Companies' refusal to be honest is one of many barriers to better risk reporting.

Risk reporting is too often a process-driven exercise and current risk reporting practices often fall short being too generic, bland, poor on qualitative information or too compliance based.

Boards, auditors and investors need to challenge executive directors more. They need to ask, ‘What if this went wrong?’ And the management need robust answers.

Risk reports fail to provide the specific information that users would find useful.  Vague information stops users deriving any meaningful conclusions. By being confusing it could be creating more risks.

Some of the specific challenges identified include:

Reluctance to be negative

Companies don’t want to:

  • talk about the negative, especially in annual reports which are meant to be upbeat
  • give the impression they have more downside exposure than competitors.

Box ticking

Companies question whether the increase in risk management regulation since the global financial crisis (GFC) is necessary. Risk officers are concerned that risk reporting is a box-ticking exercise.

Reporting is meant to produce better risk management.  Instead reports are formulaic, generic and too PR-orientated.

A good risk report wish list

Users want to see an honest explanation of how risk is managed in the context of the business strategy and model.

They want:

  • key risks identification in plain English
  • management to explain clearly why it believes these risks are critical
  • management to explain how it is mitigating risk
  • new and emerging risks to be identified
  • management to explain how they asses risk throughout the year. 

About Jamie Lyon, lead author, ACCA