When preparing to report on risk, management should firstly ensure that any regulatory requirements have been complied with.
In many countries there is a regulatory requirement that the management commentary must include a description of the principal risks and uncertainties facing the entity and an expectation that there will be an explanation of how the principal risks are managed or mitigated.
There is no right or wrong number of risks to disclose. Deloitte UK's Annual Report Insights 2019 (a survey of UK listed companies) found that an average of ten principal risks were disclosed, with the number ranging from four to 19.
Other than regulatory compliance, there are other matters which should be considered to ensure the disclosures are as useful as possible:
- Consideration of both financial and non-financial business risks, and recognition that a non-financial risk can have financial consequences. E.g. an operational problem leading to poor quality products and loss of reputation could lead to a reduction in sales and cash inflow.
- Differentiating between risks which arise from external factors, e.g. the risk of a cyber attack or a pandemic (external), and those deriving from the actions of management or the results of strategic decisions (internal). Management is more accountable for internal risks.
- There should be clear prioritisation of risks - stakeholders will be primarily interested in principal risks.
- Management should consider what is the easiest way to convey the information. E.g. prioritisation can be quickly explained using a risk matrix or risk radar. Connections between risks can be shown in a diagram.
- It is helpful to show whether risks have become more or less significant, or remained the same, since the last report was issued. Changes in the importance of risks can show how management has responded to the risks identified.
- It is useful to disclose emerging risks, even if they are not yet principal risks. This makes the disclosure more future-oriented and allows management to explain their response to a risk which could become significant unless action is taken.
- The description of risk and uncertainty may be more useful if quantitative data can be used to help explain the issue.
- Information on risk is also more useful when it is disaggregated as far as possible, so discussion of risks relevant to specific business divisions or geographical area is encouraged.
- Consider the time horizon. As a risk gets nearer, the amount of information disclosed about it should increase. It is particularly important to show how management is responding to risks based on the immediacy of their potential impact.
- Avoid boiler-plate disclosures and make the information as specific to the organisation as possible.
- Link risk descriptions to other parts of the narrative report, annual report or financial statements where relevant. E.g. some risks may link to corporate governance disclosures which explain the board’s approach to monitoring and setting risk appetite and policy.
"Principal risks should include, but are not necessarily limited to, those risks that could result in events or circumstances that might threaten the entity's business model, future performance, solvency or liquidity, or result in significant value erosion. In determining which risks are the principal risks, entities should consider the potential impact and probability of the related events or circumstances arising and the timescale over which they may occur." (FRC Guidance on the Strategic Report, 2018)
Lisa Weaver is an author for accountingcpd.