How to improve the quality and value of your risk reporting in 5 simple steps
Thereis increasing pressure on businesses to provide better information about therisks that they face. Better risk reporting is seen as integral to bettercorporate governance.
Events such as the financial crisis in 2007 and thespillage at BP’s Deepwater Horizon oil rig have brought the issue of riskreporting in to sharp focus and highlighted the fact that organisations havewidely underestimated the risks that they face.
Unsurprisingly,following the financial crisis, regulators across the globe called forimprovements in disclosure of risk by financial institutions. Since 2013, allUK companies are required to file a strategic report with their annual accounts(unless the accounts are filed in accordance with the small companies regime) providing“a description of risks and uncertaintiesfacing the company”.
There are, of course, numerous commercial reasons whyan organisation may not wish to disclose the detail of risks that theirbusiness may face and this has often meant that such reports tend to be far toogeneric. ACCA’s 2014 report on Reporting Risk identified a wish list of thecontent for a risk report:
1. identification of the key risks the company faces,preferably in plain English
2. an explanation of why management believes these risks tobe critical
3. an explanation of what management is doing to mitigatethese risks
4. identification of emerging and new risks and
5. an explanation of how management assesses risk throughoutthe year.
Itis common sense that the management of a company should be identifying, on anongoing basis, the existing and emerging risks faced, which of those risks arebusiness critical and what needs to be done to mitigate them. It is alsoimportant to recognise that not every existing or emerging risk can beidentified.
To put this in to context, imagine you stray in to a side street tobe confronted by a mugger with a knife. It is obvious that your focus will be100% on the hand holding the knife and the potential threat to your life. Youwould clearly be forgiven for not identifying the risk associated with a loosepaving slab behind you which, were you to try and run away, you might tripover! It would clearly be unfair to criticise you for not spotting the loosepaving slab notwithstanding that your survival might depend on you not trippingover it.
Itis clear that risk reporting is here to stay but it is wrong to assume that itwill be a panacea which results in all risks a company might face beingidentified. Those companies that are able to provide meaningful risk reports thatshow that they are maintaining a watchful eye on the existing and emergingrisks and understand the potential impacts on their business will likely bemuch better placed to maintain the confidence of their investors and otherexisting or potential stakeholders. Further, insurers are much more likely toprovide favourable terms to those businesses who are able to outwardly displaysuch an approach to risk management.
Guest author: Andrew Crocombe, Partner atKennedys.
This blog has been producedby Bluefin in association with Kennedys Law LLP to provide information aboutthe law to help you to understand and manage risk within your organisation.Legal information however is not the same as legal advice. This publicationdoes not claim to provide a definitive statement of the law and is not intendedas any substitute for specific legal or other professional advice and may notbe relied upon as such. Readership of this publication does not create aninsurer – client, or other business or legal relationship.
Bluefin has acted in goodfaith to provide an accurate publication but does not make any warranties orrepresentations of any kind about the contents of this publication, itsaccuracy or the timeliness of its contents. In the event of any loss or damagesuffered or cost incurred by you or any other person arising out of reliance onthis publication or for any omissions or inaccuracies, Bluefin disclaim to thefullest extent of the law any responsibility or liability.