exposure and adverse consequences to the owner’s objectives, even with the absence of owner control. Implementing a risk-proportional risk management process will maximize the opportunity to achieve both joint venture and owner strategic objectives. Risk management and internal audit should be active in joint venture governance, from thought leadership and support during governance strategy development to control monitoring, execution of joint venture audits, and follow-up.
Developing the right audit and risk process will include thought and definition around the correct risk and exposures from the owner’s perspective and the implementation of risk performance criteria and monitoring. Ongoing, continuous monitoring throughout the process, supported by risk and audit, will be vital in ensuring that owners have an appropriate level of oversight and, ultimately, comfort over joint venture operations.