Risk reporting is a vehicle for communicating the value that the risk function brings to an organisation. It enables proactive risk management: organisations identify and escalate issues as they arise, or before they are realised, so that risks are managed effectively. Risk reporting demonstrates to the board of directors that the company has the systems and capability in place to deliver on business strategy, and ultimately increase and protect value over the long term. Is your risk reporting relevant enough to enhance shareholder confidence?
Although many companies are undertaking well-structured and comprehensive risk management activities, some are failing to report the full extent of the processes and procedures they have in place. According to Leon Soko, a business analyst and adviser at CURA Software Solutions, it is in the best interests of the board of the company to provide full disclosure on risk management activities. “If the company is undertaking effective risk management actions which are aligned with the success of the organisation and the delivery of the required strategy, tactics and operations, then it is in the best interests of the board, the company, the shareholders and other stakeholders to make this clear.”
Soko elaborates: “Over the past three years, we have watched significant global events unfold. The world has been marked by momentous change: economic, political and environmental. These events have shown how quickly the environments in which we operate can change and this highlights the importance of robust and effective risk management strategies. As landscapes change, so does the environment for risk events. This necessitates improvements in both risk assessment and risk management to make future crises less likely and, ultimately, more quantifiable.”
Soko has identified six practical steps for improving risk reporting:
- Tell users what they need to know
Users of corporate reporting require information about a company in order to adequately measure their risk landscape. Companies should focus on this objective in deciding what to disclose. The company is best placed to know what users of annual reports and financial statements are interested in because it is the board of directors and management that have direct contact with investors, analysts and other users of the annual report and the financial statements.
- Focus on quantitative information
Disclosing more detailed analyses of the quantitative data that firms already provide would give helpful new information. Too much weight has been placed on the production of descriptive risk lists. This is not a call for quantification of risks ‒ which usually involves dubious assumptions about the probability of future events ‒ nor is it a call for qualitative information to be neglected. The focus should be on detailed, measurable breakdowns of firms’ activities ‒ geographically and by sector ‒ and on their assets, liabilities and commitments.
- Integrate information on risk with other disclosures
Financial reporting should be integrated with other risk disclosures. Further to this, information on risk should be integrated with firms’ descriptions of their business models, their forward-looking disclosures, their discussion of past performance and their financial reporting. A firm’s risks are usually inherent in its business model, so detailing the business model should, by extension, involve explaining its risks. Risk is prospective and cannot be fully understood unless it is considered in the context of broader information about a firm’s performance, plans and prospects.
- Keep lists of principal risks concise
Users are currently faced with long and indigestible risk lists that are all too easy to ignore. While extensive data is necessary, excess information may render the key factors unclear. Shorter lists make it easier for users to clearly identify where their focus should be.
- Highlight current concerns
It is of interest to users to understand which risks are currently most discussed within a firm. The concerns identified in this way will often be different from the firm’s principal risks and disclosing them could give users valuable insight into the business.
- Review risk experience
The insight garnered from risk reporting transcends just one reporting cycle. Companies must be cognisant of what has been learnt in the previous cycle to adequately mitigate potential risks going forward. The risk landscape is rarely stagnant and requires constant analysis.
Soko concludes, “In a competitive economy, business failures are inevitable and it would be unreasonable to expect risk reporting to provide reliable early warning signs of which businesses are most likely to fail. However, with vigilant assessment, agility and a clear paradigm of analysis, a robust risk reporting system could potentially save companies millions in lost revenue, while ensuring the company achieves its strategic and operational objectives.”