There is pressure – and encouragement – for UK companies to improve the quality of their communication on enterprise risk management, says Lee Coppack
A competition is now underway for the best communication of risk by a UK company. Each year, the Investor Relations Society (IRS) gives prizes for the quality of annual reports. This year it has introduced an award for best communication of governance and risk in an annual report. The short list will be announced on 28 September.
The Financial Reporting Review Panel, an independent regulatory body, has already advised: ‘The disclosure of principal risks and uncertainties is likely to warrant greater attention during the forthcoming reporting season. The extent and speed of change in market conditions as a result of the financial crisis affecting banks and, more recently, other sectors of the economy, together with unprecedented increases in some commodity prices means that all companies are facing increased, and possibly different, risks when compared to prior years.’
As early as November 2007, the reporting review panel had identified the areas in the economy likely to be under most strain as the banking, retail, travel, commercial property and house-building industries. It then reviewed 300 sets of accounts mainly for financial periods between December 2006 and June 2007, shortly before the current crisis, and published the results in October 2008.
The issues it most frequently raised with companies related to the disclosure of their principal risks and uncertainties and key performance indicators. In its review, financial reporting panel confirmed the suspicious of risk managers that the compiling a risk register can become an objective in itself. It said: ‘Some companies provided a long list, which fell short of the requirements in two respects. First, the principal risks and uncertainties were not identified and second, there was no proper description of them. A few companies did not disclose any risks or uncertainties at all. In a small number of cases, the panel queried the omission of specific risks.’
On a related area, the panel also noted a number of instances where companies had not provided any reference to their use of financial instruments as required by the Companies Act 1985 although the accounts and summaries of accounting policies clearly showed their existence. ‘In a number of cases, where such disclosures were expected, none were provided.’
Twenty-five years ago, the UK Companies Act 1985 began a process of requiring companies to describe the principal risks and uncertainties that could materially affect their performance in their annual report. Since then, the Companies Act 2006, and, for quoted companies, the Combined Code on Corporate Governance, aka Turnbull, have extended and refined the reporting on risk reporting and risk management.
The objective is to give investors and other stakeholders confidence that the board of the company and its senior managers are aware of the risks that could damage the business materially and that they have controls in effect to reduce or mitigate the risks – in short, an enterprise approach to risk management.
The Financial Reporting Council’s (FRC) 2005 report Internal Control Revised Guidance for Directors on the Combined Code advised that: ‘Investors consider the board's attitude towards risk management and internal control to be an important factor when making investment decisions about a company.’
According to the FRC, management should give the board reports that provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing those risks. The reports should also discuss any significant control failings or weaknesses, including any impact that they had, or could have had, on the company and the actions being taken to rectify them.
In the annual report and accounts, the directors should include meaningful, high-level information to assist shareholders' understanding of the main features of the company's risk management processes and system of internal control, said the FRC.
“Companies are under pressure to make their reporting on enterprise risk management more precise and timely.
This is the essence of ERM communication, said Paul Hopkin, technical director of the UK risk management association, AIRMIC, on the basis that ERM simply means managing all the risks of the organisation. The board communicates about ERM to external stakeholders, notably shareholders and regulators. Internally, it explains the role of different functions and departments in implementing and complying with the system of controls.
Communicating risk and governance
In the current financial climate, companies are under pressure to make their reporting on enterprise risk management more precise and timely. As Erwann Michel-Kerjan managing director of the Risk Management and Decision Processes Center at the Wharton School of Business, points out, the accuracy of a company’s risk management reporting will be apparent mainly in retrospect. ‘What companies are communicating is something is intangible. When they have a failure or an accident, it is tangible. People have difficulty reconciling the two.’
In the criteria for its 2009 award, the Investors Relations Society highlights:
? Clear discussion of risks, highlighting those specific to the company’s operations, including internal and external risks
? Digestible presentation of the key risks and uncertainties and how the management have addressed them in order to minimise their impact on performance, or to exploit them to gain competitive advantage
? An explanation of how risks are managed throughout the business, including discussion of how risks are identified, monitored throughout the business and communicated to the board
? Evidence that the board understands the risks inherent in the operations of the organisation, how it has monitored them and what strategic business decisions it has taken.
The Financial Reporting Review Panel pointed out: ‘Given the speed and pervasiveness of the financial crisis and other market changes, including rising prices and pressures on supply, directors may need to contemplate risks and uncertainties previously thought to be too remote to have warranted serious consideration.’
The panel also drew attention to the Financial Services Authority (FSA) rules that interim accounts require an indication of important events that have occurred during the first six months of the financial year and their impact on the financial statements together with a description of the principal risks and uncertainties for the remaining six months of the financial year.
Simply cross-referencing to the business review section of the directors’ report in the company’s last annual report was not enough, said the panel, even if there had not been a material change. Where the principal risks and uncertainties for the second half of the year had changed from those described in the last annual report or additional risks and uncertainties had arisen, there should be a more comprehensive description. ‘This may be the case for many companies now facing changed market conditions and funding difficulties that were not anticipated when they signed their last set of annual accounts.’
Lee Coppack is editor of StrategicRISK’s sister publication Catastrophe Risk Management