Effective Risk Reporting – Moving Forward
isk and how it is managed and reported in the private and public sector has been under a constant spotlight in recent years. A series of high-profile corporate failures and incidents had already increased the interest in risk reporting in the early 2000s, but the financial crisis of 2007–8 drove the issue to the top of the agenda for employees, regulators and investors.
There is a general view that the raised profile of risk reporting in the financial sector is having a trickle-down effect on other sectors. Some sectors are inherently more risky than others but, although internal risk management is well developed, it does not necessarily follow that risk reporting is equally advanced. There is no doubt that the financial crisis had helped to bring the discussion of risk in all sectors out of the boardroom and into the public arena.
It is a fact that decisions to pursue opportunities are regularly made in the boardroom. In making strategic decisions about taking opportunities, it is frequently the case that personalities will prevail, and pressure will be made to rush the decision making because the chance to maximise the returns disappear with each passing minute. Many decision makers and entrepreneurs naturally weigh threats and opportunities, and do a mental assessment of risks, but lack the words and structure to explain it.
When that thought process is translated into a visible process that can be communicated to all stakeholders, there will be much better engagement internally and externally.
Reporting risk information has become necessary. It is an important part of the communication process, and often gets missed in the decision making process. Along with more rigorous identification and measurement of broad organisational risks, improved reporting of the risks is needed so that managers and other stakeholders can more effectively consider those risks, and make more informed decisions.
Appropriate external disclosure of organisational risks and risk management initiatives in financial reports promotes trust, openness and transparency. It allows shareholders and financial analysts to properly value company shares. Improved and voluntary disclosures make capital allocation more efficient, thereby reducing the average cost of capital, decreasing price volatility and enhancing securities liquidity. Customer loyalty may also increase as a result of better media publicity.
The quality and success of risk reporting is dependent on various critical factors which include inputs and processes. Inputs relate to the stakeholder risk reporting requirements and expectations, such as regulatory requirements, investors’ and customers’ expectations, etc. These requirements and expectations, along with the various risks the organisation is facing, such as strategic, operational, reporting, and compliance risks, represent the most important inputs to the risk reporting process.
Effective risk reporting should then ultimately lead to greater overall organisational success and increased shareholder value (outcomes). Providing a cause-and-effect format of the various risk reporting activities helps managers understand the value they are receiving from the organisation’s risk reporting efforts.
Risk reporting also provides critical feedback to the risk management process and constitutes an important element in strategic planning. Although risk management continues throughout the year to accomplish strategic and tactical objectives and allow modification of plans as factors change, strategic planning uses risk reports to develop strategic objectives and strategies.
Reporting on risks and risk management will need to be tailored to the requirements and focus of the various stakeholders, whether internal or external.
Internal audiences for risk reporting include the board of directors, the audit and internal control steering committees, senior management, other managers, employees, and integrated supply chain partners. The interests of these various internal constituents vary both in scope and the detail of required risk information.
For improved strategic planning, execution and more informed and improved operational decision- making, these primary internal audiences and decision- makers must receive comprehensive risk reports covering strategic, operational, reporting, and compliance risks, detailed when reported on a real-time basis, and aggregated when reported periodically.
External constituents want more information about corporate activities. Stakeholders expect and demand increased corporate risk disclosure to improve their various decisions. This requires effective external reporting of the risks the organisation is facing, and of the management team’s plans to capitalise on emerging opportunities or to minimise the risk of failures.
It should be made clear that whilst risk management might exist in all decision making processes, there is huge benefit from a structure and process that allows consistent and impartial assessment, response and reporting on risk management. This will in turn give stakeholders greater confidence in the resilience of the organisation to respond to change and challenges.
With the growing awareness of risk management as a discipline, dedicated risk management teams and new regulations place a huge emphasis on risk and its reporting.
Both private and public sector organisations have to meet the needs of an increasingly diverse range of stakeholders. That means risk is no longer treated solely as a financial calculation. Indeed, while the finance function and its related departments – particularly internal audit and treasury – clearly maintain a huge role in risk management, it is increasingly the norm for organisations to look more broadly at non-financial factors and embed them at an operational level.
Risk reporting therefore becomes effective when it provides investors’ confidence – about the economy and companies operating within. Greater disclosure of risks should not be viewed as a weakness and threat; but a chance to demonstrate the strength of an entity’s controls and management, which could be a government or organisation.