By Eric Tracey, investor, Governance for Owners
An integrated and individual approach to risk reporting is the key to helping investors make the right decisions.
When I read about a company’s strategy and objectives I want to read about risk as well. You can have higher and lower risk strategies depending on what you are trying to do but risk is inherent: what you want to see is how two companies that do ostensibly similar things are going about, or might go about, them in a way that is different, and that’s what you want to understand.
I want to read about what the directors are really worrying about – not something that is just made up for the annual report.
The great challenge in all reporting is that it gets taken over by advisers. They either make it all very bland or alternatively put everything in but the kitchen sink, in which case it becomes completely useless. That’s the biggest threat to good risk reporting.
Risk reporting should contain a certain amount of policy, but it’s more about what’s changed than what carries on from year-to -year.
What you want people do each year is not to quite start from a blank sheet of paper, but it’s important to say this is what we’ve done this year. Reporting needs to be in the past tense – if it just becomes a whole series of policy statements then it frankly becomes pretty meaningless.
I am also not impressed when issues of commercial sensitivity are used as a barrier to risk reporting.
It’s a fantastic smokescreen to hide all sorts of things and I don’t give it much credence at all. You ought to be able to describe your risks to the business without giving away something that you should keep secret. It’s precisely because it’s sensitive that something should be reported to shareholders.
Where the law limits what can be said, looking forward, there is still a lot that can be said about the company’s approach to risk and who is managing it.
If I saw something that said risk is the responsibility of the audit and risk committee, I’d be more wary than if a company told me that risk is the primary responsibility of the CEO and the management team. Those would be quite different statements.
Similarly a company’s risk appetite can be better communicated by talking about what the company actually does and is revealed in the decisions the company makes. It is reflected in the exposures taken, and whether you are comfortable with them and if the return you are getting is acceptable.
What’s important is that this risk appetite and approach is reflected right through the business all the way up.
In good companies that’s what they try to do – they say, this is how we do what we do, this is how we approach risk, now let’s write that story. So you don’t have these enormous exposures that the board is not fully aware of, which is clearly what happened in the financial crash, when there would have been people somewhere in the banks who understood the risks.
I want to get a clear understanding of regulatory risks and how these are shaped by the various financial control authorities around the world. More standardisation of the reporting of risk around the world would in theory be a good thing, but the perfect should not be the enemy of the good.
While you can’t object to standardised international reporting, you don’t want to say you want everyone to be in the same place before you do anything.
As far as frequency goes, I am fine with ‘proper annual reporting’. If you do anything other than that you can overload people with information so that they can’t cope or use it in any way. You need to know what’s going on but the shareholder can’t cope if it’s every quarter or every six months – that’s too often and encourages short-termism.
Risk is the “core of capitalism” and developing an adequate understanding of it is an “interesting challenge.”
Does the growth of risk reporting make organisations more risk averse? Possibly, but it’s not necessarily a bad thing. You can have an adequate discussion of risk without beating the hell out of any entrepreneurial spirits.