Sound risk reporting is acknowledged as one way to hold boards more accountable for the management of risk and the delivery of business objectives. With greater scrutiny from more and more stakeholders, what should boards be doing to improve transparency and effectiveness in their risk communication practices?
Companies' refusal to be honest is one of many barriers to better risk reporting.
Risk reporting is too often a process-driven exercise, and current risk reporting practices often fall short by being too generic, bland, poor on qualitative information or too compliance-based.
Boards, auditors and investors need to challenge executive directors more. They need to ask, ‘What if this went wrong?’ And management needs robust answers.
Risk reports fail to provide the specific information that users would find useful. Vague information stops users deriving any meaningful conclusions. By being confusing, such reporting could be creating more risks.
Some of the specific challenges identified include:
Reluctance to be negative
Companies don’t want to:
- talk about the negative, especially in annual reports which are meant to be upbeat
- give the impression they have more downside exposure than competitors.
Companies question whether the increase in risk management regulation since the global financial crisis (GFC) is necessary. Risk officers are concerned that risk reporting is a box-ticking exercise.
Reporting is meant to produce better risk management. Instead reports are formulaic, generic and too PR-orientated.
A good risk report wish list
Users want to see an honest explanation of how risk is managed in the context of the business strategy and model.
- key risks identified in plain English
- management to explain clearly why it believes these risks are critical
- management to explain how it is mitigating risk
- new and emerging risks to be identified
- management to explain how it assesses risk throughout the year.
"A report that demonstrates how management is handling tough or risky scenarios will be valuable to investors. Providing a link between company objectives and risk factors gives investors a better idea about how the company’s performance will be affected if particular risks materialise."
Driven to the top of the agenda
The global financial crisis (GFC) of 2007-8 drove risk to the top of the agenda for regulators and investors, although high-profile corporate failure had already increased interest in risk reporting in the early 2000s.
Users believe risk reporting is improving although there is further to go.
A legacy of the GFC is that risk management and reporting are widely and openly discussed.
The financial services and the extractive industry sectors produce some of the most thorough and innovative risk reports. Pharmaceuticals is seen as willing to be more forthcoming in risk reports.
Good risk reporting gives investors confidence – about the company, its business model and its management.
Greater disclosure of risks is not a threat; it is a chance to demonstrate the strength of the company’s controls and management.