The global body for professional accountants

Related Links

Does risk reporting in Pakistan deliver value to investors or is it primarily driven by compliance? Syed Faraz Anwer provides answers and proposes some solutions

This article was first published in the November 2013 International edition of Accounting and Business magazine.


Risk reporting is relatively new in the context of Pakistan and not many industries are actively pursuing it. So says Syed Faraz Anwer, partner for risk advisory and business improvement services with AF Ferguson, the PwC network member firm in Pakistan.

As the firm’s focal point for risk advisory, Anwer has led the development of standardised methodologies and service delivery standards. He says that in Pakistan the banking industry has been in the vanguard of developments, driven on by the regulators: ‘In the last eight or nine years there have been a lot of regulatory drives, a lot of handholding, and a lot of capacity building initiatives taken by the State Bank of Pakistan.’

Risk infrastructure

These developments have not just been in risk reporting but also in the underlying aspects of risk governance: structure and systems as well as the tools and models that go into risk reporting.

One trend over the past two years has been a focus on enterprise risk management as well as individual risks. This is also in response to the financial crisis, although as Anwer points out, banks in Pakistan remained largely unscathed by the crisis because of the lack of diversification in financial products.

‘We didn’t take a direct hit, but there have been many indirect learnings,’ he says. ‘Banks and regulators have been mindful of the financial crisis and what could go wrong in Pakistan as well. So all these elements of capital planning and capital management have been in force, as well as aspects such as portfolio management and exposure reviews, etc.’

This has made the banks the frontrunners in risk reporting in the country. They have to address a number of different stakeholders – not just investors via annual reporting and internal reporting to boards and annual committees, but also the regulators and the ratings agencies.

Too much information

‘The problem is that the information provided is detailed yet vague, making it difficult for audiences to derive any meaningful conclusions,’ says Anwer. ‘Without an expert pointing out which are the important bits and which do not carry much significance, you get a lot of information that may not make any sense.’

Anwer points out that while institutional investors attach a great deal of importance to risk disclosures, smaller investors – who make up the majority of the investor population – are not as aware of the benefits of a risk report.

‘This makes it very difficult for organisations to decide how much information to disclose and how to disclose it,’ he explains. ‘They also have concerns about how investors will perceive this information. Sometimes they feel that if there is more risk information, then there is a perception that there is more risk.’

Generic commentary

This has led to reports containing little more than extensive generic commentary on risk, which generally covers those aspects already known to sophisticated investors. 

Anwer believes that information should be put more simply and its potential impact on investors assessed before it is shared.

‘Information should not just be there for information’s sake, it should only be shared when it makes sense to share it with others and you understand what value it would lead to,’ he says. ‘There has to be proper time spent by the board, by senior management and all the key stakeholders, on what should be reported and what the value is of reporting it.’  

He believes the regulators should also play a role in guiding and following up on the process of risk reporting.

Make it specific

To be relevant to investors, risk reports need to be practical and institution-specific, which requires a high level of board sponsorship.

‘I think the importance attached to risk reporting should be far higher than it is currently,’ Anwer says. 

‘It’s simply a question of priorities for the boards.’

External auditors can add value here by helping boards identify what information can be shared that will actually raise awareness rather than simply listing what resources and systems the bank uses to manage risks. The external auditors also need to build their own capacity and move beyond a tickbox approach of simply recording what has or hasn’t been reported.

Report benchmarking is also important to allow investors to be able to compare organisations and to raise organisations’ own awareness of potentially valuable information on which they could be reporting. 

However, Anwer believes that while what is reported on could be standardised, how it is reported should be left to the discretion of local communities. ‘That way the market can force the disclosure quality improvement on its own,’ he says.

Similarly, if organisations want to attract foreign investment they will need to tailor the information accordingly. 

He adds that sophisticated investors are well aware that it is not always in the interest of organisations or indeed themselves to provide certain information. 

‘Some information will be very sensitive and in that case they would expect the organisation to provide information about how they manage risk in general,’ he says. 

That covers the number of times that its model is internally evaluated and validated, the kind of structures that it has in place internally, the role of the audit committee and the role of the risk management committee.

Defining risk appetite

Similarly, when it comes to disclosing the overall appetite for risk, there are aspects of, for example, capital management strategies which no organisation would wish to disclose. 

Anwer says: ‘If this is not shareable, then at least you can share the information about how you calculate your risk appetite. There are varying bases: it might be return on capital, earnings or assets, portfolio concentration, or exit and entry strategies. Sharing how you define your risk appetite can provide a lot of comfort to shareholders.’

Again, a specific, practical and relevant risk response is of more value to an investor than a generic response. ‘If you write that you have all the required methodologies and principles and accepted best practices, the investor will not be able to relate to that,’ he says. ‘But if you say, “for capital calculations I have this risk engine and for market management I have that risk engine and for the data requirements I have this type of data warehouse,” then this information is not confidential – your competitors will know it – but it will let investors know you are investing in technology and are forward-looking.’

Anwer continues: ‘Managers don’t always know what strategic risk reporting is about: they are not comfortable with their own risk » assessment procedures, their own risk criteria, their own ways of managing risk. If someone comes up with a tough question at an AGM, what would they tell them? They rely on generic statements to make sure no specific questions are asked – you don’t want anyone to question the details of what you do because you may not be able to satisfy them.’

Sharing promotes confidence

An organisation should be aware that its investors are often not so well informed as its business competitors because they don’t have the same resources and information sources.

‘If your competitors already know something, then it’s probably a good idea to share it with your investors and give them more comfort about the way you will be doing business in the future,’ Anwer says. ‘Even if it’s not known by competitors it can still be a good idea to share.’

Anwer believes that while real-time risk reporting is some way away, there is a case for increasing the frequency of risk reports and making them available in different ways.

‘Risk reporting frequency should be expanded in some form or other,’ he says. ‘There should be more institutional reporting and more structured and elaborate reporting to the regulators. The ratings agencies are also a problem because they only come on board once a year and sometimes there might be little information on what is happening to the organisation during the course of the year.’

Online and automated reporting will help provide information tailored to each stakeholder’s needs, an issue that Anwer believes regulators should address: ‘There is a need for the regulator to review what banks share with investors because there really is too much for a general investor to digest. If the regulator wants to have more information it should create templates. You can’t have one standardised tool or that whole batch of risk reports is going to be hundreds of pages long.’


By potentially confusing buyers in this way risk reporting could itself be creating more risk, says Anwer. 

He believes that risk reporting should be taken out of the financial statement, which is a backward-looking reflection of the accounting numbers rather than an analytic exercise.

‘The risk report should be a separate report or as a last resort only included in the annual report,’ he says. ‘This would focus attention more on the value of what is actually included in the risk report. 

‘Does the risk report include information about the in-use testing of risk models or methodologies? Does it talk about risk linked to your business? Does it talk about value creation, about research? It should do. 

‘If you use risk numbers in your performance evaluation, for example, this is going to be a big comfort for the investors.’

Mick James, journalist 





Last updated: 14 Jul 2014