Sound risk reporting is acknowledged as one way to hold boards more accountable for the management of risk and the delivery of business objectives. With greater scrutiny from more and more stakeholders, what should boards be doing to improve transparency and effectiveness in their risk communication practices?
Companies' refusal to be honest is one of many barriers to better risk reporting.
Risk reporting is too often a process-driven exercise, and current practices often fall short by being too generic, bland, poor on qualitative information or too compliance-based.
Boards, auditors and investors need to challenge executive directors more. They need to ask, ‘What if this went wrong?’ And the management need robust answers.
Risk reports fail to provide the specific information that users would find useful. Vague information stops users deriving any meaningful conclusions. By being confusing, such reporting could be creating more risks.
Some of the specific challenges identified include:
Reluctance to be negative
Companies don’t want to:
· talk about the negative, especially in annual reports which are meant to be upbeat
· give the impression they have more downside exposure than competitors.
Companies question whether the increase in risk management regulation since the global financial crisis (GFC) is necessary. Risk officers are concerned that risk reporting is a box-ticking exercise.
Reporting is meant to produce better risk management. Instead, reports are formulaic, generic and too PR-orientated.
A good risk report wish list
Users want to see an honest explanation of how risk is managed in the context of the business strategy and model.
· key risks identified in plain English
· management to explain clearly why it believes these risks are critical
· management to explain how it is mitigating risk
· new and emerging risks to be identified
· management to explain how it assesses risk throughout the year.