Reporting risk

January 31, 2018

In this blog, Garry Honey, SAMI Associate and CEO of Chiron Risk, looks at how risk is reported and examines some alternative ways of mapping risk.

Disclosure of risk has always been a challenge for listed companies; this was recognised by the FRC when it introduced ‘materiality’ and ‘proportionality’ in previous iterations of the corporate code. The financial crash of 2008 prompted the code to improve risk reporting, so the past 10 years have seen more emphasis on this. A new FRC publication on Risk & Viability reporting, from the Financial Reporting Lab, acknowledges the way risk reporting has evolved of late. Apart from the ‘inherent tension’ between revealing useful information to investors and highlighting weakness for competitors to exploit, there is the underlying question of confidence and competence.

In disclosing risk, investors expect to see a strategy in place to handle it together with a management team capable of delivering it. Risk is finally being rehabilitated alongside strategy, something the Strategic Report was designed to encourage. Risk had initially been treated as a compliance or control function, a topic with potential to unsettle investors rather than inspire them. In talking to investors the Financial Reporting Lab has finally confirmed what has been known in the City for years: namely that investors expect companies to take risk so they look for a mature conversation about risks consciously undertaken in order to deliver an attractive return on investment. Risk is an inherent part of the investment conversation; combined with strategy it forms the vision of a profitable future for the company.

The Risk & Viability report, based on consultation with investors, sets out areas in which risk reporting can still improve. The main one is the challenge to convince investors that the management team know their own limitations and are realistic about what can and cannot be achieved. There are only four strategies for tackling risk (avoid, manage, mitigate and transfer), but how many risk reports actually match each principal risk to an appropriate handling strategy? Admittedly much risk reporting in the UK also has to take account of jurisdictions where reporting rules are different, but this comes back to the purpose of risk reporting rather than liability in foreign courts. It should not be left to a regulator to specify the types of risk to be disclosed; a company should decide what disclosures would be beneficial to investors and other key stakeholders.

Communicating risk that is both useful to investors and compliant with regulators should not be impossible. Unfortunately, much risk reporting still relies on the heat map or risk matrix (see fig 1). This categorises risk according to probability and severity, which satisfies insurers and CFOs as it relies on financial cost or loss as the key spatial determinant. Presenting the top 10 principal risks on a heat map focuses attention on the urgent and important risks, and as such is a valuable tool in board meetings to determine priority tasks. Investors, however, expect more than this, as it only gives a snapshot in time: it doesn’t take account of the dynamics of risk and certainly doesn’t indicate what management are going to do to combat it. This model is rather outdated, and there is a better model which gives investors a more reassuring picture of response to risk.

[Fig 1]

This advanced model has found favour among a number of corporations keen to show investors that there is some strategic thinking about risk. In short, it moves the conversation away from just identifying risks as a passive statement towards an approach known as active risk management. This is shown in fig 2, which employs two different axes: ease of control and ease of prediction. In this way risks can be shown in a way that makes the response strategy self-evident: mitigate, measure, monitor and manage. The latter category naturally covers risks that are easier to control or predict. The significant difference is between the risks that are hard to control but easy to predict and their opposites, the risks that are hard to predict but easy to control. This distinction helps differentiate between financial and strategic risks, some of which are shown as examples in fig 3.

[Fig 2]

[Fig 3]

The conversation about risk which follows the mapping thus focuses on increasing control of those risks identified as financial, and increasing prediction among those identified as strategic. In this way more of the risks in the yellow boxes are migrated to the green box as they ultimately become operational and by implication manageable. This approach allows a company to show that effective risk management is not only about increasing control but also about increasing predictive skills through consideration of alternative futures via foresight. Risk as future uncertainty deserves this approach and investors welcome it.

The Risk & Viability report from the FRC also found that investors want to know how companies are preparing to address some of the generic business risks such as Brexit impact. It will not be enough to show that the risk has been identified or that contingency has been made for a Hard Brexit or ‘No deal’ exit from the EU in 10 months’ time. Investors want to see not only that alternative outcomes have been envisaged but that each alternative scenario is described within the context of a compensatory risk appetite adjusted to the marketplace. The dynamics of risk as a future outcome require new reporting that is not afraid of discussing alternatives. We live in uncertain times.

Written by Garry Honey, CEO, Chiron Reputation Risk and SAMI Associate. The views expressed are those of the author and not necessarily of SAMI Consulting.
