Archives For Risk

Risk and Black Swans

accapr — 25 March 2014


Simon Constant-Glemas, VP Corporate and UK Country Controller at Shell

There are few industries more risky (in terms of the obvious risks, at least) than the oil and gas sector. These companies typically work in dangerous environments, often in unstable regions (in terms of both geography and politics) and are subject to the unpredictable variances of commodity prices and exchange rates. As a result, risk reporting is both a critical and contentious subject for the oil and gas sector, as was brutally illustrated by BP’s Deepwater Horizon disaster in the Gulf of Mexico in 2010.

The disaster focused everyone’s mind on risk and risk reporting, particularly in the extractive industries. There has definitely been an increased focus around risk since Deepwater Horizon, because it was such a significant event. That and the financial crisis have made everyone more risk-aware.

I am aware of investors’ desire for more information about risks, but a more considered approach should be taken. Addressing all possible risks in a risk report would be counterproductive – more comprehensive risk reporting doesn’t mean better risk reporting. We employ more than 100,000 people in 70 countries, so any risk that’s applicable to a large multinational would apply to us. It is much better to provide a concise overview of the key risks inherent in the business that are most likely to prevent the achievement of its objectives.

One area where risk reporting might be constrained is where disclosure could be perceived to damage competitive advantage. I don’t think competitive advantage is an issue – you can strike a balance between referencing risk and not giving away critical information. We need to be careful sometimes about things like risks around a particular transaction but the vast majority of the time some information will be in the public domain already and so, if necessary, a more generic reference can be made. Suggestions that companies should try to quantify the potential impact of major accidents and events, though, are more difficult to address.

The fundamental question is whether a risk report can ever helpfully highlight the risks of rare but catastrophic events – analysts argue that an attempt to quantify the financial impact of a disaster on the Deepwater Horizon scale would be useful but understandably, this is something that organisations themselves are reluctant to do.

It’s the Black Swan effect – it rarely happens but when it does, the impact is massive. The difficult conversations about Black Swan events do take place within a company, but specifically disclosing all of the details in a risk report is another thing altogether. If you put a dark lens on everything and, for instance, try to quantify what the financial impact of a very rare disaster could be, you could scare away a lot of investors.

The nature of black swan events means that it is difficult to think about what the impact of an event could possibly be, let alone put a reliable figure on it, but I strongly believe that a thorough consideration of everything that could possibly go wrong is an important part of good risk management, even if the full details are not disclosed publicly. I do wonder if enough thinking goes on around rare events – I suspect that not enough people considered the probability of the entire inter-bank lending system grinding to a halt overnight before the financial crisis happened.

The main problem discussing Black Swan events in a risk report is that the context of probability is difficult to get across. Ideally a risk report should contain enough detail to start the necessary conversation between stakeholder and management. The quality element of risk reporting comes down to the conversation about risk that takes place, and that conversation should start with the risk report. A detailed discussion about risk is more likely to come out in a discussion between the CEO or finance director and analysts and other stakeholders – the annual report is not really the place to go into that sort of detail.

It is these conversations that are the most valuable to stakeholders, and also why more frequent risk reporting would not be particularly helpful. A certain amount of risk is strategic and it would feel more like crisis management if risk reporting was carried out more frequently than it is today. The crystallisation of an emerging risk or emergence of a new risk would certainly warrant disclosure but risk reporting should not be confused with robust and timely management information.

There are parallels to be drawn here with the increased regulation faced by multinationals since the financial crisis. There has been a huge increase in it since the financial crisis and the question is whether that drives better risk management or not. There have certainly been unintended consequences – at Shell we are captured by criteria that are not intended for us, simply because we are large. In my view it has the potential to distract organisations from good risk management.

My main concern is the raft of new regulatory requirements could result in organisations seeing risk reporting as just another tick-boxing exercise, rather than driving better risk management. We have to be careful that we’re not reporting on risk in order to satisfy a process, but that risk management is used effectively as a way to differentiate the business. In the past risk management was focused on mitigation, but today it is part of adding value to the organisation.


Frank Curtiss, head of corporate governance at RPMI Railpen Investments

Investor primacy and a clear narrative in the voice of management are key elements in risk reporting.

What I want to see is an honest explanation in the context of the business strategy and the business model and how that risk is managed. While I recognise that other stakeholders will want to look at corporate reports and there is a wider public interest, the purpose of reporting is about stewardship and accountability to those who provide the risk capital.

Boilerplate reports are of little use, as are reports which drag investors into the micromanagement of the business.

A boilerplate approach may be what your lawyers think is a good idea and you may think you can’t be faulted but you can. Even worse is just an exhaustive list of risks, some of which are so obvious. What we need to know are the key risks, why management thinks they are critical and what they are going to do about it.

As a member of the IIRC working group I am naturally a keen proponent of integrated reporting, and keeping risk reporting connected to the broader risk management approach of the company.

It’s also about integrated thinking and working across the company. We see enthusiastic companies taking part in the IIRC pilot programme where finance and corporate social responsibility and investor relations are working together, not in silos.

The less enthusiastic finance departments tend to throw out excuses about sensitive information and increasing the reporting burden. In many cases they should be reporting on these things anyway if only for management information. There’s clearly a balance between informing the markets and giving the game away, but the more transparent companies don’t seem to have a problem. If people tell me ‘it can’t be done, it can’t be done’ I just tell them that some people are already doing it.

Some of the companies I think demonstrate good risk reporting include:

  • Admiral – highlighted the risk relating to their change of strategy in the CEO’s statement – which is where it should be
  • Aggreko – written in a personal voice, refreshingly honest and doesn’t shrink from telling us the potential risks to revenue
  • BT – very good description of the business model and very good up-to-date risk section – we don’t want to read the same thing year after year
  • Great Portland Estates – they explain the strategy pretty clearly, each risk is identified and discussed with helpful cross references to other parts of the report
  • Provident Financial – lending to subprime customers is a very risky business and terribly topical: the risk section is very good and tells what their risk committee agenda is.  But it’s a hugely controversial sector and they know they need to explain it—we don’t need that level of detail from every company.

Often higher levels of transparency can be found in those areas, such as gambling and tobacco, where the ‘licence to operate’ is in question. They are all too aware that the spotlight is on them and they’ve got to justify themselves.

But some industries are in general better than others – the extractive industries are generally ahead of many financial services organisations, for example.

An important factor is the general level of information that is around. There’s the risk of assuming prior knowledge. For a mid-tier company there’ll be nothing like the level of analysis that there is on say, the big telecoms providers and their peers. And even the most clued-up investors don’t know everything – they’re not present at board meetings or risk committee meetings or audit committee meetings so the more that a company explains the better.

In recent years RPMI has shifted its asset allocation considerably away from UK equities and is now a truly global investor across a number of countries. I would like to see a more closely aligned international standard of reporting. However with even English-speaking countries with common traditions having wide variations, it is difficult for companies simply to import a better reporting regime into a different jurisdiction.

There’s got to be a race to the top, that’s why I support the IIRC attempt to promote best practice internationally. There’s definitely a willingness by governments and regulators to embrace this, but investor and privately led initiatives tend to be more successful, as by definition regulation has to be more detailed. We don’t hope to change it tomorrow but we might see a significant step-change between now and 2020.

By this time I hope that more and more reporting will have moved online, hopefully in standardised formats that make it easier for investors to mine and work with the data.

An annual report is useful as a snapshot for stewardship purposes—but as technology improves you will see dynamic integrated reporting as reporters and users become more confident, and that will eventually replace the massive end-of-year annual report.

I have seen a lot of progress in risk reporting since the financial crisis. Risk has now become something that can be discussed when previously it was a four-letter word. The better reporters are telling us something useful about risk—the levels of disclosure used to be terrible across the board, now there are plenty that are not.

Successive generations of management will wonder what all the fuss was about. The benefits of better quality information and greater transparency must outweigh the risks of an enhanced disclosure regime, and any unhelpful side effects will be more than balanced by the positives.

The big challenge now is the mass of companies whose risk reporting is inadequate at best:

There are some shining examples, good reports that tell the story honestly and in the voice of the company. The trick is to get the others up to speed.

High quality risk reporting increases investor confidence, not just in terms of the risks being discussed, but also in the overall quality of management:

It provides reassurance in terms of stewardship and responsibility that the management are taking on all this and that they are looking at the right risks.

Ultimately it’s all about what management think and what they are doing.  And if a company can’t explain its own strategy and its business model itself, then who can?


By Eric Tracey, investor, Governance for Owners

An integrated and individual approach to risk reporting is the key to helping investors make the right decisions.

When I read about a company’s strategy and objectives I want to read about risk as well. You can have higher and lower risk strategies depending on what you are trying to do but risk is inherent: what you want to see is how two companies that do ostensibly similar things are going about, or might go about, them in a way that is different, and that’s what you want to understand.

I want to read about what the directors are really worrying about – not something that is just made up for the annual report.

The great challenge in all reporting is that it gets taken over by advisers. They either make it all very bland or alternatively put everything in but the kitchen sink, in which case it becomes completely useless. That’s the biggest threat to good risk reporting.

Risk reporting should contain a certain amount of policy, but it’s more about what’s changed than what carries on from year-to-year.

What you want people to do each year is not to quite start from a blank sheet of paper, but it’s important to say this is what we’ve done this year. Reporting needs to be in the past tense – if it just becomes a whole series of policy statements then it frankly becomes pretty meaningless.

I am also not impressed when issues of commercial sensitivity are used as a barrier to risk reporting.

It’s a fantastic smokescreen to hide all sorts of things and I don’t give it much credence at all. You ought to be able to describe your risks to the business without giving away something that you should keep secret. It’s precisely because it’s sensitive that something should be reported to shareholders.

Where the law limits what can be said, looking forward, there is still a lot that can be said about the company’s approach to risk and who is managing it.

If I saw something that said risk is the responsibility of the audit and risk committee, I’d be more wary than if a company told me that risk is the primary responsibility of the CEO and the management team. Those would be quite different statements.

Similarly a company’s risk appetite can be better communicated by talking about what the company actually does and is revealed in the decisions the company makes. It is reflected in the exposures taken, and whether you are comfortable with them and if the return you are getting is acceptable.

What’s important is that this risk appetite and approach is reflected right through the business all the way up.

In good companies that’s what they try to do – they say, this is how we do what we do, this is how we approach risk, now let’s write that story. So you don’t have these enormous exposures that the board is not fully aware of, which is clearly what happened in the financial crash, when there would have been people somewhere in the banks who understood the risks.

I want to get a clear understanding of regulatory risks and how these are shaped by the various financial control authorities around the world.  More standardisation of the reporting of risk around the world would in theory be a good thing, but the perfect should not be the enemy of the good.

While you can’t object to standardised international reporting, you don’t want to say you want everyone to be in the same place before you do anything.

As far as frequency goes, I am fine with ‘proper annual reporting’. If you do anything other than that you can overload people with information so that they can’t cope or use it in any way. You need to know what’s going on but the shareholder can’t cope if it’s every quarter or every six months – that’s too often and encourages short-termism.

Risk is the “core of capitalism” and developing an adequate understanding of it is an “interesting challenge.”

Does the growth of risk reporting make organisations more risk averse? Possibly, but it’s not necessarily a bad thing. You can have an adequate discussion of risk without beating the hell out of any entrepreneurial spirits.


An ongoing tension in the debate around risk reporting is the gap between what investors want from a risk report and what companies feel is appropriate to disclose. The arguments are familiar: investors want a full and frank discussion of the risks the company faces; however companies say that providing any more detail than they currently do would require them to disclose commercially sensitive information.

In the first of a series of blogs on risk reporting, Jane Fuller, journalist and financial analyst, says this is a poor excuse for not being completely transparent.

I think it’s used too much as an excuse and it tends to infantilise the role of investors. Companies are effectively saying that they don’t want to frighten the horses.

I have been closely involved in responding to the initiatives developed by the IASB (the International Accounting Standards Board), the UK’s Financial Reporting Council and others since the financial crisis, which have collectively attempted to improve the risk reporting of financial institutions.

I feel that risk reporting in general still has some way to go, although guidance such as that from the Enhanced Disclosure Task Force of the Financial Stability Board has helped. The momentum towards better risk reporting has increased since 2008 – I have had more discussions about how to improve risk reporting since then. Moving things forward with purpose will require a change in attitude.

One of my major concerns about current risk reporting, and one that has been identified by CFA UK, is that risk reports rarely get to the fundamentals of what an identified risk would mean in practice i.e. the oil spill from BP’s Deepwater Horizon rig in the Gulf of Mexico in 2010. The group’s risk reports before the accident might have mentioned safety risks repeatedly, but there would have been little to help analysts in terms of what a rare accident might mean when looking at the financial impact it has.

BP could have said, for example, that accidents rarely happen but if one does, it will be very expensive for us and this is how we would mitigate the impact. Or a pharmaceutical company could disclose its general risk of litigation and say that while it happens on rare occasions, if it does happen the risk is considerable, perhaps illustrating this by disclosing the biggest payouts in the sector in the past.

This approach might cause migraines in many a boardroom but it would result in a far more useful discussion about risk. The main barrier to better risk reporting is companies’ reluctance to be frank. At the moment risk reporting is a process-driven exercise, which describes what they have looked at and the risk-management process, and that is a long way from a truly frank discussion.

The second problem is that risk reports have a management bias – a bias towards putting a gloss on everything. There is not enough challenging going on, from boards or auditors or investors, about the ‘what ifs’ – what if this went wrong? The reaction of some companies seems to be “don’t worry your little head about it.”

Ideally I would like to see risk reports that prioritise the major risks faced by the company, as well as identifying any emerging risks. A few banks, notably Barclays and HSBC, have experimented with this approach since the financial crisis and the results have been interesting.

This suggests that there is some scope for shortening risk reporting in the voluminous discussions and boilerplate lists sometimes produced. Some investors like the very detailed risk reporting you get in a prospectus. I’ve seen risk reports that run to pages and pages. Personally, I would like to see risks prioritised, without losing too much detail. I would rather have 20 pages of risk disclosures and use my own brain than very few. If there is too much narrowing down of the reported risks it is more likely that something will be left out.

I don’t favour frequent or real-time risk reporting. It has to be a stand-back exercise and for that reason, I am generally happy with annual reporting. A focused, standalone interim report, which states the top risks and how the company is handling them, as well as any new risks that have emerged, might be a good addition, but risk reporting twice a year is enough.

The various initiatives designed to improve risk-based disclosures – such as the IAASB’s proposals on material misstatement – have had some impact. But even if the quality of risk reports improves, any sensible investor would see the report as just one element in making a decision. A risk report is the management’s perspective, after all. To get the full picture you need to look more broadly than that. You ask yourself if there is other evidence that you can collect that would shed more light.

It’s a timely reminder that to see the best view, you need to stand back.


By Jason Piper, technical manager, tax and business law, ACCA

Certainty is considered by many businessmen to be a useful characteristic when they are trying to make decisions. The ability to predict outcomes is key to the process. Equally, uncertainty introduces unknowable risk, and for the majority of decision makers this will naturally reduce their incentive to follow that particular course. And ultimately, if every possible course of action results in uncertain, unacceptable risk then the outcome will be inactivity – in economic terms, stagnation.

For business decision makers, the uncertainty which surrounds the outcome for tax purposes when the bogeyman of ‘tax avoidance’ is invoked has often been compared to the famous quantum mechanics thought experiment of Schrodinger’s Cat. For those who are not familiar, the cat is sealed (alive) into a box containing a mechanism controlled by radioactive delay which has exactly a 50% chance of triggering, and killing the cat, before the box is opened again to check on the cat’s welfare. Until the box is opened, we cannot know whether the cat is alive or dead.

But that’s exactly the situation taxpayers find themselves in with principles-based anti-avoidance approaches. The application of such methodologies is notoriously difficult, and will ultimately amount to ‘I know it when I see it – but I have to see it to know it’. That is to say, we cannot be certain as to whether a particular scenario falls foul of the principles rule until it is tested against the rule by the courts. Until then, the tax liability is in the same conceptual limbo as the cat – and with it the business decision maker.

Until the case is tested, the business will not know how much cash it will have left at the end of the fiscal year to reinvest, or pay to its employees as salary. Which is why the Schrodinger’s Cat situation would be an anathema to the cautious business decision maker. The outcome of the transaction could not be known in advance – and once the outcome is known, it is potentially irreversible, with catastrophic consequences for the cat.

In order to try to resolve this difficulty, many jurisdictions have introduced general anti-avoidance rules in one form or another. The argument is that in practice, taxpayers might actually see a net increase in certainty in the system by introducing the meta-law of purposive interpretation as a matter of statute. The truly compliant taxpayer remains in the same state of certainty as without the rule; under neither the strict letter of the tax provisions nor the principles-based rule will their dealings be condemned as ‘illegal’. And with the principles-based system to back up the strict letter, uncertainty is also resolved for the most egregious of schemes – they know with certainty that the proposed structures will fail, because they look wrong. There is no need to go through the complex observation process of interpreting every element of the structures, documentation and returns to see if they comply with the strict wording of the legislation in the view of the particular judge hearing the case.

From the perspective of the compliant this approach might seem to have much to recommend it. But we’re no longer here just looking at Schrodinger’s Cat, the ‘single particle’ uncertainty analysis. There are two boxes, one labelled “underlying tax law” and the other labelled “overarching anti-avoidance rule”. We’ve got two particles to predict, and we’re into the territory of quantum entanglement. That’s the bit about how you can establish the state of one half of a pair of related subatomic particles simply by observing the other – until you’ve observed either though, the system (like Schrodinger’s Cat) is effectively unresolved.

Resolution of the wave form is dependent upon both the strict law and the purposive rule. But if we can predict with absolute certainty the outcome of one ‘observation’ then we know both, and there is no need to stick the cat in the box. For example, a ‘clearly egregious’ case will fail on principles, so there is no need to analyse the strict law position. The net level of uncertainty in the system has been reduced. The limits of uncertainty are now restricted to those few cases where we can predict neither the legal, nor the purposive, outcome.

But the interpretation of intent, of the spirit of the law, is not fixed, and as a result neither are the boundaries of the uncertainty. The defence of principles-based GAARs is that we have ‘certain uncertainty’ – but the risk of populist information of the system is that we have ‘uncertain uncertainty’ in respect of application of the rule, a position no better than that we already inhabit. Business should know whether it’s going to get the cream, or pay the price of being too curious, before ever entering into a transaction. But if the range of uncertainty is itself uncertain, then more and more businesses are going to find themselves in the box, anxiously awaiting their fate. And that is simply not a place they should be.

Post script: There is of course one further wrinkle to all this, which is that the box may never get opened even once you’ve put the cat into it* (David Quentin discusses the issues well here). But the uncertainty about that is more a function of revenue authority enquiry resource than it is underlying tax policy, and while it may be every bit as in need of resolution, the question of whether governments should fund their tax collection authorities properly is hopefully not quite so difficult to answer.

*We’re assuming an otherwise immortal cat. Or perhaps a cat flap round the back that we can’t see. No cats were harmed in the performance of this thought experiment.