
Governance, risk and reporting

July 12, 2017

The UK Corporate Governance Code, policed by the Financial Reporting Council, has been revised several times since it first emerged, and in 2013 the Department of Business, Innovation & Skills (BIS) was driving the agenda.

It felt that companies spent too much time reporting past success and not enough on forecasting future returns, so it introduced the requirement for an explanation of the business model, including strategy and risk. This caused some complications for dual-listed corporations, which also had to comply with the US regulator, which took a different view. While the UK was encouraging corporations to talk openly and honestly about future risks, the US was much more wary of reporting any risk without some prior legal protection for the disclosing party. Jurisdiction alignment was a barrier to better reporting.

This dilemma highlights the confusion surrounding the word risk itself. The economist Frank Knight wrote on the distinction between risk and uncertainty in 1921, postulating that the two terms had not been adequately separated. To him risk was measurable and uncertainty immeasurable. Today, however, we accept risk as a control function, thanks largely to the way risk is seen as a threat to business continuity, which demands some contingency planning. Risk as opportunity or gain tends to be eclipsed by the understanding of risk as threat. Uncertainty is a word that needs more exposure.

The dilemma also posed the uncomfortable question of the ability of auditors – whose skill lies in forensic examination of performance – to police future forecasts of strategy and risk, both of which, being speculative, defy any comparison with ‘the right answer’. Back in 2013 the European Financial Reporting Advisory Group (EFRAG) took the view that future forecasts should have no place in accountancy practice, which must by definition be evidence-based. Although the BIS has since been renamed BEIS, adding ‘Enterprise’ to its remit, it still struggles to ‘boldly go’ into the risk debate.

This brings me to the two remaining questions: what is the purpose of risk reporting, and who determines what is a significant or principal risk? Let’s tackle the purpose first, as this is marginally the easier of the two. This is the warning to investors that they may lose as well as gain; it is the government’s ‘caveat emptor’ requirement. The purpose of risk reporting is to aid the decision process. It is not to list every possible known eventuality: history shows that crises were always absent from risk registers, and catastrophes are always termed ‘unimaginable’ or ‘exceptional’. Good risk reporting within the FRC is articulating future uncertainty with clarity and candour.

Reporting risk to a regulator is not the same as reporting risk to an investor. Their appetites are different: what is attractive to one is repellent to the other. This becomes a challenge like a juicy bone thrown to Corporate Communications, or passed between Investor Relations and Compliance. In a stakeholder-aware corporation, messages need to be adjusted to suit audience expectations, but risk is a topic that comes with baggage. This of course is if it ever leaves the boardroom with a consensus in the first place. Every director will bring their own perspective to the table about what constitutes a risk and whether it is acceptable or not.

This leads me neatly on to the second question: who defines and determines a risk? Is it the Chief Risk Officer (CRO), Head of Risk & Audit Committee or some other ‘expert authority’ within the organisation? Although the board should take collective responsibility for risk, there are still a large number of organisations where the board relies on a single individual or a department as the risk authority. Anyone around a board table can identify a risk and should argue for time to debate it, but how often does this really happen?

Risk is a topic that needs to be properly rehabilitated within boardrooms, especially in times of economic and political uncertainty. Risk aversion will not produce growth and will stifle innovation, so a more positive approach to risk is urgently needed to stimulate the UK economy, especially with the Brexit negotiations breeding further uncertainty. Throughout 2017 the FRC has been looking at risk reporting within the Financial Reporting Lab, and a report is due by the end of the year. The BEIS will be looking to see risk as an enabler, not a limiter, so this could be very interesting.

Written by Garry Honey, Chiron Reputation Risk CEO and SAMI Associate.

The views expressed are those of the author and not necessarily of SAMI Consulting.
