An ongoing tension in the debate around risk reporting is the gap between what investors want from a risk report and what companies feel is appropriate to disclose. The arguments are familiar: investors want a full and frank discussion of the risks the company faces; however companies say that providing any more detail than they currently do would require them to disclose commercially sensitive information.
In the first of a series of blogs on risk reporting, Jane Fuller, journalist and financial analyst, says this is a poor excuse for not being completely transparent.
I think it’s used too much as an excuse and it tends to infantilise the role of investors. Companies are effectively saying that they don’t want to frighten the horses.
I have been closely involved in responding to the initiatives developed by the IASB (the International Accounting Standards Board), the UK’s Financial Reporting Council and others since the financial crisis, which have collectively attempted to improve the risk reporting of financial institutions.
I feel that risk reporting in general still has some way to go, although guidance such as that from the Enhanced Disclosure Task Force of the Financial Stability Board has helped. The momentum towards better risk reporting has increased since 2008 – I have had more discussions about how to improve risk reporting since then. Moving things forward with purpose will require a change in attitude.
One of my major concerns about current risk reporting, and one that has been identified by CFA UK, is that risk reports rarely get to the fundamentals of what an identified risk would mean in practice i.e. the oil spill from BP’s Deepwater Horizon rig in the Gulf of Mexico in 2010. The group’s risk reports before the accident might have mentioned safety risks repeatedly, but there would have been little to help analysts in terms of what a rare accident might mean when looking at the financial impact it has.
BP could have said, for example, that accidents rarely happen but if one does, it will be very expensive for us and this is how we would mitigate the impact. Or a pharmaceutical company could disclose its general risk of litigation and say that while it happens on rare occasions, if it does happen the risk is considerable, perhaps illustrating this by disclosing the biggest payouts in the sector in the past.
This approach might cause migraines in many a boardroom but it would result in a far more useful discussion about risk. The main barrier to better risk reporting is companies’ reluctance to be frank. At the moment risk reporting is a process-driven exercise, which describes what they have looked at and the risk-management process, and that is a long way from a truly frank discussion.
The second problem is that risk reports have a management bias – a bias towards putting a gloss on everything. There is not enough challenging going on, from boards or auditors or investors, about the ‘what ifs’ – what if this went wrong? The reaction of some companies seems to be “don’t worry your little head about it.”
Ideally I would like to see risk reports that prioritise the major risks faced by the company, as well as identifying any emerging risks. A few banks, notably Barclays and HSBC, have experimented with this approach since the financial crisis and the results have been interesting.
This suggests that there is some scope for shortening risk reporting in the voluminous discussions and boilerplate lists sometimes produced. Some investors like the very detailed risk reporting you get in a prospectus. I’ve seen risk reports that run to pages and pages, Personally, I would like to see see risks prioritised, without losing too much detail. I would rather have 20 pages of risk disclosures and use my own brain than very few. If there is too much narrowing down of the reported risks it is more likely that something will be left out.
I don’t favour frequent or real-time risk reporting. It has to be a stand-back exercise and for that reason, I am generally happy with annual reporting. A focused, standalone interim report, which states the top risks and how the company is handling them, as well as any new risks that have emerged, might be a good addition, but risk reporting twice a year is enough.
The various initiatives designed to improve risk-based disclosures – such as the IAASB’s proposals on material misstatement – have had some impact. But even if the quality of risk reports improves, any sensible investor would see the report as just one element in making a decision. A risk report is the management’s perspective, after all. To get the full picture you need to look more broadly than that. You ask yourself if there is other evidence that you can collect that would shed more light.
It’s a timely reminder that to see the best view, you need to stand back.