Organisations benefit from high-quality reporting about risk management. Stakeholders greatly appreciate receiving information about risks and about the way in which an organisation is managing these risks. Another benefit is that clear reporting forces the board to take stock and draw up a list of the risks and risk management systems. This is an important first step on the road to improving the quality of the risk management process. Directors can create value by adopting a positive approach to new rules and codes that encourage them to produce high-quality risk reporting. Internationally harmonised standards for risk reporting can promote clear reporting too.
Investors understand that companies can only make profits if they make a conscious decision to take certain risks – no risk, no reward. It is a known fact that risks and returns are inextricably interlinked, which is why investors expect to receive accurate information about both aspects. Note that the public sector is exposed to risks in a similar way when it comes to the realisation of the formulated goals. Stakeholders do not mind accurately described risks that they can comprehend, even if these risks increase the volatility of the forecasted results. However, their pet hate is when risks suddenly appear from nowhere that the organisation failed to describe or only described in very broad terms. This is true especially if these risks lead to material financial setbacks that hit stakeholders like a bolt from the blue.
In other words, an organisation’s use of external reporting to explicitly discuss the risks it is facing is a very effective way of satisfying stakeholders’ need for information about risk profiles and risk management. At the same time, this reporting means that the organisation can manage the expectations of regulators and other stakeholders about the results and their volatility. This in turn means that they feel that any fluctuation in the desired outcome of the objectives is less unexpected.
Risk reporting pays off
Reporting about risks is integral to the quality of the risk management process at organisations and contributes to its improvement. High-quality risk reporting by directors requires them to first obtain an accurate view of the most important risks and of the effectiveness of the internal controls designed to mitigate these risks. In many cases, these new insights then lead to improvements in the risk management system. As a rule, when drawing up a list of their risks, organisations discover a variety of ‘low-hanging fruit’ and can significantly reduce their exposure to certain risks with relatively little effort.
Companies, government bodies and other public organisations can no longer circumvent accurate risk reporting. One example of mandatory legislation is the European Transparency Directive, which came into force recently[i]. This Directive is designed to bring about greater consistency and transparency in external reporting by listed companies. The Directive has twin goals here, namely to improve the protection enjoyed by investors and to create a more efficient market. Annual reports must contain a section on risk that sets out the major risks and uncertainties that the issuing institution is faced with. The board must explicitly confirm in a statement that the annual report describes the material risks that the company has to deal with. As a rule, corporate governance codes require the board to provide information in the annual report that not only describes the most significant risks but also how effective their systems are in dealing with those risks.
Taking a positive approach
It pays for directors to implement the relevant provisions of the corporate governance codes in a way that benefits their company. After all, proper risk management – including accurate reporting – gives companies a competitive edge and creates value. Proper risk management brings benefits for directors of not-for-profit organisations too, as it creates greater trust on the part of regulators and other stakeholders. Nevertheless, we have noticed some reluctance to discuss risk management practices in the financial statements. This may be down to directors’ unwillingness to provide stakeholders with another frame of reference – namely ‘risk management’ – that the latter could then use to judge their managerial performances.
However, good directors do not need to be afraid of providing additional parameters or yardsticks to be judged by: in contrast to popular belief, accurate, transparent reporting about risks can actually protect directors against liability claims. The increasing juridification of society has meant that directors are afraid of being called to account for the risks and controls they have reported on. However, in many cases transparency on the part of directors beforehand is deemed to be an excellent defence.
Whatever the case, it is the top management that bears the ultimate responsibility for prudently managing the risks an organisation faces. Indeed, providing clear information to stakeholders (about the specific risks faced, about the ways in which management is endeavouring to contain these risks and about the effect that these risks could have on the results) reduces the risks involved in directors’ and officers’ liability. This is because stakeholders will have no reason for claiming afterwards they were not properly informed about the relevant risks.
Better risk reporting
In practice, organisations and their directors must grapple with a whole host of issues relating to the reporting of risks and risk management (see separate box: ‘Grappling with transparency’). We recommend basing the layout of the risk reporting section in annual reports (referred to as the ‘risk paragraph’) on the different elements of the management cycle – namely: planning, execution, monitoring and adjustment (‘plan, do, check, and act’). This results in the following structure:
- a description of the organisation’s strategy, formulated objectives, associated risk profile and information about the board’s risk appetite;
- a description of the existing risk management systems and internal controls;
- an explanation of the risk policy pursued, the implementation of the controls, shortcomings in internal control, incidents etc. during the period under review; and
- any adjustments to the objectives, and any future measures to improve internal control.
Additional guidelines – preferably implemented internationally – in the field of risk reporting should certainly increase transparency for both the drafters and users of this information. Naturally, this is neither a simple process nor a short one. At the European level, the above-mentioned Directive means that a few more cautious steps towards harmonisation have been taken, something that is definitely needed given the significant differences in national regulations within the EU. Note too that the ISO (the International Organization for Standardization), a collaborative network of 156 national standardisation organisations, is currently drafting a set of risk management guidelines[ii]. This should lead to the harmonisation of standards as ‘International Risk Reporting Standards’ (IRRS), in the same way as was done with the International Financial Reporting Standards (IFRS). These will also affect reporting by not-for-profit organisations.
The planned international harmonisation will probably focus on general quality requirements to be set for risk reports and not on their literal content. These standards could for example require a clearer link to be made in the reporting between the description of strategy and risk profile on the one hand and an explanation of the risk management activities pursued on the other.
Summary and conclusions
Risk reporting is primarily about the proper management of expectations. In the case of companies, openness about the volatility of results and useful information on the quality of the internal control system can help reduce the cost of capital and thus increase value. It is also plausible to argue that in theory this should also improve the quality of the risk management process, which ultimately benefits the company’s value creation activities too. Note too that the proper management of expectations is just as important a task in the public sector. Here the role of the budget as a defining framework for the organisational activities implies that additional emphasis is placed on clarifying the choices made regarding the organisational objectives. After all, these objectives are geared towards creating value for the various stakeholders.
In practice, organisations and their directors are still grappling with a whole host of issues relating to the reporting of risks and risk management; global standards for risk reporting should shed some light on these issues. Stakeholders’ confidence rests on their belief in the integrity of the directors and on the associated honest and accurate provision of information. This belief will certainly be encouraged by the provision of well-structured information about risks and controls and about expectations and outcomes.
Grappling with transparency
In practice, directors still have a lot of questions about reporting on risk management issues. Some of the FAQs include:
- How detailed should the list of risks be? Should we endeavour to provide exhaustive disclosure or is it better to list the most significant ones only?
- How should we deal with the risk interdependencies?
- How can risks be quantified sensibly?
- How often and in how much detail should the effectiveness of the internal controls be determined?
- How are ‘shortcomings’ to be assessed? What level of ‘materiality’ defines a shortcoming?
- What degree of assurance regarding the effectiveness of the risk management systems and internal controls can reasonably be expected (including from directors)?
- What is the external auditor’s role when it comes to assessing the quality of the risk reporting?
[i] The Act dated 25 September 2008 for the amendment of the Dutch Financial Supervision Act (Wet op het financieel toezicht, Wft) and a number of other laws implementing the Transparency Directive (2004/109/EC) came into force on 1 January 2009.
[ii] ISO 31000:2009 Risk Management – Guidelines on principles and implementation of risk management.