In a perfect world, investors, board members, and executives would have full confidence in companies' financial statements. They could rely on the numbers to make intelligent estimates of the magnitude, timing, and uncertainty of future cash flows and to judge whether the resulting estimate of value was fairly represented in the current stock price. And they could make wise decisions about whether to invest in or acquire a company, thus promoting the efficient allocation of capital.
Unfortunately, that's not what happens in the real world, for several reasons. First, corporate financial statements necessarily depend on estimates and judgment calls that can be widely off the mark, even when made in good faith. Second, standard financial metrics intended to enable comparisons between companies may not be the most accurate way to judge the value of any particular company - this is especially the case for innovative firms in fast-moving economies - giving rise to unofficial measures that come with their own problems. Finally, managers and executives routinely encounter strong incentives to deliberately inject error into financial statements.
Every business enterprise involves the risk that it will fail to achieve its objectives. The higher the risks it faces, the higher the return it will want to justify the risks that it takes. These risks are specific to its particular business model and its particular circumstances, but other businesses that have similar models and are in similar circumstances are likely to face similar risks.
The demand for risk reporting
A growing demand for better reporting of business risks has emerged in recent decades. This is based on the belief that
improved understanding of business risks by investors and other users of corporate reporting should lead to better
stewardship of companies and to a more efficient allocation of resources.
It is generally accepted that there was a widely-shared underestimation of risk before the financial crisis of 2007 and beyond. This has reinforced calls for improved risk reporting, by banks in particular, in the expectation that it should help make future crises less likely. but the crisis has also led to calls for better risk reporting by companies in all sectors.
The demand for better risk reporting is an entirely legitimate one, and risk reporting can and should be improved. but careful consideration needs to be given to how it should be improved and to how far the expectations of all those who now call for change can be met. Risk in business is about much more than the possibilities of corporate failure. Yet unexpected collapses, especially when there is a rash of them in a crisis, inevitably focus attention on the quality of risk reporting and may give rise to unrealistic expectations that better risk reporting could prevent future failures. but in a competitive economy business failures are inevitable, and it would be unreasonable to expect risk reporting to provide a reliable early warning of which businesses are most likely to fail - still less to prevent their failure.
Experience of risk reporting Researchers who have looked at the experience of risk reporting by businesses across different sectors often express a degree of disappointment with it, sometimes suggest that disclosure requirements have had limited effect, and tend to make comments along the lines that there is "formal disclosure but substantial non-disclosure". Actual research findings are mixed. While there is some evidence that both quantitative and qualitative risk reporting may have been useful, there is also evidence that qualitative risk reporting is not considered useful by some users of corporate reporting. Indeed, users appear to have conflicting views on risk reporting - some finding it useful, some not.
Risk reporting challenges
We have identified five main reasons why the usefulness of risk reporting by businesses across different sectors sometimes seems to be in doubt:
1. It is impossible to know even after the event whether most qualitative, and some quantitative, risk reporting
is accurate or inaccurate. This must limit the reliance that users can place on it.
2. There are often competitive costs to informative risk disclosures and they also have potential costs for managers.
These costs may exceed the perceived benefits of risk reporting, leading to uninformative disclosures. Indeed, risk
reporting creates its own risks and so needs to be undertaken by preparers, and interpreted by users, as an exercise in risk management.
3. It may well be appropriate to comply with requirements for the provision of risk lists by making generic disclosures,
even though they will be seen as boilerplate.
4. The effectiveness of a firm's risk management depends on the quality of its managers, and this is something
that statements of the company's attitude to risk and disclosures of internal structures and procedures are unlikely to reveal.
5. There are some risks that firms will never report and others that they are always liable to understate.
The way forward: It is important to have practical solutions to the problem of how to improve risk reporting. Risk reporting requirements vary widely among different jurisdictions, and so it would be impractical to put forward improvements to them that would have general validity. In any case, and perhaps more importantly, the evidence suggests that risk reporting requirements often have only limited effectiveness.
For these reasons, our suggestions - set out in seven principles - do not include any proposals for new or tougher regulation. The principles are purely points for consideration by those interested in improving risk reporting and by preparers of corporate reporting information, and are intended to apply to public companies in all sectors.
The seven principles for better risk reporting are: 1. Tell users what they need to know. Users of corporate reporting want information about a company's risks so that they can make their own assessment of risk. Companies should focus on this objective in deciding what to disclose.
2. Focus on quantitative information. Disclosing more detailed analyses of the quantitative data that firms already provide would give helpful new information. Too much weight has been placed on the production of descriptive risk lists. This is not a call for quantification of risks, which usually involves dubious assumptions about the probability of future events. Nor is it a call for qualitative information to be neglected. What we have in mind is more information on the breakdown of firms' activities, geographically and by sector, and on their assets, liabilities and commitments.
3. As far as possible, integrate information on risk with other disclosures. Financial reporting provides much information on risks already, and this should be integrated with other risk disclosures. but information on risk should also be integrated with firms' descriptions of their business models, their forward-looking disclosures, their discussion of past performance, and their financial reporting. A firm's risks are usually inherent in its business model, so explaining the business model should involve explaining its risks. Risk is forward-looking and cannot be fully understood except in the context of broader forward-looking information about a firm's performance, plans and prospects.
4. Think beyond the annual reporting cycle. Many risks stay the same from one year to the next. Others are highly variable and information on them needs to be updated more frequently than once a year. The internet, rather than the annual report, would probably be the right place for information on both sorts of risk.
5. Where possible, keep lists of principal risks short. Users are currently faced with long and indigestible risk lists that are all too easy to ignore. Where it is useful for companies to disclose other risks as well as those identified as the principal ones, they should still do so.
6. highlight current concerns. It is likely to be of interest to users to know what risks are currently most discussed within a firm. These will often be different from the firm's principal risks, and disclosing them could give users a valuable insight into the business.
7. Review risk experience. Companies could usefully review their experience of risk in the reporting period. What went wrong? What lessons have been learnt? How do their experiences match up with the risks that they had previously reported?
As for banks, their quantitative risk disclosures have already been expanded since the onset of the crisis through changes in accounting standards, implementation of Pillar 3 of the basel II Accord on banking supervision and expansion of its requirements. Further improvements may be possible. stress tests organised by banking and insurance supervisors, where they are based on appropriate assumptions, can also provide valuable information about risk, and it would be helpful to explore the use of such disclosures as an additional form of risk reporting by banks and insurers.
A risk management strategy provides a structured and coherent approach to identifying, assessing and managing risk or uncertainties followed up by minimizing, monitoring and controlling the impact of risk realities or enhancing the opportunity potential by applying coordinated and economical resources.
Our experts partner with clients on corporate planning, providing perspective not only on immediate value and impact, but on long-term implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact, and actively support implementation and skill building.
