CORPORATE RISK REPORTING RULES
How many times have you heard or seen a senior executive quoted as saying that their company operates within a robust risk framework, or words to that effect? It is hard to imagine any board member saying otherwise, so entrenched has the importance of risk management become in the minds of corporate UK.
If anyone doubts that to be the case, they should read ‘Roads to Ruin’, the Cass Business School study commissioned by Airmic into the reasons why 23 large companies failed. Without exception, avoidable risk management shortcomings lay behind every one of the crises, which led to shareholder losses totalling tens of billions of dollars and cost 20 chairmen and chief executives their jobs.
You might think, therefore, that the risk reports that publicly quoted companies produce every year, as required under the corporate governance code, would throw light on this important subject. Doing so is a useful discipline in its own right, not to mention a key element of transparency. It is something that shareholders and other stakeholders should demand.
Indeed, some risk reporting is exemplary. ICSA and Airmic have recently published examples of good practice – three each from the eight main industrial sectors. Two-thirds of these companies came from the FTSE 100, the rest from the FTSE 250.
Unfortunately, these companies are not typical. We judged risk reporting mainly by five different criteria: (i) risk agenda, setting out the reasons for undertaking risk management activities and the anticipated benefits; (ii) the quality of risk assessment; (iii) risk response, including the extent to which the risks facing the company are managed within the risk appetite; (iv) risk communication within a company and whether or not a ‘glass ceiling’ exists that prevents vital information from reaching board level; and (v) risk governance.
Jul-Sep 2013 Issue