The Bruce Column — Making risk-reporting more robust
12 Nov, 2013
The Financial Reporting Council is bundling all its risk reporting guidance together and trying to make it more rigorous. Robert Bruce, our regular resident columnist, takes a look at the consultation paper.
It is a risky business, risk. Recent years have seen a steady escalation of measures to ensure that risk management is dealt with effectively within companies and the detail and nature of those processes made clearly known to investors.
It has become a risk in itself. As the latest consultation paper on the topic from the Financial Reporting Council says: ‘the ability of the board to understand and address the risk facing the company is itself a major risk factor.’ It is one of those areas where the risks have outrun the guidance on how to deal with them.
But now the FRC is bundling up its different sources of guidance and aiming by doing so ‘to raise the bar’. The result will be more responsibilities for boards, auditors and investors. And the hope is that, by shifting the process away from reporting on procedures and towards explanatory narrative, mindsets will gradually be changed.
In the past the FRC has been less successful. The consultation paper looks back at its 2005 recommendation that companies should confirm action was being taken to remedy any failings or weaknesses that a risk review might have shown. The idea, as the FRC points out, was to encourage greater transparency. Instead: ‘Many companies have simply cut and pasted the sentence from the guidance into their internal control statements. On its own, this does not indicate whether or not any significant failings or weaknesses have been identified’. As a result the new proposed guidance says that a board should ‘explain what actions have been or are being taken to remedy any significant failings or weaknesses identified from that review’.
All of this re-thinking on the part of the FRC has come about since the publication of the Sharman report on the lessons which should be learned from the way the concept of going concern and liquidity risk was applied during the financial crisis. And now they are pulling that work together with the 2005 and 2009 guidance on other broad aspects of risk. The result will be more coherent and also more rigorous. But it should be. Risk-reporting has inevitably moved up the priority list in recent times. And, as the FRC says: ‘For investors, as providers of risk capital, knowing how the board is managing and mitigating risks is an important indicator when judging whether the company will be able to deliver the value that investors seek’.
It is in the terminology used that the different emphasis and intent shows through most clearly. The previous guidance suggested that: ‘The board should, at least annually, conduct a review of the effectiveness of the company’s risk management and internal control systems and should report to shareholders that they have done so’.
That was about cajoling. The proposed new guidance is much more emphatic. ‘The board should carry out a robust assessment of the principal risks facing the company, including those that would threaten its solvency or liquidity. In the annual report the directors should confirm that they have carried out such an assessment and explain how the principal risks are being managed or mitigated. They should indicate which, if any, are material uncertainties in relation to the company’s ability to continue to adopt the going concern basis of accounting’.
This is all about getting to grips with risk and bringing about changes in behaviours. The old boilerplate is going to have to go.