reporting of organisational risks for internal and ... · pdf filestrategy measurement the...

M A N A G E M E N T

S T R A T E G Y

M E A S U R E M E N T

The Reporting ofOrganizationalRisks for Internaland ExternalDecision-Making

By

Marc J. EpsteinandAdriana Rejc Buhovac

Published by:

MANAGEMENT ACCOUNTING GUIDELINE

MARKETING5

Placed Image

NOTICE TO READERS

The material contained in the Management Accounting Guideline Reporting of Organizational Risks for Internal and External Decision-Making is designed to provide illustrative information with respect to the subject matter covered. It does not establish standardsor preferred practices. This material has not been considered or acted upon by any senior technical committees or the board ofdirectors of either the AICPA or the Society of Management Accountants of Canada and does not represent an official opinionor position of either the AICPA or the Society of Management Accountants of Canada.

S T R A T E G Y


The Reporting ofOrganizationalRisks for Internaland ExternalDecision-Making

By

Marc J. EpsteinRice UniversityandAdriana Rejc BuhovacUniversity of Ljubljana

MANAGEMENT ACCOUNTING GUIDELINE

Published by The Society of Management Accountants of Canadaand The American Institute of Certified Public Accountants

M A N A G E M E N T

Copyright © 2006 by the Society of Management Accountants of Canada (CMA-Canada).All rights reserved.Reproduced by AICPA by arrangement with CMA-Canada.

All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work,please visit www.copyright.com or call (978) 750-8400.

1 2 3 4 5 6 7 8 9 0 PP 0 9 8 7 6

ISBN 0-87051-655-8

INTRODUCTION

The regulatory pressures for improvedrisk assessment and reporting on internalcontrol have increased around the world.The reason—corporate accountingfailures, frauds, internal control breaches,and governance failures have been seen incompanies and countries that thoughtthey were immune to these events. Inresponse, the requirements of theSarbanes-Oxley Act of 2002 in the U.S.and similar new regulations in othercountries are among the many prominentforces driving improved corporategovernance and transparency.Risks that

organizations face are larger and morevaried, and have more global effect.Theserisks relate not only to reporting andcompliance; they also include strategicand operations risks. Increased corporatestrategic alliances and businesspartnerships also create growing riskinterdependencies.

Although risk assessment processesgenerally have improved, inadequate riskreporting in some organizations has led toa failure to fully integrate identified risksinto strategic and operational decisions.When planning a merger or an acquisition,for example, how confident can one be

THE REPORTING OF ORGANIZATIONALRISKS FOR INTERNAL AND EXTERNAL

DECISION-MAKING

CONTENTS EXECUTIVE SUMMARY

A recent Management AccountingGuideline “Identifying,Measuring, andManaging Organizational Risk for Improved Performance”, developed amodel and measures for improving theidentification and measurement of risks to improve management decisions. Clearlythese risks are both larger and morevaried than ever previously thought and,they are more global. Just as seniormanagers need more complete riskassessments for better managementdecision-making, external shareholders and other stakeholders are demandingincreased reporting of these risks to better evaluate corporate performance.

Financial professionals want to provide aclear understanding of the risks and fairdisclosure to both internal and externaldecision-makers without causingunnecessary alarm.This Guidelineaddresses these important issues andprovides guidance for the reporting ofrisks for both internal and externaldecision-making.

INTRODUCTION 5RISK MANAGEMENT 6THE IMPORTANCE OF

ORGANIZATIONAL RISK REPORTING 9CURRENT REGULATIONS AND

GUIDANCE ON REPORTING OF ORGANIZATIONAL RISKS 11

THE RISK REPORTING MODEL 12GUIDANCE ON THE REPORTING

OF ORGANIZATIONAL RISKS FORINTERNAL DECISION-MAKING 17

GUIDANCE ON THE REPORTING OF ORGANIZATIONAL RISKS FOR EXTERNAL DECISION-MAKING 30

CHALLENGES IN RISK REPORTING 35THE IMPORTANCE OF ACCURACY

OF INFORMATION GATHERED ANDPROVIDED TO INTERNAL AND EXTERNAL AUDIENCES 36

RISK REPORTING RELATED TO MERGERS AND ACQUISITIONS 37

ORGANIZATIONAL STRUCTURE AND RESPONSIBILITIES FOR RISK REPORTING 37

CONCLUSION 39BIBLIOGRAPHY 40APPENDIX 1:REGULATIONS ON

REPORTING OF ORGANIZATIONAL RISKS 41

APPENDIX 2: EXISTING GUIDANCE ON VOLUNTARY DISCLOSURE AND FRAMEWORKS FOR ORGANIZATIONAL RISK REPORTING 42

Page

M A N A G E M E N T

5

6

M A N A G E M E N T

S T R A T E G Y


about the expected gains without carefullyconsidering all potential risks, including theirassessed magnitude and probability of occurrence?Decision-makers need to understand the variousorganizational risks, to minimize mistakeninvestments that can cause significantorganizational costs. Managers need good riskreporting systems to integrate risk evaluation into(a) their operational and capital investmentdecisions, (b) review of performance, and (c)compensation decisions. Improved organizationalrisk assessment and internal risk reporting iscritical also for senior management and boards ofdirectors, who are responsible for carefullyestablishing and reviewing corporate processesfor identifying, assessing and managing risk.

The demand for disclosing risk externally is alsogrowing. Investors, financial analysts, and otherexternal stakeholders are increasingly aware ofthe critical role of proper risk management.They want better information on the variousrisks organizations confront, and how toaddress them, and are interested inorganizational risks far beyond the traditionalscope of financial risks.They want concreteassurance that a sound system and process is inplace to identify, assess, and manage risks, so thatthey can better evaluate corporate performanceand make more informed decisions.

Increased measurement and reporting of thisbroader set of risks is necessary, not only tomeet the new regulatory requirements but alsoto improve managerial performance andstakeholder confidence. Senior corporatemanagers need to develop ways to effectivelycommunicate organizational risks and riskmanagement processes both internally andexternally.They face decisions on what toreport to each audience, and the form of riskreports, including how much detail to include.Senior management therefore needs to clearlyunderstand the risks and promote disclosure toboth internal and external decision-makerswithout causing unnecessary alarm orincreasing reporting and compliance risks. Amore effective organizational risk reportingsystem can provide internal and externalstakeholders with information they need to (a)craft strategy, (b) make investment and otherbusiness and personal decisions and, at thesame time, (c) inspire confidence in theorganization’s financial reporting and disclosure.This increased focus on risk can turn riskmanagement and risk reporting into anopportunity and reward.

This Guideline addresses these important issuesand provides guidance on reporting risks to aidboth internal and external decision-making.TheGuideline’s specific objectives are:

• To discuss the role and importance of riskmanagement and reporting for improvedstrategic and operational decision-making bysenior management and other managers (TheRisk Reporting Contribution Scheme).ThisGuideline focuses first on internal riskreporting, then on external risk reporting.

• To address specific risk reporting questions,including the content of risk reports, theirformat, placement, distribution, andcommunication, and the intended impact ofrisk reporting (The Risk Reporting Model).Again, these questions will be addressed firstlyto internal audiences’ needs and requirements,then to those of external audiences.

• To provide templates for real-time andperiodic internal and external risk reports;

• To discuss the challenges in risk reporting,including the potential for inappropriatedecision-making or dysfunctional behavior ofinternal and external audiences.

• To discuss the importance of balancing thedesire for a complete and fair presentation oforganizational risks with avoidance ofoverreaction that could reduce appropriaterisk-taking that is necessary for businesssuccess; and

• To provide guidance on organizationalstructure and responsibilities related to risk reporting.

The target audience of this Guideline is (a)CEOs and CFOs, (b) senior managementteams, (c) boards of directors, (d) members ofaudit committees, and (e) accounting, internalaudit, and finance professionals, all of whomconfront challenges of risk assessment, riskanalysis, risk control, and risk reporting.TheGuideline may also be useful for externalauditors, in particular those who attest to and report on management’s assessment ofthe effectiveness of internal control overfinancial reporting.

RISK MANAGEMENT

In a recent Management Accounting Guideline,“Identifying,Measuring, and ManagingOrganizational Risks for Improved Performance”,Marc J. Epstein and Adriana Rejc developed amodel (the Risk Management Payoff Model) and

T H E R E P O RT I N G O F O R G A N I Z AT I O N A L R I S K

7

measures for improving the identification,measurement, and management of variousorganizational risks to improve managementdecisions. It built on newly created riskassessment requirements of the Sarbanes-OxleyAct of 2002 in the U.S., and similar newregulations in other countries. It also built onwork by the Committee of SponsoringOrganizations of the Treadway Commission(COSO) and the recently issued Enterprise RiskManagement Framework, by further specifying thenecessary tools for identifying and measuring abroad set of organizational risks.

In that guideline, Epstein and Rejc provided acomprehensive overview of the risk management

process (see Exhibit 1), specifically highlighting therole of risk identification and measurement (steps1 and 2 in Exhibit 1). Risk identification andmeasurement represent the focus of thatguideline, as indicated in Exhibit 1.

Risk management starts with ‘Event Identification’.The Guideline suggested that, to minimize riskexposure, organizations should first make acomprehensive list of potential organization-widerisks.Within this step, Exhibit 2 presents abroader framework for identifying risk and listingpotential risks organizations often face (seeExhibit 2).

Listing potential organizational risks couldincrease the attention managers and employees

Exhibit 1: Risk Management Process

Event Identification

Risk Assessment

Accept Risk

Control Activities

Is Risk/Reward

Acceptable?

Avoid Risk Can Risk Be Mitigated?

Information &

Communication

Monitoring

Quantify

Magnitude

Assess

Probability

Quantify

Impact

Cost/Benefit

Analysis

Priority/

Rank

Yes No

No Yes

Reduce Risk Transfer Risk Share Risk

R

i

s

k

R

e

s

p

o

n

s

e

1

2

3

4

5

6

Focus of the Previous

Management

Accounting Guideline

on Risk Management

Focus of the Current

Management

Accounting Guideline

Epstein and Rejc, 2005.

8

M A N A G E M E N T

S T R A T E G Y


pay to events that might indicate risk. Eachorganization can develop a combination oftechniques and supporting tools to identify risks,such as (a) internal analysis, (b) process flowanalysis, (c) discovery of leading event indicators,and (d) facilitated, interactive group workshopsand interviews, brainstorming sessions, etc.Developing these techniques and tools will likelyensure that all relevant risks are identified andtheir sources determined.

Within the ‘Risk Assessment’ step, all risksidentified as potentially important should beassessed for magnitude and probability ofoccurrence.Various quantitative techniques areavailable. In addition to assessing the potentialcost of a risk materializing, benefits accruingfrom an appropriate response to the risk shouldalso be assessed.Quantification of both costsand benefits then makes it possible to determinethe payoff of a risk management initiative.ThisGuideline argues that organizations need aframework of key factors (antecedents andconsequences) that can enable decision-makersto assess (a) the impacts of risks on costs, butalso and more importantly, (b) the benefitsoffered by successful risk management initiatives.

Exhibit 3 describes the key elements of ameasurement model (Risk Management PayoffModel) that includes factors for organizationalsuccess in dealing with risks, strategically andoperationally.The model includes the criticalinputs and processes that lead to risk-relatedoutputs and, ultimately, to overall organizationalsuccess (outcomes). It also includes specificdrivers related to risk-related inputs, processes,outputs, and outcomes. By identifying the causalrelationships between these drivers, managerscan better understand how risk managementstrategies, structures, and systems affectorganizational performance.The RiskManagement Payoff Model demonstrates howimproved risk measurement and managementprovides benefits throughout the organization.Benefits extend to (a) enhanced workingenvironment, (b) improved allocation ofresources to the risks that really matter,(c) sustained or improved corporate reputation,and (d) other gains, all of which lead toprevention of loss, better performance andprofitability, and increased shareholder value.

In addition to the Risk Management Payoff Model,step 2 in Exhibit 1 includes specific performance

Exhibit 2: Organizational Risks

OOppeerraattiioonnss RRiisskkss SSttrraatteeggiicc RRiisskkss RReeppoorrttiinngg RRiisskkss

Economic risks Industry risks

Strategic transaction risks

Social risks

Technological

risks

Political risks

Organizational

systems’ risks

Environmental risks

Financial risks

Business

continuity risks

Innovation risks

Commercial risks

Project risks

Human resource

risks

Health and safety

risks

Property risks

Reputational risks

Information risks

Reporting risks

CCoommpplliiaannccee RRiisskkss

Legal and regulatory risks

Control risks

Professional risks

RRiisskkss


measures for inputs, processes, outputs, andoutcomes. Such metrics will of course vary fromone organization to the next.This ManagementAccounting Guideline offers many measures fromwhich managers can select or adapt metrics thatare more closely aligned with their organization’srisk management strategy. Finally, step 2 in Exhibit1 includes a formula to calculate the ROI of riskmanagement initiatives, so that managers canbetter (a) monitor and manage risks, (b) evaluatethe profitability of risk management initiatives,and (c) evaluate the tradeoffs between differentrisk responses.

Having identified the various risks and measuredtheir potential impact, the organization mustdecide how to respond.This Guideline suggestsvarious approaches and techniques for preventing,mitigating, transferring, and sharing organizationalrisks. Using the quantification process outlined inthe Risk Management Payoff Model, managementcan more knowledgeably determine anappropriate risk response, as well as assess theeffectiveness of existing risk managementprocesses and controls. By creating formal internalcontrol systems, detailing how they will identify,measure, and respond to significant risks to their

businesses, and then communicating the risks tothe appropriate parties,managers can improveorganizational operating efficiency and overallorganizational success.

THE IMPORTANCE OF ORGANIZATIONAL RISK REPORTING

The focus of this Guideline,The Reporting ofOrganizational Risks for Internal and ExternalDecision-Making, is on risk information andcommunication (step 5 in Exhibit 1). Along withmore rigorous identification and measurement ofbroad organizational risks, improved reporting(disclosure) of organizational risks is needed sothat managers and other stakeholders can moreeffectively consider those risks and make moreinformed decisions.

Improved internal decision-making is facilitatedwhen managers apply various analytical approachesto their decisions, and also incorporate numerousvariables into capital investment and operatingdecisions. ROI is calculated, using projections ofrevenues and costs based on the best availabledata. Unfortunately, the decision models of many


9

Exhibit 3: Risk Management Payoff Model

Organizational Success

&

Shareholder

Value

Feedback Loop

INPUTS PROCESSES OUTPUTS

Intermediate Final

Compliance with

Regulation

Business Process

Continuity

Enhanced Working

Environment

Improved Resource

Allocation

Enhanced Internal

Reporting

Improved External

Reporting

Organizational

Reputation

Reduced Earnings

Volatility

Risk

Management

Leadership

Risk

Management

Structure

Risk

Management

Systems:

Measurement &

Rewards

Event

Identification,

Risk Assessment,

Risk Response,

Control

Activities,

Information &

Communication,

Monitoring

Reduced Costs:

Reduction of

Short-term Costs

of Risk,

Reduction of

Long-term Costs

of Risk, and

Reduction of

Other Costs

Increased

Revenues

Increased

Program

Effectiveness

Strategic,

Operations,

Reporting,

Compliance

Risks

External

Environment

Internal

Environment

Strategy,

Structure, Systems

and Resources

Risk

Management

Strategy

OUTCOMES


10

M A N A G E M E N T

S T R A T E G Y


organizations are incomplete, since they do notexplicitly incorporate evaluations of potentialrisks, which has often led to poor decision-making. Organizations can improve decision-making by attempting to formally integrateestimates of a broader set of organizational risk-related costs and benefits into their decisions.These risks include the risks of (a) technologicalobsolescence of product assembly (or theproduct or service itself), (b) financial risks, (c)potential breakdowns in the supply chain, (d)risks inherent in new product or servicedevelopment (and in R&D investments generally),and (e) other risks. As a reliable and timely riskreporting process provides credible informationon organizational risks, employees also can makebetter decisions and accelerate continuous andbreakthrough organizational improvements.

Appropriate external disclosure of organizationalrisks and risk management initiatives allowsshareholders and financial analysts to moreproperly value company shares. Improveddisclosures make capital allocation moreefficient, and reduce the average cost of capital.Voluntary disclosure also decreases pricevolatility and narrows bid-ask spreads, enhancingsecurities liquidity. Customer loyalty may also

increase, and fair and favorable media publicitymay result.

Exhibit 4 represents a framework for monitoringthe contribution of risk reporting.The RiskReporting Contribution Scheme describes the keyfactors (inputs, processes, outputs, and outcomes)for organizational success in risk reporting.

As Exhibit 4 shows, the quality and success ofrisk reporting is dependent on various factors; ofthese, inputs and processes are most critical.Inputs relate to the stakeholder risk reportingrequirements and expectations, such as regulatoryrequirements, investors’ and customers’expectations, etc.These requirements andexpectations, along with the various risks theorganization is facing, such as strategic,operational, reporting, and compliance risks,represent the most important inputs to the riskreporting process.Other inputs include theorganization’s existing risk management strategy,and governance and risk management structuresand systems that provide the context forestablishing risk reporting processes. Existingsystems, including incentive pressures, may eitherinstill risk awareness in the organizationalculture, or inhibit risk management and riskreporting efforts.Therefore, to establish a proper

Exhibit 4:The Risk Reporting Contribution Scheme

Organizational

Success

&

Shareholder

Value

Feedback Loop

INPUTS RISK

REPORTING

PROCESS

Examining the

Critical Success

Factors and Risks

Profiling the

Audience

Cost-benefit

Analysis of

Disclosure

Selecting the Report

Content

Designing the

Report Format

Placement,

Distribution, and

Communication

Compliance with

Regulation

Increased

Investor

Confidence

Improved

External

Decision-Making

Enhanced

Internal

Decision-

Making

Employee

Commitment

Stakeholder Needs

and Requirements

Risk Management

Process:

Steps 1-4

OUTCOMES

Risks: Strategic,

Operations,

Reporting, and

Compliance

Risk

Management

Strategy,

Structures, and

Systems

OUTPUTS

Reports Stakeholder Effects

External

Risk

Reports

Internal

Risk

Reports

Critical Success

Factors

Resources

basis for effective risk management and reporting,an organization must continuously examine thevarious internal and external audiences’(stakeholder) requirements, and establishappropriate risk management structures, systems,strategies, and risk culture. Critical inputs to riskreporting also include available organizationalresources, such as individuals with the necessaryskills and experience, financial resources, andaccess to required information.

Smooth processes require committed corporateleaders and focused efforts of risk managementleaders. Processes include (a) examining the criticalsuccess factors and risks that may endanger achievingbusiness objectives, (b) evaluating the costs andbenefits of informed voluntary disclosure to bothinternal and external audiences, and (c) determiningthe target audiences for risk reports, the reports’content and format, and their appropriateplacement, distribution, and communication.

These processes will ensure various risk reportingoutputs, starting with the internal and externalreports themselves. High quality and timely riskreports provided to selected internal and externalaudiences should have specific stakeholder effects,such as (a) improved internal decision-making(managers), (b) full regulatory compliance(government and regulatory institutions), (c)increased investor confidence in capital markets(shareholders), and (d) more general improvedexternal decision-making (customers, suppliers,other business partners, employees, etc.). Effectiverisk reporting should then ultimately lead togreater overall organizational success andincreased shareholder value (outcomes).Providing a cause-and-effect format of the various risk reporting activities helps managersunderstand the value they are receiving from theorganization’s risk reporting efforts.

Risk reporting also provides critical feedback tothe risk management process and constitutes animportant element in strategic planning. Althoughrisk management continues throughout the yearto accomplish strategic and tactical objectives andallow modification of plans as factors change,strategic planning uses risk reports to developstrategic objectives and strategies. As critical inputsto strategic planning, risk management in general,and risk reporting in particular, reach beyondcompliance with increasing regulation. High-performing organizations will leverage theirinvestments in compliance efforts (such as thoseimposed by the Sarbanes-Oxley Act or otherrequirements) to build a comprehensive riskmanagement and reporting system that will drive

value from a complex, expensive, and mandatoryprocess. Risk reporting will shift from compliance-based to strategy-based, and then further tobusiness-based organizational risk disclosure.ThisGuideline builds on this, and discusses the criticalrisk reporting questions in the light of riskreporting’s strategic and business role.

The Risk Reporting Contribution Scheme can beadapted into any management system. It iscompatible with strategic measurement andmanagement frameworks, such as the balancedscorecard and shareholder value analysis, whichfocus on a better understanding of the causalrelationships and linkages within organizations, andthe actions managers can take to improvecustomer and corporate profitability and driveincreased value. It is also consistent with otherproposed business reporting models, such as theModel of Business Reporting (AICPA, 2004).

CURRENT REGULATIONS ANDGUIDANCE ON REPORTING OFORGANIZATIONAL RISKS

Reporting regulations vary greatly around theworld. However, there is a clear trend towardrequiring greater transparency in financialreporting and more accountability to investorsthat comes from various sources, including theSarbanes-Oxley Act in the U.S., the EuropeanUnion’s Company Law Directives, and comparableinitiatives in other jurisdictions (for example, theCanadian Securities Administrators rules (2002) orthe Companies (Auditing & Accounting) Bill 2003in Ireland—see Appendix 1 for more detail).CEOs, CFOs, directors, and especially auditcommittee members of listed companies are beingheld more accountable for the integrity of theirfinancial statements and the effectiveness ofinternal controls. Directors and audit committeemembers are also taking on greater responsibilityfor oversight of corporate management and theorganization’s relationship with the externalauditor. Investors around the world are thusreceiving new reports from management andauditors on the adequacy of internal control overfinancial reporting.

Although reports on internal control over financialreporting may be instrumental in restoringconfidence in the integrity of financial reporting,the reporting of organizational risks must satisfyneeds for improved internal and external decision-making. Reports on internal control over financialreporting issued by management and theindependent auditor do not provide any assurance


11

12

M A N A G E M E N T

S T R A T E G Y


on the viability of, for example, an organization’sbusinesses, or its ability to achieve financial goals.Internal and external audiences need morecomplete information on the risks organizationsface and how they intend to manage those risks.Yet, reporting regulation in highly regulatedcountries tends to focus on a narrow set ofrisks, primarily market and credit risks, and risksconnected with the use of financial instruments.Currently, regulatory bodies do not explicitlyrequire any integrated framework for broadercorporate risk disclosure.

In the absence of specific regulations, managersconsidering broader disclosure of riskinformation externally can refer to theguidance on effective voluntary disclosureprovided by company experiences, professionalassociations, and academia.The term voluntarydisclosure describes disclosures, primarilyoutside the financial statements, that are notexplicitly required by generally acceptedaccounting principles or regulation.The followingframeworks propose to enrich financialreporting by including a section devoted tocommunicating forward-looking information anddescribing the risk profile of the company (formore detail on the frameworks see Appendix 2):

• A framework for voluntary disclosureproposed by The American Institute of CertifiedPublic Accountants (AICPA, 1994, 2004).

• A reporting framework published by TheCanadian Institute of Chartered Accountants’reporting guidelines (CICA, 2001).

• The COSO Enterprise Risk Management—Integrated Framework (2004a, 2004b).

• A specific model to calculate a riskmanagement initiative ROI proposed byEpstein and Rejc (2005).

• Finally, the SEC’s encouragement of disclosureby companies of forward-looking information intheir annual reports.

Generally, though, an integrated approach to abroader voluntary disclosure of organizationalrisk and internal reporting of risks is still lacking.

THE RISK REPORTING MODEL

The focus on risk reporting for regulatorycompliance is likely to continue. In addition,improved voluntary disclosure will remain aprominent element of greater accountability.Nevertheless, organizations should leverage theknowledge gained by the regulatory-drivencompliance efforts to improve overall risk

management, its process and reporting, forimproved corporate governance and decision-making.

Exhibit 5 provides The Risk Reporting Modelthat is developed to help organizations decide on critical questions related to reportingorganizational risks to internal and externalaudiences, and to carry out risk reporting.Thesequestions relate to (a) the target audience for risk reports, internal or external, each with itsvarious subgroups of stakeholders, (b) thefrequency of a risk report, which can be both real-time and periodic, and (c) its content,format, and finally its placement, distribution,and communication.

As seen in Exhibit 5, some information aboutorganizational risks comes directly from the ‘RiskIdentification’ and ‘Risk Assessment’ steps, whileother information comes from the ‘RiskResponses’ step.They typically differ ininformational accuracy and completeness.Information from risk identification is importantfor on-time risk reporting and completeness ofrisk reports, while information arising from riskassessment and risk response add more accuracyto the disclosure on risk management. Both typesof risk information are important for credibleand on-time reporting of organizational risks.

Organizations must decide on each of the risksidentified, assessed, or responded to, whetherthey should be reported to any of the audiences,and if so, what level of detail to provide.Determining the target audience, an importantstarting point, affects other risk reportingdecisions.Whenever a disclosure is required by aregulatory requirement, as may be the case inexternal risk reporting, the organization mustcomply and provide appropriate disclosure. Onthe other hand, voluntary disclosures should besubject to careful cost-benefit analysis ofaudiences’ needs and the disclosure.Organizations should compare (a) the benefits ofa specific disclosure (type and detail of risk) toimproved internal and external stakeholderdecision-making and the organizations’businesses with (b) the costs of disclosing.

The next section describes in detail the first stepin the Risk Reporting Model, profiling the riskreport audience. Discussion on the audiences forrisk reports will include who they are and theirspecific organizational risk-related interests.Theremaining critical risk reporting issues—frequency, content, format, and placement—willbe addressed separately under the ‘Guidance on


13

Exhibit 5:The Risk Reporting Model

External

Risk

Reports

Internal

Risk

Reports

Internal Risk Report Placement,

Distribution, and

Communication

External Risk Report Placement,

Distribution, and

Communication

R

I

S

K

R

E

P

O

R

T

I

N

G

P

L

A

N

N

I

N

G

E

X

E

C

U

T

I

O

N

Risk Response

Profiling the Risk Report

Audience

Cost-benefit Analysis

of Risk Reporting to

Internal Audiences

Cost-benefit Analysis of

Voluntary Disclosure to

External Audiences

Risk Response Monitoring

Risks Identified and Assessed

Yes

Risk

Disclosure?

Yes

Risk

Disclosure?

No No

1 1

3

4

Determining the Content

of a Risk Report

Designing the Format of

a Risk Report

5 Placement, Distribution,

and Communication

3

4

5

Choosing the Frequency

of a Risk Report 2 2

External

Disclosure

Required by

Regulation

14

M A N A G E M E N T

S T R A T E G Y


the Reporting of Organizational Risks forInternal Decision-Making’ and the ‘Guidance onthe Reporting of Organizational Risks forExternal Decision-Making’, respectively.Thesection numbers correlate with Exhibit 5.

Profiling The Risk Report Audience

Reporting organizational risks should operateon multiple levels to address the needs ofdiverse audiences, each with their own specificneeds, requirements, expectations, agendas, andlevels of expertise. Exhibit 6 presents the mostimportant internal and external audiences forinternal and external risk reports.

Although internal risk reports aim exclusively atinternal audiences, from a broader perspectiveexternal risk reporting, including corporateannual reports, may include both external usersand interested internal groups (see the twodashed arrows in Exhibit 6).

As Exhibit 6 shows, both internal and externalaudiences can be further divided into twosubgroups. On one hand, some audiences (auditcommittees, internal control steeringcommittees, boards of directors, and senior

management among internal audiences, andregistered auditors, regulators, shareholders, andcreditors among external audiences) must orshould be informed about the organizationalrisks and risk management processes because ofregulation or recommendations in standard-setter guidance.Voluntary disclosure to otherinternal audiences (managers, employees, andintegrated business partners), and externalstakeholders (financial analysts, customers,suppliers, community, and media), isrecommended because of anticipated benefitsto improved decision-making.

Responsibilities of some within the internalaudiences are listed below:

• The board of directors has the primaryoversight responsibility for developing andimplementing the organization’s mission,values, and strategy, and must carefully reviewcorporate processes of risk identification,monitoring, and management.The board alsooriginates risk philosophy, risk appetite, andrisk tolerances. Specific reviews of financialobjectives, plans, major capital expenditures,and other significant material transactionsalso typically fall within a board’sresponsibility.These responsibilities requirebroad and transparent reporting on thevarious organizational risks—strategic,operational, reporting, and compliance risks.

Exhibit 6: Internal and External Audiences Interested in Risk Reports

Internal Control

Steering

Committee External

Risk

Reports

Board of

Directors

Audit Committee Regulators

Registered

Auditor

Senior

Management

Employees Suppliers

Integrated

Business

Partners

Shareholders

Creditors

Financial

Analysts

Customers

= required by regulation or recommended by standard-setter guidance

= recommended for voluntary disclosure

Managers

Community,

Media

Internal

Risk

Reports

Profiling the Risk Report

Audience 11

• Regulations require audit committees to beinformed about significant deficiencies andmaterial weaknesses in internal control overfinancial reporting.More specifically, the auditcommittee has been given delegatedresponsibility from the board of directors todirect oversight over internal control, andmust receive assurance of, and otherinformation regarding, internal control frommembers of management directly responsiblefor achieving internal control objectives.

• The internal control steering committee is animportant recipient of internal risk reports,since it must ensure that internal controloversight and internal controls function asintended. Although their risk interests aretherefore primarily oriented to reporting andcompliance risks, they are also interested instrategic and operational risks.The committeeis made up of the president, the vice-presidentand the CFO, the vice-president and Chief AuditExecutive, the senior functional officers, andheads of the operating units of the organization.

• Senior management’s needs for information onorganizational risks are of specific importance.They need relevant, accurate, and reliable riskreports on a real-time and periodic basis foreffective decision-making and control.Only bygenerating a wealth of risk-related informationcan organizations inform senior managementwith facts, not intuition, so that they can thenappropriately integrate that information intomanagement decisions and make moreeffective decisions to optimize companystrategy and goals.

• Similarly, managers need relevant and accuratereal-time and periodic risk reports.Withoutproper internal reporting on organizationalrisks—strategic and operational, in particular—managers cannot (a) make optimal strategicand tactical decisions, (b) evaluate the payoffsof specific risk management initiatives, or (c) make new capital project decisions whileexplicitly acknowledging the potential risks andtheir costs on organizational profitability.

• Employees, for example, prefer to work forcompanies with safe and healthy workingconditions.Thus, they also often wantinformation on the various risks theorganization faces.

• In a growing number of entities, integratedsupply chain partners are considered internalrather than external participants.Interdependence of partners in an extendedsupply chain requires cooperation andcollaboration in risk management. Integrated

supply chain partners need real-timeinformation on various organizational risks,particularly those related to integratedprocesses and technologies so that they cancontribute to maximum customer satisfactionand achieve optimal performance for thesupply chain as a whole.

For years, reporting has often been based onmistrust, as senior management questioned thewillingness of outsiders to handle corporateinformation responsibly.Today, the premise is notjust that senior management should base the riskreporting communication policy on trust to bemore accountable; organizations can also expecttangible benefits from fair and broad disclosure oforganizational risk management.With respect toexternal stakeholders, owners of the organizationwere typically considered the principal externalaudience for external risk reporting. However,with increased recognition of the role ofcustomers, suppliers, creditors, and communitiesin successful achievement of organizational goals,external risk reporting should not be fragmentedbut unitary.

• Owners primarily rely on financial reporting toassess the current financial condition of theorganization, its financial performance over time,and its prospects. However, current andprospective owners have interests beyond therelative transparency of an entity’s material costsand liabilities, and expect information on allorganizational risks (including reputation risks)that could adversely affect the organization’sfuture financial condition and performance. Morespecifically, shareholders have an interest in abroad set of risks, including compliance andreporting risks as well as strategic ones.Thesestrategic risks would include risks such as:changes in supply and demand, changes incompetitive structure, introduction of newproducts and services, concentration risks, risksof technological obsolescence of productassembly or the product itself, engineeringfailures, risks of poorly managed governmentrelations, and environmental risks. In addition,shareholders, creditors, and financial analysts areparticularly interested in some operation risks,such as financial risks (foreign exchange, strategicequity, commodity, asset liquidity, and employeestock option program risks), R&D andinnovation risks, reputation risks, health andsafety risks, etc.

• Creditors have a particular vested interest incomplete and timely disclosure oforganizational risks, to assess credit risks andpotential joint liability for loans secured by, for


15

16

M A N A G E M E N T

S T R A T E G Y


example, contaminated properties.They maybe interested in strategic risks as well.

• With increased regulation of internalcontrol over financial reporting,representatives of regulators and registeredauditors are interested in both external andinternal risk reporting. Primarily, however,they are interested in (a) compliance risks,such as risks of unreliable and incompletefinancial information for internal decision-making and for external reporting, and (b) reporting risks, such as risks of dataaccuracy and reliability. In addition, they may also be interested in operations risks,such as risks related to product quality and product safety, environmentalcompliance, etc.

• The list of external audiences for riskreporting also includes customers, suppliers,and communities (interest groups, media,

the scientific community, and the generalpublic).This extended external audience has wide-ranging interests in the risksorganization face, and how it manages risksand turns them into business opportunities.

Exhibit 7 lists the major risk areas of interest toidentified internal and external audiences.

Exhibit 7 will not universally apply, and theidentified stakeholders’ interests should not beconsidered exclusive.Those audiences that havebecome particularly important with the newinternal control regulations are primarilyinterested in reporting and compliance risks,while other audiences’ interests span strategicand operational risks as well.

The appropriateness of risk report frequency,content, format, and placement can now bediscussed in the light of known audiences.

Exhibit 7: Risks of Primary Interest to Internal and External Audiences

CCoommpplliiaannccee RRiisskkss

Legal and regulatory

Control

Professional

RReeppoorrttiinngg RRiisskkss

Information

Reporting

SSttrraatteeggiicc RRiisskkss

Economic

Industry

Strategic transaction

Social

Technological

Political

Organizational systems’

OOppeerraattiioonnss RRiisskkss

Environmental

Financial

Business continuity

Innovation

Commercial

Project

Human resource

Health and safety

Property

Reputation

BBooaarrdd ooff DDiirreeccttoorrss

AAuuddiitt CCoommmmiitttteeee

SSeenniioorr MMaannaaggeerrss

OOtthheerr MMaannaaggeerrss

EEmmppllooyyeeeess

CCoommmmuunniittiieess aanndd

MMeeddiiaa

Internal Audiences External Audiences

RReeggiisstteerreedd

AAuuddiittoorrss

RReegguullaattoorrss

SShhaarreehhoollddeerrss aanndd

CCrreeddiittoorrss

FFiinnaanncciiaall

AAnnaallyyssttss

IInntteeggrraatteedd

BBuussiinneessss PPaarrttnneerrss

CCuussttoommeerrss

SSuupppplliieerrss

IInntteerrnnaall CCoonnttrrooll

SStteeeerriinngg

CCoommmmiitttteeee

GUIDANCE ON THE REPORTINGOF ORGANIZATIONAL RISKS FORINTERNAL DECISION-MAKING

As shown in the previous section, internalaudiences for risk reporting include the board ofdirectors, the audit and internal control steeringcommittees, senior management, other managers,employees, and integrated supply chain partners.The interests of these various internalconstituents vary both in scope and the detail ofrequired risk information. From the strategic andbusiness perspective, i.e. for improved strategicplanning and execution as well as for moreinformed and improved operational decision-making, the primary internal audiences for riskreports are boards of directors, seniormanagement, and other managers.These decision-makers must receive comprehensive risk reportscovering strategic, operational, reporting, andcompliance risks, detailed when reported on areal-time basis, and aggregated when reportedperiodically. Other internal audiences’requirements or needs are narrower, focused onspecific risks that are not necessarily detailed. Forthis reason, the subsequent sections provideguidance on internal risk reporting specificallyoriented to boards of directors, seniormanagement, and other managers.

The Frequency of Internal Risk Reports

How to decide which risks to report, and in whatdetail, must be discussed in the light of riskreporting frequency. Internal risk reports can beeither real-time or periodic. Reporting frequencytherefore importantly influences the content,format, placement, distribution, andcommunication of risk reports.

Internal real-time risk reporting is specificallyimportant for operational decision-making. Seniormanagement, for example, needs timelyinformation on risks to make informedinvestment decisions. Other managers responsiblefor resource allocations also need real-timeinformation on the risks an organization faces.Such risk reports are provided when specificcircumstances require it, such as the occurrenceof a risk event.The time available to receive dataon a specific risk, process it, and respond to theexternal process is dictated by the timeconstraints imposed by the organization’s risk

management process. Exhibit 8 represents theprocess of determining the risks to be reportedon a real-time basis to internal audiences.

When deciding on what risks to disclose on areal-time basis, organizations need to comparethe costs and benefits of disclosure. As seen inExhibit 8, the cost-benefit analysis of riskdisclosure must be made throughout the riskmanagement process.The completeness andaccuracy of risk information will increase inmoving from risk identification to risk assessment,and then to the risk management (risk response)phase. Consequently, the cost-benefit analysis mayprovide different results.

For identified but not yet assessed risks, a briefcost-benefit analysis must first take place todetermine if they should be reported on a real-time basis. Senior management needs areconsidered, along with the benefits of improveddecision-making, and the potential reduction inappropriate risk-taking by managers.The cost-benefit analysis must specifically considerreporting of risks that endanger the criticalsuccess factors, i.e. those aspects of anorganization’s business that are especiallyimportant to its success. Critical success factors include a handful of activities or unique capabilities of overriding importance to the strategic and operational success of aparticular organization. More generally, todetermine which risks to disclose internally,organizations must consider whether disclosureof a specific organizational risk would adverselyaffect the organization by stimulating managersto make inappropriate strategic or operationaldecisions. Even though definitive quantificationof all costs and benefits of risk reporting iscomplex and difficult, often requiring judgment,organizations must attempt to assess both.Whenever the benefits of a real-time riskdisclosure exceed its potential costs, real-timerisk reporting is appropriate.

Some identified risks not disclosed in the firstphase because of the unfavorable output of thepreliminary cost-benefit analysis may bedisclosed when they are fully assessed.With newand more reliable data on the actual dimensionsof a specific risk, the cost-benefit analysis mayshow that the previously undisclosed risksshould now be disclosed to internal audienceson a real-time basis.

Finally, some risks that—although assessed—stillhave not been disclosed to senior management,for example, may pass the test of the cost-benefit


17


of a Risk Report 2

18

M A N A G E M E N T

S T R A T E G Y


Exhibit 8: Determining Risks to Be Reported on a Real-timeBasis to Internal Audiences

Yes

Yes

Cost-benefit

Analysis

R

I

S

K

S

I

D

E

N

T

I

F

I

E

D

Improper

Decision-Making

Real-time

Risk Report?

Risk Aversion

Requirements

Internal Audiences

Needs

No

R

I

S

K

S

M

A

N

A

G

E

D

Cost-benefit

Analysis

Improper

Decision-Making

No

Improper

Decision-Making

Needs

Cost-benefit

Analysis

Yes No

R

I

S

K

S

A

S

S

E

S

S

E

D

Needs Requirements

Risk Aversion

Real-time

Risk

Report

Content

Real-time

Risk

Report

Content

Real-time

Risk

Report

Content

R

E

A

S

S

E

S

S

M

E

N

T

R

E

A

S

S

E

S

S

M

E

N

T

Real-time

Risk Report?

Real-time

Risk Report?

analysis when they are managed. As shown inExhibit 8, different phases of risk managementinfluence which risks to report on a real-timebasis.The more information an organization hasabout a specific risk, the higher is the reliabilityof the decision on reporting, and the content ofthe risk report if it is issued, and the less theconcern over making a real-time risk disclosure.An effective system of real-time risk reportingcalls for a good risk management process,

including event identification, risk assessment,risk management, and risk response.

A template for more detailed calculation of thecost-benefit analysis of real-time risk reporting isprovided in Exhibit 9. It describes the necessarysteps in a typical cost-benefit analysis, regardlessof the phase where the cost-benefit analysis ofreal-time risk reporting is taking place. In thefirst step of the cost-benefit analysis, the benefits

of a real-time risk disclosure must be expressed inmonetary terms.The key potential benefits ofinternal risk reporting include, for example,improved internal decision-making that leads tocost savings or increased revenues. An enhancedworking environment may also be a benefit of riskdisclosure to employees, leading to increasedemployee trust, commitment, creativity, andproductivity. Potential costs of internal riskreporting relate to dysfunctional behavior ofdifferent internal audiences, such as a reduction inappropriate risk-taking of managers that isnecessary for business success.

Expressing benefits of internal real-time riskdisclosure in monetary terms is illustrated throughshort examples in Exhibit 10. Specific riskdisclosure outputs that result in benefits arepresented, followed by the relevant calculations tocapture the monetary value of realized benefits.

On the other hand, Internal periodic riskreporting, provided on a monthly, quarterly, oryearly basis, allows more precise cost-benefitcalculations of risk disclosure, if deemednecessary. In Exhibit 8, two reassessment loopsare presented, indicating the need forsubsequent cost-benefit analyses to confirm theresults of the preceding judgments or analyticalresults.The primary purpose of periodicinternal risk reports is to provide boards ofdirectors, senior management, and othermanagers with well-processed and aggregateinformation about various relevantorganizational risks, with trend indicators andperiodic comparisons, to improve theirdecision-making.The results of reassessmentloops during the real-time risk reportingprocess contribute to decisions on whatinformation to include in periodic risk reports.


19

CALCULATE THE BENEFITS OF INTERNAL REAL-TIME RISK DISCLOSURE

Outputs Benefits Monetary Value

Compliance with

Regulation

Reduced costs of prosecution and penalties $...................

Improved Operational

Decision-Making Labor hours saved, machine hours saved,

increased on-time deliveries reducing cost of

grievances etc.

$...................

Enhanced Working

Environment Increase in output (units produced, services

offered) $...................

Improved Resource

Allocation Savings in costs based on efficient capital

allocations $...................

Improved Strategic

Decision-Making

Revenues generated from new strategic

initiatives $...................

Total Benefits $...................

CALCULATE THE TOTAL COSTS OF INTERNAL REAL-TIME RISK DISCLOSURE

Costs Value

Real costs of risk reporting Cost of gathering data, analysis, reporting etc. $...................

Potential costs of

managerial risk aversion

Cost of lost business opportunities $...................

Potential costs related to

employees

Bargaining disadvantage with employees $...................

Total Costs $...................

COMPARE THE BENEFITS AND COSTS OF INTERNAL REAL-TIME DISCLOSURE

Total Benefits

COST-BENEFIT ANALYSIS = ----------------------------

Total Costs

Exhibit 9: Calculating the Costs and Benefits of Internal Real-Time Risk Disclosure

20

M A N A G E M E N T

S T R A T E G Y


Periodic internal risk reporting contributes tostrategic oversight and decision-making, andimproved operational business decisions.Thistype of risk reporting provides generalinformation to interested audiences on the riskmanagement processes, without unnecessarydetail. Exhibit 11 summarizes the process ofselecting risks for periodic risk reporting tointernal audiences.

Determining the content of an internal periodicrisk report starts with listing risks in the specificphases of risk management process (risksidentified, risks assessed, and risks managed),including those identified in real-time risk reports.A listing of those risks that have already beenassessed and appropriately managed wouldtypically be accompanied with a detaileddescription of their characteristics and potentialeffects.The consideration of risk disclosure willstart with the primary internal audiences’requirements. Audit committee risk reporting

requirements related to compliance and reportingrisks are an example. Organizations must discloserisks to internal audiences that are required byregulation. Otherwise, detrimental costs of non-compliance may result. An organization shouldthen consider other internal audiences’ needs,and compare them to the costs of disclosure.Organizations will decide on periodic riskdisclosure based on a cost-benefit analysis (whichis similar to the cost-benefit analysis provided inExhibit 9).

The Content of Internal Risk Reports

The most important content issue relates towhat risk information to provide for optimalinternal-decision-making, without causing

Compliance withRegulation

ImprovedOperationalDecision-Making

EnhancedWorkingEnvironment

ImprovedResourceAllocation

ImprovedStrategicDecision-Making

Reduced costs of prosecutionand penalties

Labor hours saved

Machine hours saved

Increased on-time deliveriesreducing cost of grievances

Increase in output (unitsproduced, services offered)

Savings in costs based onefficient capital allocations

Revenues generated from newstrategic initiatives

Monetary benefit equals the reducedcosts of prosecution and penalties;estimates of the costs should be basedon historical evidence

Benefits equal to the number of hours saved, multiplied by the standard labor wage, and adjusted with a benefits factor

Benefits arise out of optimal use ofexisting resources and are equal to the costs of amortization that relateto machine hours saved

If the result is reduction in grievances,the average cost per grievanceprovides a basis for estimating thebenefits

Benefits can be calculated as additionalsales minus marginal sales expense

Benefits can be traced to reduceddebt financing or lower weightedaverage cost of capital

Benefits are equal to the generatednew sales or the discounted cash flowfrom new strategic initiatives

DISCLOSURE CALCULATION OF

OUTPUTS BENEFIT MONETARY BENEFIT


of a Risk Report 3

Exhibit 10: Calculating Monetary Benefits from Internal Real-Time Risk Disclosure

unnecessary alarm that would inhibitappropriate risk-taking. More specifically, howdetailed should the reports be in specificcircumstances? Generally, risks can be classifiedinto one of the following four broadcategories—strategic, operational, reporting, andcompliance (see also Exhibit 2). Strategic risksrelate to an organization’s choice of strategies toachieve its objectives. By their nature, these riskscan endanger the organization’s achievement ofhigh-level goals that are aligned with and supportits mission.To assess strategic risk calls forquestioning whether management has misreadits environment. Operational risks, on the otherhand, relate to (a) threats from ineffective orinefficient business processes for developing,acquiring, financing, transforming, and marketinggoods and services, and (b) threats of loss offirm assets, including its reputation. Reportingrisks relate to the reliability, accuracy, andtimeliness of information systems, and toreliability or completeness of information usedfor either internal or external decision-making.Finally, compliance risks address the inadequatecommunication of laws and regulations, internalbehavior codes and contract requirements, andinadequate information about failure ofmanagement, employees, or trading partners tocomply with applicable laws, regulations,contracts, and expected behaviors (Epstein andRejc, 2005).

In determining risks to be reported internally, thecost-benefit analysis will provide a general answer,but not identify the level of risk detail to disclose.What detail to include will vary with the frequencyof risk reporting, and with the phases of the riskmanagement process. Internal real-time riskreports for senior management and othermanagers responsible for resource allocations andother strategic and operational decision-makingmay often include very little information on therisk event.This may be because specificcircumstances may have required quick reaction toa risk, allowing insufficient time to gather allnecessary information. Internal periodic riskreports allow and require more carefulconsideration of included details. Reliability of riskinformation, on the other hand, should increasewith each subsequent phase of risk management.To achieve this, the risk information detail shouldincrease with each phase as well.

Exhibit 12 details the risk information that shouldbe disclosed at different risk management levels—at the risk identification, the risk assessment, andthe risk response levels respectively.

As presented in Exhibit 12, a risk report mayinclude the following sections, depending on thephase of the risk management process where aspecific risk occurs:

1. Risk description. It can be general (the riskidentification level) or detailed (required at the


21

Exhibit 11: Determining Risks to Be Reported Periodically to Internal Audiences

Periodic Risk Report Content

Cost-benefit

Analysis

Real-time

Risk

Reports

No

Appropriate

Decision-Making

Periodic Risk

Report?

Yes

Internal

Audiences’

Requirements

Internal

Audiences’ Needs

Dysfunctional

Behavior

Other sources of Information on

Risks Identified, Assessed, and

Managed

22

M A N A G E M E N T

S T R A T E G Y


risk assessment and risk response level). Inreal-time risk reports, risks will often bereported when they occur at the eventidentification level; periodic risk reports, onthe other hand,will typically include riskinformation from all three levels.

2. Impact. Internal audiences must be providedwith enough clear and sufficient informationto allow them to understand the potential orexisting operational and financial impact of thereported risk. In addition, an explanation ofthe impact of combined risks on theorganization as a whole may be provided. Riskmanagers need to explain the link betweenhigh risk events and risk response activities,and their financial consequences.Understanding these links and the financialimpact is critical for improved decision-making.The internal risk report’s ability toreport across the organization will allowinternal users to identify risks in theaggregate, and determine gaps in the riskmanagement strategy.

3. Previous plans and goals.These should bedisclosed with the risks, to permitcomparisons between actual achievementsand planned results.This content item isrelevant at the risk assessment and riskresponse level.

4. Controls put in place.These may bespecifically important for boards of directors,audit committees, and steering committees, allof whom have responsibility for oversight, andsenior management and other managers who

are responsible for decision-making.The role ofthis type of information is important in allphases of the risk management process, as itrelates to actions taken and those responsiblefor them.

5. Recommendations.Risk reports must alsoinclude recommendations for the intendedinternal audiences. Risk reports cannotdetermine how the CEO,CFO, and othersenior managers should respond to individualfindings.However, the recommendations shouldbe precise, business-focused, and pragmatic, sothat the recipients of reports feel sufficientlyinformed to act. For example, an organizationmay face a human resource-related risk withina process that is found to be dependent uponthe skills of one individual.The risk reportrecommendations might suggest an additionalhire, cross-training, or alternatively improvingdocumentation so that a non-specialist couldoperate the process.

6. Effects of a risk response. Internal riskreports to the board of directors, seniormanagement, and other managers should alsoinclude details on the potential or actualeffects of a risk response.This information canonly be disclosed at the risk response level.

To determine the content of a risk report, thefollowing questions also need to be answered:

1. Type of data.The type of data must beselected.Different details of risk reporting callfor different types of data—qualitative or

Risk General Detailed DetailedDescription

Impact • Potential operational • Current operational • Current operational • Potential financial • Current financial • Current financial• Potential impact on • Impact on other risks • Impact on other risks

other risks • Future financial • Future financial

Prevention NO YES YESPlans and Goals

Controls Put YES YES YESin Place

Recommendations YES YES YES

Effects of a NO NO Potential/Risk Response Actual

INFORMATION RISK IDENTIFICATION RISK ASSESSMENT RISK RESPONSELEVEL LEVEL LEVEL

Exhibit 12: Details of Risk Information Disclosed at Various Phases of the Risk Management Process

quantitative, different metrics, and other tools(such as graphs, exhibits, or scenarios). Graphs andexhibits are specifically useful. However, the reportmust include sufficient relevant technical detailneeded by those responsible for taking action.

2. Metrics.More detailed risk reports shouldexplain presented metrics. In periodic reports,metrics must be disclosed consistently fromperiod to period, to the extent they still arerelevant. However, a decision to report on aspecific risk with a specific metric in one perioddoes not require continuing disclosure if it is nolonger relevant, or if a more relevant metricbecomes available.

3. Context.The context of reported risks mustbe appropriately explained.Managers seeingonly facts without context in risky situationsmay react inappropriately. In addition, reportingof specific risks must include sufficient evidenceto influence proper decisions. For example,some managers may require overwhelmingevidence before they accept a problem’sexistence; others may simply need sufficientevidence to understand the nature of theproblem. Risk managers may therefore decideto include information on strategy, actions, andperformance in addition to informationspecifically focused on risk.This broaderdescription should be narrative, and accompanya quantitative presentation of the risks.Alternatively, the risk report should clearlydescribe the status of the organization’sprocesses and activities related to riskmanagement initiatives.

Exhibit 13 provides an example of how thecontent of a risk report can be structured whenproviding real-time information on an assessedrisk.The structure of this report follows theinformation details outlined in Exhibit 12. It doesnot provide all relevant details, but it does provideguidance on what to report on a real-time basiswhen there is available data.The first sectionprovides a detailed risk description of two riskevents resulting in understaffing; both are assessed.Subsequent sections include details on the currentoperational and financial impact, impact on otherrisks, and future financial impact and its probability.Further, previous plans and goals are revealed, asare the controls put in place andrecommendations to managers.

The real-time risk reports on the risk identified or responded to should be prepared using asimilar structure.

As outlined earlier, risk managers striving toprovide the internal audience with the desired

level of understanding must assure that riskreports are stated in business terms, and withsufficient detail. In many cases, organizations maysupplement risk reports with graphicalrepresentations of the causal relationshipsbetween various drivers of risk management, andthe impacts of these on organizational success.Such representations can be very useful indescribing the potential operational and financialimpact of risks, or their impact on other risks towhich the organization is exposed.They are alsouseful to present the expected consequences ofan appropriate risk response, thus providingmanagers with a better understanding of controlsput in place and expected results. Exhibit 14provides an example that describes the potentialeffect of an appropriate risk response to abusiness continuity risk.

Exhibit 14 shows numerous drivers of success inthe risk management process. At the bottom ofExhibit 14, the critical drivers include ongoingmonitoring of various risks and increased riskawareness (inputs).These are expected to lead toimproved event identification and assessment, andthe response of appropriate risk managementspending. In this specific example, the appropriatelevel of risk management spending relates toincreased investments in flexibility,which will leadto the desired output—business processcontinuity. Consequently, productivity will increaseand organizational reputation will improve, both ofwhich generate greater sales.These beneficialoutputs will lead to increased revenues,whilebusiness process continuity will also help containoverall costs. Finally, the increased revenues andsustained costs will lead to increasedorganizational success (outcome).

Internal audiences will be interested not only indisclosure of specific risks, but also in the riskmanagement process. A well established andproperly managed process will assure internalaudiences about the reliability of risk reports.Organizations must therefore include informationon the quality of their risk management process,particularly in their periodic risk reports.

TELUS Corporation, Canada’s second largesttelecommunications company, developed a riskreporting approach that is based on annual riskassessment, quarterly risk assessment review, andengagement/project specific risk assessments.Theannual risk assessment, reported to the CEO,CFO, and Audit Committee and updated quarterlythroughout the year, is a key input to strategicplanning.The engagement/project specific riskassessment process performs detailed real-time


23

24

M A N A G E M E N T

S T R A T E G Y


risk assessments, and provides updated and newrisk and control exposure information to theannual and quarterly reports. In an internalquarterly risk report, for example, a bubblechart indicates the key risk profile of thecompany (Exhibit 15 provides a modifiedexample of a TELUS bubble chart). Bubbles

relating to critical risk areas, such as security,business operations, technology, information,financial, strategic initiatives, people, and others,include most relevant risk items that changewith circumstances, as do critical risk areas.The‘Security’ bubble may include the following riskitems: IT security, physical security, and network

Detailed riskdescription

• Unexpected trend in higher compensation and expanding jobopportunities in the job market caused fewer offers being accepted,resulting in too few staff

• Inadequate needs/specifications description resulted in hiring unqualified staff

Risk assessment10% reduction in hiring due to Likelihood: 100%fewer offerings—18 unfilled positions

5% reduction in hiring due to Likelihood: 100%poor candidate screening—

9 unfilled positions

Current operationalimpact

• Breakdown in business process continuity in manufacturing divisionsresulting in a downturn of on-time deliveries from 85% to 75%

• Two customers canceled their contracts

Current financialimpact

$ 5,000,000 of lost revenues

Impact on other risks

The lack of staff in the manufacturing division imposes additionalproductivity burdens on existing employees, which may endanger theirsafety in the workplace (health and safety risks) and/or cause lowerproduct quality (commercial risks)

Future financialimpact

$3,000,000 of lost revenues Likelihood 18%

Previous plans and goals

Organization decided to hire 180 Tolerance:new qualified staff across all • 165-200 new qualified staff;manufacturing divisions to meet • staff cost between 20% and customer demand without 23% per dollar orderoverstaffing and to maintain 22% staff cost per dollar order

Controls put in place

• Strengthened quality control in manufacturing divisions

• Ensuring proper fit and suitability of employees’ personal protective equipment

• Regular reviews of staff competencies

Recommendations • High quality supervision and leadership

• Change in compensation schemes to additionally reward productivityand quality of manufacturing staff

REAL-TIME RISK REPORT ON A HUMAN RESOURCE RISK:UNDERSTAFFING

This draws on an example from Committee of Sponsoring Organizations of the Treadway Commission, 2004b.

Exhibit 13: Example of a Real-Time Risk Report Content Disclosing an Assessed Risk

security.The ‘People’ bubble may include securityawareness, employee skills, retention andrecognition, vandalism, and legal and ethicalcompliance. Each of these specific risk items iscolored with yellow, orange, or red (see theshading legend under Exhibit 15), indicating theseverity of threat (TELUS, 2006).

In addition to the bubble chart, historical(quarterly) risk ratings present the risk areas andtheir specific risk items (see Exhibit 16 for anexample). Again, colors yellow, orange, and red(see the shading legend under Exhibit 16) indicatethe risk rating status. In addition, managementowner, management actions, and internal auditactions are indicated (TELUS, 2006).

The Format of Internal Risk Reports

Risk information must be presented in anappropriate structure. If the format of the riskreport obscures risk information, time andadditional resources may be required forclarification, and users of risk reports may makeless informed decisions that could adversely affect the organization’s success.

Internal real-time risk reports for seniormanagement and other managers responsible forresource allocations, investment decisions, andother strategic and tactical decision-makingshould allow users to drill down to examine theunderlying data. Exhibit 17 provides an exampleof a real-time risk report for senior managementthat is presented in a ‘dashboard’-style.

Organizations use dashboard-style reports toenable management to quickly determine thedegree of alignment of the entity’s risk profile withrisk tolerances.Where misalignment occurs, andany existing risk responses or controls are notperforming as expected, management can takecorrective actions.

As Exhibit 17 shows, the first reporting levelprovides key risk categories (operations,strategic, compliance, and reporting) with risksub-categories (such as environmental, financial,and innovation risks). Each relevant risk sub-category, previously identified as appropriate forreal-time risk disclosure, is marked according tothe phases of the risk management process: riskidentified, risk assessed, or risk responded to.As senior management drills down to examinethe risks in more detail, the next reporting levelidentifies whether the risks are safely within,near, or beyond risk tolerances. Colors green,yellow, or red (see the shading legend) may be


25

Exhibit 14: Causality of Risk Management Drivers to Describe Potential Effects of a Risk Response

IInnccrreeaasseedd rreevveennuueess SSuussttaaiinneedd ccoossttss

Risk awareness

Investment in

flexibility

Improved

reputation

Ongoing

monitoring of risk

drivers

Increased

productivity

Greater

sales

Event identification

Business continuity

Risk management spending

Improved cost

control

Event assessment

INPUTS

PROCESSES

OUTPUTS

OUTCOMES

4


a Risk Report

IInnccrreeaasseedd oorrggaanniizzaattiioonnaall ssuucccceessss aanndd

sshhaarreehhoollddeerr vvaalluuee

External

Risks

Competition

Regulatory &

Legal Decisions

Fraud

Identity Theft

External Threat

(Manmade or

Natural)

Corporate

Social

Responsibility

Security

Physical

Security Network

Security

Business

Operations

Sales &

Bid

Process

Customer

Service Management

Info

Availability

IT

Security

¡

Project

Management

/ Delivery

People

Security

Awareness Employee

skills,

Retention &

RecognitionLegal &

Ethical

Compliance Vandalism

¡

Technology

Disruptive

Technology

¡

Information

Strategic Initiatives

Project

X

Global

Expansion Financial

Funding

of

Pensions

Sarbanes

Oxley

Act

Legacy

System

Support

Product

Recall

Data

Accuracy

Supplier

Management

Project

Y

26

M A N A G E M E N T

S T R A T E G Y


used for this purpose. Correlated risks (two or more independent risks that, if they occur,cause far greater loss than the sum of individuallosses),must be marked specifically, for examplewith a black color. Further drilling down theinformation source provides specificinformation on that risk.

To the extent possible, the risk-relatedinformation should always be supplemented withcharts, graphs, and exhibits to improve andexpedite the user’s comprehension.An exampleof such an exhibit has already been shown inExhibit 14,which graphically shows the causalityof risk management drivers.

Internal periodic risk reports (see Exhibit 18)will include more general information on the

risks, indicating trends or changes in risks. Riskinformation may be organized around specifickey risk categories rather than around phasesof the risk management process. Dashboard-style reports may be very useful for periodicrisk reporting as well. Arrow directions indicatea periodic trend in expected loss from theunderlying risks, with a down arrow indicating adecline in expected loss trend, and an up arrowindicating an increase. In addition, arrow colorindicates residual risk in relation to tolerances,where green indicates expected loss safely within risk tolerance, yellow indicates expectedloss near or at risk tolerance, and red indicatesthat tolerance is exceeded (see the shadinglegend). Periodic risk reports can also bedesigned for drill-down operations, but their

Exhibit 15: An Example of a Bubble Chart with Key Risk Profile for the Internal Quarterly Risk Report

Adapted from TELUS, 2006.

Shading legend: yellow =

orange =

red =

-

�

�

�

�

primary purpose is to provide generalinformation on the risks of interest.

To avoid misunderstandings, those responsible forrisk reporting must establish a common languageon the risks and risk management process.Otherwise, the reports may be misinterpreted,resulting in wasted time, the need for clarification,and lack of business buy-in.Thus, narrativeexplanations must accompany charts and graphsexplaining (a) trends and changes in operating dataand performance measures, (b) comparison ofperformance to previously disclosed riskinformation, (c) plans and goals for risk assessmentand risk management, and (d) potential impact onfuture operations and financial performance. Inaddition, a description of the assessmenttechniques used for evaluations may be provided.This should contribute a common understanding

of the level and nature of risks, in business terms,to the discussions of risk reports

The Placement, Distribution, andCommunication of Internal Risk Reports

Real-time internal risk reports are bestcommunicated through dashboard reporting.

Draft internal periodic reports should be providedto the audit committee for review and commentbefore distribution.

For the board and committees, risk reportingshould be made at least quarterly. For seniormanagers and other relevant managers, real-time


27

Adapted from TELUS, 2006.

Shading legend: yellow =

orange =

red =

EXHIBIT 16: Key Risk Profile—Trending & Tracking

Key Risks Risk RatingQ1 Q2 Q3

ManagementOwner

ManagementActions

Internal AuditActions

Bus

ines

sO

pera

tion

s

Supplier Management A

Sales & Bid Process BUpdate plansquarterly

Audit planned forQ4

Customer Service C&D

Peop

le

Security Awareness D

Employee Skills,Retention &Recognition

A

Ext

erna

l Ris

ks

Manmade and NaturalDisasters

B

Changing Laws andRegulations

F,E,&AMonitor plannedchanges

Include questionin risk survey

Supplier Viability &Reliability

D

Market Negativity F&E

Economic Downturn F,E,&A

Placement, Distribution,

and Communication 5

28

M A N A G E M E N T

S T R A T E G Y


Exhibit 17: A Dashboard for Internal Real-Time Risk Reporting for Senior Management

COMPANY WIDE RISKS

Risks Identified Risks Assessed Risks Responded Key Risk Categories

1 Operations Risks:

1.1 Environmental

risks

1.2 Financial risks

1.3 Innovation risks

2 Strategic Risks

3 Compliance Risks

4 Reporting Risks

��

��

��

��

1.2 Financial Risks

Drill down

Credit risk

1.3 Innovation Risks 1.1 Environmental

Risks

Market risk

Liquidity risk

R&D risk Risk of flood

Risk of flood:

1 General risk description

2 Potential operational impact

3 Potential financial impact

4 Potential impact on other

risks

5 Controls put in place

6 Recommendations for

managers

Liquidity risk:

1 Detailed risk description

2 Current operational impact

3 Current financial impact

4 Impact on other risks

5 Future financial impact

6 Previous plans and goals


8 Recommendations

R&D risk:

1 Detailed risk description

2 Current operational impact

3 Current financial impact

4 Impact on other risks

5 Future financial impact

6 Previous plans and goals


8 Effect of risk response

9 Recommendations

Drill down

8 Recommendations:

How to incorporate liquidity

risk in ROI calculations?

8 Effect of risk response:

Causality of risk management

drivers (see Exhibit 13)

3 Potential financial impact:

What are the potential costs of

flood to the business?

Shading legend: green = = risk is within risk tolerance

yellow = = risk is near risk tolerance

red = = risk is beyond risk tolerance

Shading legend: green = = expected loss safely within risk tolerance

yellow = = expected loss near or at risk tolerance

red = = risk tolerance is exceeded


29

Exhibit 18: A Dashboard for Internal Periodic Risk Reporting for Senior Management

COMPANY WIDE RISKS

1 OPERATIONS RISKS

Credit risk

1.3 Innovation

Risks

1.1 Environmental

Risks

Market risk

Liquidity risk

R&D risk

Risk of flood

1.2 Financial Risks

2 STRATEGIC RISKS

Risk of flood likelihood and tolerances:

0

20

40

60

80

100

1st

Qtr

2nd

Qtr

3rd

Qtr

4th

Qtr

current year

next year

tole rance

Risk of new product development and

tolerances:

0

5

10

15

20

25

30

35

40

Year

1

Year

2

Year

3

Year

4

r isk re lated

success rate

r isk

response

success rate

tolerance

Additional narrative explanation:

- Previously disclosed risk information,

- Plans and goals for risk assessment and management,

- Potential impact on future operations and financial performance

- Description of assessment techniques used for evaluations

- Recommendations

3 COMPLIANCE RISKS

4 REPORTING RISKS

30

M A N A G E M E N T

S T R A T E G Y


risk information should be reported within afew days of the transaction or event. As therate of change in business activitiesaccelerates, and information technologyreduces the cost of collecting and providingupdated information, internal real-time riskreporting will likely be even faster. Further, asregulatory frameworks move towards real-time disclosure, management must see theinformation as quickly as possible.

The following communication vehicles may beused for a general communication of risk-basedinformation across business units, processes, orfunctions: broadcast e-mails, broadcast voice mails,corporate newsletters, databases supportingspecific risk issues, letters from the CEO, e-maildiscussion groups, intranet sites capturinginformation regarding enterprise risk managementfor easy access by personnel, messages integratedinto ongoing corporate communications,conference calls, posters or signs reinforcing keyaspects of enterprise risk management, face-to-face meetings of ‘risk champions’, and newslettersfrom the chief risk officer.These broadcast vehiclesgenerally promote awareness rather than guidedecision-making.

GUIDANCE ON THE REPORTINGOF ORGANIZATIONAL RISKS FOREXTERNAL DECISION-MAKING

External constituents want more informationabout corporate activities. In a recent survey,investors identified communication tostakeholders to be one of the most importantcorporate governance aspects they monitorbefore making an investment. Nearly half ofshareholder/investor respondents said that they would be prepared to pay a premium forcompanies that demonstrate a successfulapproach to risk management (Ernst & Young,2005). Potential employees will typically seekorganizations with more predictable workingenvironments and risk management practices.Public interest groups and customers have alsogained senior managers’ attention.Organizations see increasing pressure forgreater transparency, mandated or voluntary,and a better alignment of externally reportedinformation with information reportedinternally to senior management to manage thebusiness. Stakeholders expect and demandincreased corporate risk disclosure to improvetheir various decisions.This requires effectiveexternal reporting of the risks the organizationis facing, and of the management team’s plans to

capitalize on emerging opportunities or tominimize the risk of failures.

In our earlier discussion on risk reporting (see the section on “Importance ofOrganizational Risk Reporting”) we suggestedthat organizations should move along theorganizational risk reporting maturity line from compliance-based to strategy-based, andthen on to business-based organizational riskdisclosure. Organizations that have establishedproper risk management processes beyondcompliance-based risk disclosure may considerdisclosing broader organizational risks toexternal audiences as well.This sequentialapproach may be especially important, becauseexternal constituents expect disclosure of therisks as well as how the organization is preparedfor and manages the risks. In the face ofinappropriate risk management structures andprocesses, organizations cannot enhancecorporate image and win the trust and loyalty ofpeople outside the organization: the customers,shareholders, suppliers, and others they dependon to conduct business.The subsequentdiscussion on the frequency, content and format;and placement, distribution, and communicationof external risk reports will therefore assumethat organizations have established proper riskmanagement processes.

In the light of the known external audiences(registered auditor, regulators, shareholders,creditors, financial analysts, customers, suppliers,community, and media), and their risk interests(see Exhibit 7), the organizations may considerpreparing different risk reports for differentexternal constituents. Organizations can followthe uniform approach for all external audiences.except for the registered auditor and regulators,who may have specific reporting requirements.

The Frequency of External Risk Reports

Both real-time and periodic risk reporting maybe needed for the general external audience.Some external real time risk reporting isrequired by regulation.Determining the risks tobe reported externally on a real-time basis,however,may follow the steps indicated inExhibit 19.Contrary to the internal reports(Exhibit 8), these external reports would notreport risks if their probability of occurrence


of a Risk Report 2

and magnitude of effect has not yet been assessed(risks identified).

As shown in Exhibit 19, disclosure of risk forregulatory purposes would not typically include acost-benefit analysis.To determine which risksshould be disclosed externally voluntarily,organizations must consider whether disclosureof a specific organizational risk would adverselyaffect the organization—by aiding its competitors,by creating a bargaining disadvantage withsuppliers, customers, or employees, or byimplicitly encouraging investors to withdraw theircapital. Real-time risk reporting is appropriatewhenever the benefits of a real-time external riskdisclosure exceed its potential costs.

A more detailed cost-benefit analysis of externalreal-time risk reporting is provided in Exhibit 20. Inthe first step, the benefits of a real-time riskdisclosure are converted to monetary terms.Theprimary potential benefits of external riskreporting to investors, creditors, and financial

analysts, for example, are the reduced likelihoodthat they will misallocate their capital. As aconsequence, organizations can benefit from (a) alower average cost of capital, (b) enhancedcredibility and improved investor relations, (c)access to more liquid markets with narrower pricechanges between transactions, (d) the likelihoodthat investors will make better investmentdecisions, (e) reduced danger of litigation alleginginadequate informative disclosure, and (f)improved defense of such suits.The key potentialcosts of external risk reporting relate tocompetitive disadvantage from informativedisclosure, bargaining disadvantage because ofdisclosure to suppliers, customers, and employees,and litigation without merit that is attributable todisclosures.The greater the level of detail about aspecific risk, the greater the likelihood ofcompetitive disadvantage. Asymmetric riskreporting,when not all competitors in an industryadopt new guidelines, could also be important anda cost. Again, it is generally assumed that a specific


31

Exhibit 19: Determining Risks to Be Reported on a Real-Time Basis to External Audiences

Yes

Yes

Cost-benefit

Analysis

R

I

S

K

S

A

S

S

E

S

S

E

D

Improper

Decision-Making

Real-time

Risk Report?

Regulatory

Requirements

External Audiences

Needs

No

Cost-benefit

Analysis

Improper

Decision-Making

No

R

I

S

K

S

M

A

N

A

G

E

D

Needs

Voluntary

Real-time

Risk

Disclosure

Voluntary

Real-time

Risk

Disclosure

R

E

A

S

S

E

S

S

M

E

N

T

Real-time

Risk Report?

Compliance

-based

Real-time

Risk

Report

32

M A N A G E M E N T

S T R A T E G Y


risk should be disclosed when the benefits ofdisclosure exceed the potential costs.Conversely, organizations will decide not tomake some voluntary risk disclosures when therisks of harm outweigh the expected benefit.Still, some risks may need to be disclosed even ata high short-term cost, such as risks of productmalfunctioning. Good corporate governancepractice may, in some instances, promotedisclosure despite a negative cost-benefitanalysis. Bad news cannot simply be withheldbecause it would hurt the organization. Such adisclosure, however, depends on the probabilitythat the risk could occur.

The conversion of benefits of external real-timerisk disclosure to monetary terms is illustratedin Exhibit 21. Similar to Exhibit 10, specific riskdisclosure outputs that result in benefits arepresented, and followed by the relevant

calculations that capture the monetary value ofrealized benefits.

External periodic risk reporting is also requiredby SEC regulation via the annual 10-K. Again,organizations may decide to provide broader andmore frequent periodic risk reports, on aquarterly basis for example.The purpose ofperiodic external risk reports is to providegeneral external audiences with reliable,aggregated information about various relevantorganizational risks,with trend indicators andperiodic comparisons, to improve their decision-making. Exhibit 11, indicating the selection of risksfor periodic risk reporting to internal audiences,can also be used for external periodic riskreporting.Using the cost-benefit analysis ofexternal periodic risk disclosure (which is similarto the cost-benefit analysis provided in Exhibit 20),organizations will decide which risks to disclose.

CALCULATE THE BENEFITS OF EXTERNAL REAL-TIME RISK DISCLOSURE

Outputs Benefits Monetary Value

Compliance with

Regulation

Reduced costs of prosecution and penalties $...................

Corporate Reputation Increased sales from existing and new customers

Staff retention, improved recruitment $...................

$................... Reduced Earnings

Volatility

Increase in shareholder value $...................

Reduced Cost of Capital Savings in costs of equity financing $................... Total Benefits $...................

CALCULATE THE TOTAL COSTS OF EXTERNAL REAL-TIME RISK DISCLOSURE

Costs Value

Real costs of risk reporting Cost of gathering data, analysis, reporting etc. $...................


competitors

Provided risk information aids competitors to

improve their competitive position

$...................


suppliers

Bargaining disadvantage with suppliers $...................


customers

Bargaining disadvantage with customers $...................


investors

Potential withdrawal of their capital, absence of

investments, etc.

$...................

Total Costs $...................

COMPARE THE BENEFITS AND COSTS OF EXTERNAL REAL-TIME RISK DISCLOSURE

Total Benefits

COST-BENEFIT ANALYSIS = ----------------------------

Total Costs

Exhibit 20: Calculating the Costs and Benefits of External Real-TimeRisk Disclosure

The Content of External Risk Reports

Generally, senior management must assureinvestors (and other stakeholders) thatorganizational risks are well-managed, and thatreports include the actions taken and why they areappropriate.Two sets of information must,therefore, be provided in risk reports: informationon the quality of risk management, andinformation on relevant organizational risks. Thiswill enable external users of risk reports to makemore informed business decisions.

When deciding on the details of real-time orperiodic external risk reports, organizations maychoose information from the template presentedin Exhibit 12. However, the tendency should be toavoid reporting on risks that have not yet beenappropriately assessed. In addition, reports will notbe as detailed as for internal audiences, seniormanagement and managers in particular, andrecommendations may be omitted. Importantadditional guidance as to what risks to discloseexternally can be found in Section 4.3 of the

National Policy 51-201 Disclosure Standards (NP51-201), issued by the Canadian SecuritiesAdministrators.The section contains a list, withexamples, of the types of events or informationthat may be material (Canadian SecuritiesAdministrators, 2002):

• Changes in corporate structure, such aschanges in share ownership that may affectcontrol of the organization;

• Changes in capital structure, such as changes inan organization’s dividend payments or policies;

• Changes in financial results, such as a significantincrease or decrease in near-term earningprospects,

• Changes in business and operations, such as anydevelopment that affects the organization’sresources, technologies, products, or markets;

• Acquisitions and dispositions, and

• Changes in credit arrangements, such as theborrowing or lending of a significant amount ofmoney, or changes in rating agencies’ decisions.

The specific dilemma of how much to reportexternally in bad times must be addressed.Organizations typically want to report more whenthey have something good to say.When they areperforming poorly, some managers may want to


33

Compliance withRegulation

CorporateReputation

Reduced EarningsVolatility

Reduced Cost ofCapital

Reduced costs of prosecution andpenalties

Increased sales from existing andnew customers

Staff retention

Improved recruitment

Increase in shareholder value

Savings in costs of equity financing

Monetary benefit equals the reducedcosts of prosecution and penalties;estimates of the costs should be basedon historical evidence

Benefits can be calculated as additionalsales from existing and new customersminus marginal sales expense

Benefits equal to monetary savingsarising from decreased employeeturnover (decrease in the cost ofrecruitment, orientation, and training)

Benefits arise from lower cost ofemployee orientation and training

Benefits relate to the increase in theshare market prices

Benefits equal the reduced costs ofequity financing

DISCLOSURE CALCULATION OF

OUTPUTS BENEFIT MONETARY BENEFIT


of a Risk Report 3

EXHIBIT 21: Calculating Monetary Benefits from External Real-TimeRisk Disclosure

34

M A N A G E M E N T

S T R A T E G Y


disclose less.The principles of good corporatecommunication, as well as regulation, require itto be consistent, honest, and forthright.

An example of an external periodic risk report isprovided by K-Bro Linen Income Fund in itsManagement’s Discussion and Analysis ofFinancial Condition and Results of Operation.The Fund was created for the purpose ofacquiring, directly and indirectly, all of the issuedand outstanding securities of K-Bro LinenSystems Inc., the largest owner and operator oflaundry and linen processing facilities in Canada.In the ‘Risks Related to K-Bro and the Laundryand Linen Services Industry’ section of theMD&A, the risk report covers several topics,including a risk-related description of thecompetitive environment, acquisitions andintegration of acquired businesses, industry risk,the Fund’s ability to maintain profitability andmanage growth, cost of linens, utility and energycosts, relocation of plants,workers’compensation costs, employee relations andcollective agreements, changes in laws, relianceon key personnel, dependence on long-termcontracts, credit facility, availability of futurefinancing, and environmental matters. Thecontent of the risk report, primarily narrative, isalso supported with financial numbers. Forexample,when disclosing the K-Bro’s businessdecision to relocate from its Calgary plant uponthe expiration of its current lease in 2008,management included an estimate of the costs ofsuch relocation ($2 million, assuming a newfacility of comparable size and the relocation andinstallation of existing equipment).The disclosurefurther says that “Although management expectsto finance any relocation through its cashreserves and/or credit facilities,…,difficulties infinancing or inability to finance this relocationmay have a material adverse effect on K-Bro’sand the Fund’s business, financial condition,liquidity, and operating results” (K-Bro LinenIncome Fund, 2005).

The Format of External Risk Reports

External periodic risk reports may follow the 10-K form.However,when placed on websitesor disclosed in annual reports, graphicaldisclosures are particularly appropriate toconvey the results of risk response initiatives.Narrative descriptions of potential risks along

with risk response initiatives, put in a businesscontext,may help external users to betterunderstand the importance of this informationfor decision-making. Such reports mayaccompany a more descriptive section onforward-looking information or prospectivefinancial and non-financial information in anannual report, or in the management discussionand analysis section.

External real-time risk reporting, on the otherhand, relates to risk information placed on theorganization’s web site, or disseminated inanother real-time manner, such as in the form 8-K. Similar to periodic external risk reports,information should be general and aggregate, butrelated to recent risk-related analytical findings.

In broadening reporting,many organizations haveissued special reports, on the environment forexample, or for equal employment opportunity,philanthropy, or other issues.Many of thesereports are issued to display ‘a good corporatecitizen’ reputation and appeal to special interestgroups.There is no need to segregate thesereports from mainstream financial reporting.

Because of the rise of the Internet and the relatedtrend toward electronic dissemination of financialand other information on the websites, concernsabout the ‘organization of information’ maybecome obsolete. Users of corporate websiteshave greater control over which portions of thereport to review and which to disregard. Asthese technologies develop, the sequence ofinformation in a traditional paper annual reportmight become increasingly less important.

The Placement, Distribution, andCommunication of External Risk Reports

Websites are particularly useful for externalreal-time risk reporting.This allowsorganizations to provide aggregate information.Serious users can then delve into the on-line riskreports for detail.The 8-K form should also beconsidered an important placement tool.

With respect to external periodic riskreporting, MD&A, other parts of annualreports, or quarterly reports, are generallyviewed as the main channels for risk reportingto external stakeholders. As noted earlier, amodel of risk reporting should first integrate,


a Risk Report 4

Placement, Distribution,

and Communication 5

not fragment, the mosaic of risk-relatedinformation that managers use for externaldisclosure.The president’s letter, MD&A, financialstatements, and footnotes, along with othervoluntary disclosures, should offer a holisticreporting that includes organizational risks.Manyorganizations try to fill the risk reportinginformation gap with public relations.The problemwith this approach is that public relations oftenimplies that the organization is hesitant to comeclean with all available facts, or is trying to paint apicture that may not be realistic. By relying onpublic relations alone, senior management riskslosing credibility with their stakeholders.

Generally, the communication strategy may include analyst meetings, press conferences, formaldocuments, and other channels of communication,such as the Internet or websites. Some users willcontinue to want information on paper or orally.Others may access the information in electronicform.Whichever method is practiced, thereporting objective should be to provide a soundbasis for external audiences to makecomprehensive, albeit subjective, assessments ofthe reported data.The challenge for managers isto inform the average member of the externalaudiences, while being fair and balanced in covering all critical perspectives.The draft external periodic reports should be provided tothe audit committee for review and commentbefore distribution.

CHALLENGES IN RISK REPORTING

Risk reporting inevitably confronts severalchallenges, such as controlling the risk report’seffects on individual behavior, monitoring andevaluating these effects, and managing the costs of risk reporting.

The Impact of Risk Reporting on Individual Behavior

Reporting of organizational risks has either a director an indirect effect on the internal and externalaudiences’ behavior concerning the perceivedthreats.Therefore, the managers’ responsibility topresent an accurate picture of the problems is vital.The reporting of organizational risks affectsindividual behavior through a number of phases,such as awareness, a sense of urgency or a demandfor action, a search for solutions, reaction andresistance, wrestling with alternative choices,intellectual assent, resolution at the cognitive level,and full resolution—moral, emotional, andintellectual (Willis and Adelowo Okunade, 1997).

Proper communication and reporting oforganizational risks is important to create riskawareness; but it is even more critical to attemptto influence the sense of urgency or a demand foraction among the relevant audiences. Further, itshould contribute to the difficult process of solvingthe problems.When communicating and reportingorganizational risks, managers should (a) report onthe complexities of the problem (b) define theconflicting values surrounding—and sometimespolarizing—an issue, and (c) define a commonground for effective action.

However, it is extremely difficult to influencethese effects, since so many variables can alterthe way the message is delivered or interpreted.The noise along the communication channelshould be among the major concerns of the riskreporters. Further, how vulnerable do internaland external audiences feel to variousorganizational risks as a result of risk reporting?Relative personal invulnerability is not always areflection of a person’s ignorance of riskwarnings. Rather, it could be an indirect effect ofrisk communication behaviors.When internaland external audiences are threatened by aserious risk, they will look for more informationabout the risk from media and interpersonalchannels.Although these channels, often informalin nature, may increase the individual’s perceivedexpertise about the risk, and enhance his or herperception of controlling it, they may also lead tofalse information, and cause high stress andwrong reactions.Thus, organizations need tocontrol risk reporting channels and ensureaccurate and reliable information.

Monitoring the Contribution of Risk Reporting

There is no way to measure precisely how manyfalse internal and external decisions will beaverted, and how many investment dollars will besaved, because of broader risk reporting.However, improved risk identification,measurement, management, and reportinggenerally is critical for improved internal decision-making and for increased investor confidence inthe reliability of an organization’s financialreporting and the capital markets.

With appropriate external disclosure oforganizational risks and risk management initiatives,shareholders and financial analysts can more properlyvalue company shares.The role of forward-lookinginformation in voluntary disclosure is generallyassociated with more accurate analysts’ earnings


35

36

M A N A G E M E N T

S T R A T E G Y


forecasts and company valuations. Recent researchshows that improving disclosures makes capitalallocation more efficient and reduces the averagecost of capital—lower costs of equity capital andlower debt costs (FASB, 2001).The reason is that anorganization’s cost of capital is believed to include apremium for investors’ uncertainty about theadequacy and accuracy of organizationalinformation.Voluntary disclosure also decreasesprice volatility and narrows bid-ask spreads,enhancing securities liquidity (Lev, 1992).Organizations with more informative risk disclosurehave a wider analyst following, receive moreaccurate earnings forecasts, and have less volatility inforecast revisions (Lang and Lundholm, 1996).

Fair and favorable media publicity may also be abenefit, and customer loyalty may increase. Byexternally disclosing more comprehensive risk-related information, senior management increasestransparency and improves goal alignmentbetween the organization and its broad set ofstakeholders. Strengthening the credibility of anorganization’s performance internally is alsoimportant. Employee morale and support formanagement can strengthen with accuratereporting of relevant risks and responsive riskmanagement initiatives. Increased commitment todelivering results may lead to improvedorganizational success and shareholder value. Fullaccountability is accomplished only when anorganization combines broad public disclosureswith extensive internal performance reporting. Bydoing so, organizations create value for thestakeholders whose support is needed to prosper.

As with most reporting, the benefits ofdisclosure are hard to separate from the benefits of the actions and the process thereports represent.

Coping With Costs of Risk Reporting

Although the Risk Reporting Contribution Scheme(see Exhibit 4) responds to users’ needs, riskreporting should reflect the organization’sconcern about the costs of disclosing, preparing,disseminating competitively sensitiveinformation, and the potential for increasedlitigation.Organizations are typically sensitive tothese costs, and will search for ways to limitthem while still providing more usefulinformation.Generally, if the organizationprepares the right risk-related information tohelp managers make better strategic andoperational decisions internally, the added costof external disclosure should be small.

THE IMPORTANCE OF ACCURACYOF INFORMATION GATHEREDAND PROVIDED TO INTERNALAND EXTERNAL AUDIENCES

An important reporting rule for organizations isnot to disclose any risk information withoutsufficient credible data for accurate reports. It isthe risk reporter’s responsibility to be accurate,but it is also the manager’s responsibility to betruthful and make disclosures that representeconomic reality. Inaccurate data can result inpoor situation assessment and bad managementdecisions, while financial analysts and investorscan draw incorrect conclusions and makeimproper business decisions. In addition,employee dissatisfaction with inaccuratereporting of risks may lead to a decline in trust,employee morale and support for management;customers may decide to switch to otherproviders; organizations may face adversepublicity; and investors and creditors may loseconfidence in the organization’s capability todeliver the required returns. As a consequence,the market value of the corporation may decline.

On the other hand, even accurate information tostakeholders may also cause adverse publicity.When organizations provide accurateinformation, they may not improve theirreputation. Full disclosure may stimulatecustomers to avoid purchase of the organization’sproducts. Organizations thus face various risksrelated to both accuracy and inaccuracy ofinformation, not just compliance risks.

Many risks of providing inaccurate informationare related to the process of gatheringinformation, since control weaknesses and risksare often due to people or process issues.Organizations also rely on others to provideinformation, such as suppliers and businesspartners, and in particular outside serviceproviders.The extent of an organization’sreliance on outside service providers may bothcomplicate management’s internal assessmentof internal control over financial reporting, andmake assuring accurate information moredifficult. Management must obtain informationfrom the service organization that allows it toassess the operational effectiveness of theservice organization’s internal control.

Accurate information may be more easilyassured in a highly integrated enterprise. If theinformation from the three core transactionalsystems (Enterprise Resource Planning, Supply


37

Chain Management, and Customer RelationshipManagement) and other supporting functionalautomation systems is not integrated, financial datamay be inaccurate, and considerable resources willbe required to reconcile the differing, thoughoverlapping, data from various sources.This datamay then remain open to distortion, data loss, andcorruption.There are several available integrationtechnologies, and the CIO should consider theappropriate one based on the specificrequirements and constraints of the organization.

RISK REPORTING RELATED TOMERGERS AND ACQUISITIONS

Reporting on various organizational risks relatedto due diligence is important not only incontinuing operations, but also in acquisitions andmergers. Reports from financial analysts, media,and surveys reveal that poor due diligence is oneof the failure determinants in failed mergers(Epstein, 2004). Risks associated with acquisitionsand mergers include all aspects that relate to theinitial different structures and systems, and theneed for system changes or new systems. Morespecifically, they include legal and regulatory issues(compliance risks), lack of organizational culturealignment, and risks of misaligned managementcontrol systems or sub-optimal organizationalpolicies (organizational systems’ risks).Moreimportantly, they also include other strategic andoperational risks.

In considering acquisition and undertaking duediligence, organizations must:

• Consider the adequacy of the target’s controls and its compliance efforts, if the target is a private or foreign company.Assessments of compliance risks, theirprobability of occurrence and magnitude ofeffect, must be made and reported to theboard of directors and senior management ofthe acquiring organization.

• Carefully assess and report on all potentialstrategic and operational risks. Assessmentsshould be made of preliminary inherent risks(with risk likelihoods and potential impacts), aswell as of residual risks after a proper riskresponse is put in place (again with risklikelihoods and expected impacts).

• Provide the board of directors and seniormanagement with a probability distribution ofvarious outcomes of a merger or acquisition,particularly in relation to expected cost savings.

ORGANIZATIONAL STRUCTUREAND RESPONSIBILITIES FOR RISK REPORTING

With respect to internal control regulation, theboard of directors bears ultimate responsibilityfor the effectiveness of internal controlthroughout the organization. It should also takeresponsibility for overall effective risk managementand risk reporting. Boards of directors also haveresponsibilities related to developing andimplementing the company’s mission, values, andstrategy.This responsibility also includes a carefulreview of corporate processes for identifying,monitoring, and managing risks.The board maydelegate its oversight and reporting duties tocertain committees, but it must receive and reviewrisk reports of those committees and take actionsnecessary to ensure continued effectiveness ofthese corporate processes. Although theresponsibility for risk may, in practice, be migratingfrom the wider board to the audit committee, itshould stay firmly with the board.The auditcommittee is responsible for directing internaloversight and, therefore, for understanding internalcontrol (risk) concepts, approaches, and issues.

The CEO is then responsible for organizing,planning, directing, and controlling the seniormembers of management to achieve riskmanagement and risk reporting objectives.From the CEO’s perspective, the organizationneeds to ensure that these reports clearly explain the critical risks, so that the usersunderstand them and incorporate them in theirdecision-making.The CFO is responsible fordesigning and maintaining such internal controltechniques in financial policies, procedures,processes, systems, functions, and undertakings asare necessary to achieve the company’s financialand risk objectives.These include (a) maintaininga competitive capital structure, (b) providingrelevant and reliable financial information andanalysis to facilitate and support decisions onstrategy, objectives, plans, and other initiatives, aswell as (c) complying with applicable laws andregulations pertaining to financial matters. Inaddition, the CEO is responsible for makingperiodic risk reports in a form and content thatenables management and the board to monitorperformance and achieving risk objectives andbusiness objectives.

The role of the internal audit function withrespect to risk management is two-fold. In additionto identifying and evaluating risk exposures,

38

M A N A G E M E N T

S T R A T E G Y


standards on internal auditing charge internalaudit with the responsibility for monitoring andevaluating the effectiveness of the organization’srisk management system.This responsibilityrequires internal audit to maintain itsindependence and objectivity.

To establish the right organizational riskmanagement and risk reporting structures andsystems, organizations should start with a writtencorporate risk disclosure policy.That policygives organizations a process for disclosure, andpromotes an understanding of legal requirementsamong directors, senior management, othermanagers, and employees. It will focus onpromoting consistent disclosure aimed atinformative, timely, and broadly disseminateddisclosure of risk-related information tointerested audiences. Every disclosure policyshould generally include the following (CanadianSecurities Administrators, 2002):

• how to decide what risk information is‘material’ and should be reported,

• policy on reviewing analysts’ reports;

• how to release earnings announcements andconduct related analyst calls and meetings;

• how to conduct meetings with investors andthe media;

• what to say or not to say at industryconferences;

• how to use electronic media and thecorporate web site;

• policy on the use of forecasts and otherforward-looking information (including apolicy regarding issuing updating);

• procedures for reviewing briefings anddiscussions with analysts, institutionalinvestors and other market professionals;

• how to deal with unintentional selectivedisclosures;

• how to respond to market rumors;

• policy on trading restrictions; and

• policy on ‘quiet’ periods.

The process of creating such a policy is itself abenefit, because it forces a critical examination ofcurrent disclosure practices. Although CFOsoften assume responsibility for risk functionsbecause of the broad perspective they have oftheir organizations, organizations shouldconsider establishing a committee of companypersonnel (Risk Management Committee) orassign a senior officer (Chief Risk Officer) to beresponsible for:

• developing and implementing the riskdisclosure policy;

• monitoring its effectiveness and compliance;

• educating directors, senior management,other managers, and employees aboutdisclosure issues and the risk disclosurepolicy;

• reviewing and authorizing disclosure (includingelectronic, written and oral disclosure) inadvance of its public release; and

• monitoring the organization’s web site.

The risk disclosure policy should be reviewedperiodically, updated as necessary, approved bythe board of directors, and widely distributed tosenior management, other managers, andemployees. Directors, senior management, othermanagers, and employees should be trained, sothat they understand and can apply thedisclosure policy.

In addition, the organization should authorizespokespersons, limiting the number of peopleauthorized to speak on behalf of theorganization to analysts, the media, and investors.Ideally, spokespersons should be members ofsenior management.They should beknowledgeable about the risk disclosure recordand aware of analysts’ reports relating to theorganization. Everyone in the organization mustknow who the organization’s spokespersons are,and be directed to refer all inquiries fromanalysts, investors and the media to them. Havingspokespersons helps to reduce unauthorizeddisclosures, inconsistent statements by differentpeople in the organization, and statements thatare inconsistent with the public disclosurerecord of the organization.

The unit responsible for risk reporting, whichdirectly reports to the risk managementcommittee or CRO, should be elevated to thestrategic level and organized as a separate entity.Its tasks include continuous gathering of data onrisk events, providing risk assessments, and cost-benefit analyses. In addition, this unit preparesthe risk reports to internal and externalaudiences.The risk management committee orCRO is responsible for supervising theseactivities and approving the analyses.On theother hand, the board of directors must approvethe release of risk reports.

A firm commitment from the highest levels ofmanagement is clearly necessary to make riskmanagement an organization-wide process.Thisis the only way to create a mindset in managers

and employees that builds risk into everydaydecision-making.Without designated responsibility,proper training or even clear definition andcommunication of risks, various line managers mayimplement their personal risk approach, withvarying tolerances for risk.This could lead toinconsistent risk management (The 2005Oversight Systems Financial Executive Report onRisk Management, 2005).

CONCLUSION

Although internal control over financial reportingcan be considered one of the most significantrequirements resulting from the Sarbanes-OxleyAct of 2002, the internal control legislation andregulation also triggered a different and broaderunderstanding of the risks organizations face, andthe risk management process they implement.Managers increasingly understand the importanceof effective risk reporting, internally andexternally, and the value of delivering relevant andcredible risk reports to internal and externalaudience that are articulated in business termsand supported by evidence.With the rightinformation, internal and external audiences canmake better decisions.

Broader real-time and periodic internal riskreporting provides senior management and othermanagers with on-time, detailed, and aggregateinformation on the various risks and theorganization’s risk management processes, thuscontributing to more informed decision-making.Dashboard reporting systems allow managers todrill down for more detailed information on risksand relationships between them, and to includethese in their ROI calculations. Improved resourceallocations may result.

Broader external reporting should not hurt theorganization’s competitiveness. If specific risk-related information helps the organization makeimproved decisions and better track valuecreation, the information may also help attractnew capital. Or, if information on employeesatisfaction and well-being helps managers preventthe increase in personnel risks and cultivate acommitted workforce, it may also help attractcommitted talent from outside. Data on business

process continuity may lead to improvedprocesses, which may also reassure customers andbusiness partners externally. Organizations withpoor external disclosure complicate informeddecision-making by financial analysts, shareholders,customers, suppliers, and others with whomorganizations interact.

This Guideline starts with a Risk ReportingContribution Scheme, a framework for monitoringthe outputs of risk reporting and financialoutcomes from broader reporting oforganizational risks, such as investors andcreditors making more informed investmentdecisions, or managers making better strategic andtactical decisions.The Risk Reporting ContributionScheme shows the benefits of a broad and well-managed risk reporting process, and provides thebackground to the Risk Reporting Model presentedin this Guideline.The Risk Reporting Model providesuseful guidance for senior managers on reportingof organizational risks internally and externally—the frequency of risk reports, what risks to reportand in what detail, in what format, and where.ThisGuideline, therefore, helps senior management gobeyond regulatory compliance regarding riskreporting, and seize the opportunity to improvereporting practices to drive better performance. Inaddition, this Guideline recommends a preliminarystep, that all organizations establish appropriateorganizational structures and responsibilities forrisk management and risk reporting.

In the future, successful businesses will be thosebest able to balance coping strategies, which aredefensive and focused on avoiding downsiderisks, with an increasing mix of exploitation andexploration strategies, which embrace risk andmake the most of the opportunities it presents.This will require more than just an improvementin traditional risk management tools—it willinvolve a shift in mindset and focus, wherereliable, relevant, and sufficient risk managementand reporting is considered a value-addedactivity. Organizations should leverage theSarbanes-Oxley Act compliance efforts andinvestments to build a comprehensive riskmanagement and risk reporting system and drive significant new business value from acomplex and mandatory process.


39

40

M A N A G E M E N T

S T R A T E G Y


BIBLIOGRAPHY

American Institute of Certified Public Accountants.1994. Improving Business Reporting—A CustomerFocus (Comprehensive Report of the Special Committeeon Financial Reporting).New York: AICPA.

American Institute of Certified Public Accountants.2004. Improving Business Reporting—A CustomerFocus:Meeting the Information Needs of Investors andCreditors. New York: AICPA.

Accounting Standards Board. 2005. ReportingStatement of Best Practice on the Operating andFinancial Review. London: ASB Publications.

Canadian Institute of Chartered Accountants. 2001.Management’s Discussion and Analysis: Guidance onPreparation and Disclosure. Review Draft.

Canadian Securities Administrators. 2002.NationalPolicy 51-201 Disclosure Standards.

Committee of Sponsoring Organizations of theTreadway Commission. 2004a.Enterprise RiskManagement—Integrated Framework: ExecutiveSummary Framework. New York: AICPA.

Committee of Sponsoring Organizations of theTreadway Commission. 2004b. Enterprise RiskManagement—Integrated Framework: ApplicationTechniques. New York: AICPA.

Companies (Auditing and Accounting) Bill 2003.Houses of Oireachtas, Ireland.

Epstein, Marc J. 2004. The Drivers of Success in Post-Merger Integration. Organizational Dynamics,Vol. 33,No. 2: 174-189.

Epstein, Marc J., and Rejc,Adriana. 2005. Identifying,Measuring, and Managing Organizational Risks forImproved Performance.Management AccountingGuideline. Hamilton:The Society of ManagementAccountants of Canada,New York: AICPA.

Ernst & Young. 2005. Corporate Governance WebSurvey: Key Findings and Valuable Insights.

Financial Accounting Standards Board. 2001.Improving Business Reporting: Insights into EnhancingVoluntary Disclosures. Steering Committee Report,Business Reporting Research Project.

Institute of CharteredAccountants in England andWales. 1993. Guidance on the Operating and FinancialReview. London: Financial Reporting Committee—Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England andWales. 1998a (revised in 2003). The Combined Code:Principles of Good Governance and Code of BestPractice. London: Institute of CharteredAccountants in England and Wales.

Institute of Chartered Accountants in England andWales. 1998b. Financial Reporting of Risk: Proposal fora Statement of Business Risk. London: FinancialReporting Committee—Institute of CharteredAccountants in England and Wales.

Institute of Chartered Accountants in England andWales. 1999a. Inside Out: Reporting on ShareholderValue. London: Institute of Chartered Accountantsin England and Wales.

Institute of Chartered Accountants in England andWales. 1999b. Internal Control: Guidance for Directorson the Combined Code. London: Internal ControlWorking Party—Institute of CharteredAccountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 2000a.No Surprises:The Case for Better Risk Reporting. London: Institute ofChartered Accountants in England and Wales.

Institute of Chartered Accountants in England andWales. 2000b. Prospective Financial Information:Guidance for UK Directors. London: Institute ofChartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 2003. Preparing an Operating andFinancial Review: Interim Process Guidance for UKDirectors. London: Financial Reporting Committee—Institute of Chartered Accountants in England and Wales.

International Federation of Accountants. 2002.Managing Risk to Enhance Shareholder Value. NewYork: International Federation of Accountants—Financial and Management Committee.

K-Bro Linen Income Fund. 2005. Management’sDiscussion and Analysis and Interim ConsolidatedFinancial Statements for the Period from February 3,2005 to June 30, 2005.

Lang, Mark H., and Lundholm, Russel J. 1996.Corporate Disclosure Policy and Analyst Behaviour.Accounting Review,Vol. 71, No. 4.

Lev, Baruch. 1992. Information Disclosure Strategy.California Management Review,Vol. 34, No 4.

TELUS. 2006. Enterprise Risk Management andInternal Audit at TELUS: Engagement,Discussion, SharedOwnership and Governance.

The 2005 Oversight Systems Financial Executive Reporton Risk Management, Oversight Systems, Inc.May, 2005.

Willis, Jim, and Adelowo Okunade,Albert. 1997.Reporting on Risks:The Practice and Ethics of Healthand Safety Communication.Westport: Preager.

APPENDIX 1: REGULATIONS ON REPORTING OF ORGANIZATIONAL RISKS

Under the Sarbanes-Oxley Act of 2002, U.S.listed companies are subject to requirements formanagement and independent auditors’ reportingon the effectiveness of internal control overfinancial reporting.This regulation requires acompany’s annual report on a Form 10-K, filedwith the SEC, that includes management’sassessment of internal control over financialreporting and the related auditor’s report on thatinternal control. Management’s report mustidentify the framework it used, and describe itssuccess in evaluating the effectiveness of internalcontrol over financial reporting. Regulators requiremanagement’s report to disclose the nature of anymaterial weakness in sufficient detail to enableinvestors and other financial statement users tounderstand the weakness and evaluate theunderlying circumstances .

The 8th Directive on Company Law introducessimilar regulation in the European Union. LikeSarbanes-Oxley, at the core of the 8th Directive isa commitment to restoring investor confidence inthe markets,which means that directors of U.S.listed companies with a dual European listing mustbe familiar with this directive as well.Directorsand auditors have a particular responsibility torepresent and protect investor interests throughthe quality, depth and breadth of their respectiveoversight activities.More specifically, the 8thDirective has an impact across two broad areas:

• Responsibilities of the audit committee: Publicinterest entities are required to appoint anaudit committee,which will now have greaterfiduciary responsibility for risk management,including oversight of the internal audit functionand internal controls structure.The auditcommittee is required to monitor theeffectiveness of the company’s internal controls,internal audit, and risk management systems.

• The audit committee’s relationship with theauditor:The audit committee now hasresponsibility for the selection of the externalaudit firm and oversight of auditorindependence.The auditor is required toreport to the audit committee on key mattersarising from the statutory audit, includingmaterial weaknesses in internal controls inrelation to the financial reporting process.

Regulatory bodies have made little attempt toprovide an explicit integrated framework forbroader corporate risk disclosure.The status of

current regulation of broader risk reporting isprimarily focused on narrower issues, such asmarket risk associated with the use of derivatives.In the United States, Financial ReportingRelease No.48 (FRR 48), issued by The Securitiesand Exchange Commission (SEC) in 1997, requiresthe SEC registrants to disclose both qualitativeand quantitative information about market risks(potential losses arising from adverse changes ininterest rates, foreign currency rates, commodityprices, and equity prices). In practice, disclosure bylisted companies varies widely in detail and clarity,and is spread throughout the ManagementDiscussion and Analysis (MD&A) and the notes tofinancial statements.This makes it difficult forinvestors to gather information and makeappropriate risk assessments. SEC rules containmany financial disclosure requirements, but theyalso address safe harbor provisions that protectmanagement from liability for financial projectionsand forecasts made in good faith. FRR 48,therefore increases available risk information, butorganizations often subvert the intent of thelegislation by burying or defusing the data.

In the United Kingdom,guidance on theOperating and Financial Review (OFR) (similarto the MD&A), introduced in 1993 and revised in2003 by the Institute of Chartered Accountants inEngland and Wales (ICAEW) for listed companies(and other companies voluntarily), recommendsincluding a review of risks in the annual report,without specifying how detailed the review shouldbe. Further, in 2005, the Accounting StandardsBoard (ASB) issued the Reporting Statement ofBest Practice on the Operating and FinancialReview.The Reporting Statement sets out aframework of the main elements that should bedisclosed in an OFR, leaving it to directors toconsider how best to structure their review, in thelight of the entity’s particular circumstances. Itcontains recommendations on the disclosures thatshould be made in respect of any key performanceindicators included in an OFR, but it does notspecify any particular performance indicators thatentities should disclose, nor how many, on thegrounds that this is a directors’ decision.

The Combined Code on Corporate Governanceis published by the Financial Reporting Council(FRC) and requires listed companies to maintain asound system of internal control to safeguardshareholders’ investment and the company’sassets. The Listing Rules require companies toprovide a statement in their annual report on howthey have applied the Code Principle and CodeProvision relating to internal control. Companies


41

42

M A N A G E M E N T

S T R A T E G Y


also need to confirm that they need to comply withthe provision or where they do not, to provide anexplanation. Additional guidance was developed toassist listed companies to implement the coderequirements relating to internal control. This isnow commonly known as the Turnbull Guidanceand is based on a risk-based approach to internalcontrol. It emphasises the need to incorporate thisapproach into normal management processes andis designed to enable companies to adapt theguidance to its own circumstances.

Under current provisions, corporate riskdisclosure is still generally at the discretion ofthe board of directors of individual companies,and a matter of voluntary disclosure rather thanregulatory compliance.

APPENDIX 2: EXISTING GUIDANCE ON VOLUNTARY DISCLOSURE AND FRAMEWORKSFOR ORGANIZATIONAL RISK REPORTING

• The American Institute of Certified PublicAccountants (AICPA, 1994, 2004) proposeda framework for voluntary disclosure aimedat improving the quality and effectiveness offinancial reporting.To provide information forinvestors, companies should considerdisclosing five different types of data andinformation: financial and non-financial data,management’s analysis of financial and non-financial data, forward-looking information,information about managers and shareholders,and company background.The frameworkexplicitly addresses external reporting, and istherefore primarily relevant to capitalproviders and financial analysts. It provides nospecific guidance on the format, frequency ofthe report, or communication channels.

• The Canadian Institute of CharteredAccountants’ reporting guidelines (CICA,2001) suggested a reporting framework thatincludes information concerning companyvision (core business and long-term businessstrategy), critical success factors, capabilities(resources) to achieve desired results, expectedresults, and connected risks and opportunities.Again, the framework provides generalinstructions along with the content of anexternal risk report, without specifying theformat, frequency, design, andcommunication channels.

• The COSO Enterprise Risk Management—Integrated Framework (COSO, 2004a,2004b) addresses risk management processesin general. It proposes that information isneeded at all levels of an organization torespond to risks, and to otherwise run theentity and achieve its strategic, operational,reporting, or compliance objectives. Financialand non-financial information would include(a) external events, for example,market- orindustry-specific economic data that signalschanges in demand for an organization’sproducts or services, (b) market intelligenceon evolving customer preferences ordemands, (c) information on competitors’product development activities, and (d)legislative or regulatory initiatives.Organizations should provide a risk map thatdisplays significant residual risks that exceedthe organization’s risk appetite, or report onthe target risk tolerances for specificperformance measures and actual results.Theframework also provides exhibits andapplication techniques, both qualitative andquantitative, that can be used in managerialreports on organizational risks.Qualitativetechniques include likelihood risk rankings,impact risk rankings, or descriptive riskassessments.Quantitative techniques includeprobabilistic techniques (value at risk, cashflow at risk, earnings at risk, assessment of lossevents, and back-testing) and non-probabilistictechniques such as sensitivity analysis, scenarioanalysis, and stress testing.The framework isvery useful for overall risk management, butprovides only limited specificity on thecontent, format, and frequency of the (internaland external) risk reports.

• Epstein and Rejc (2005) provide a specificmodel, Risk Management Payoff Model:Calculating a Risk Management InitiativeROI, to calculate a risk management initiativeROI so that managers can integrate risks intheir investment decisions. First, the monetaryvalue of a risk management initiative benefitis calculated.Then, the total cost of a riskmanagement initiative is summed, includingfront-end direct cost, disruption costs relatedto human and organizational factors, andoperating costs of the risk managementinitiative. Finally, the risk management initiativeROI is calculated. Such a formula can be usedto evaluate the payoffs of specific riskmanagement initiatives and, as organizationsmake new capital project decisions, to

explicitly acknowledge the potential risks andcosts of those risks on organizationalprofitability. This model is therefore primarilyfocused on internal risk reporting.

• The SEC encourages companies to discloseforward-looking information in their annualreports so that investors can better understanda company’s future prospects and makeinformed investment decisions. In a typicalannual report, MD&A would be preceded by asection on the ‘Risks and Uncertainties ThatMay Affect the Organization’s Future Results’,where the nature of forward-lookinginformation would be explained and risk anduncertainties revealed. Here, words such as‘anticipate’,‘project’,‘intend’, and ‘believe’, whichdescribe future operating or financialperformance, identify these forward-lookingstatements.Typical risks and uncertainties mightinclude research and product development,financial risk management, internationaloperations and foreign markets, patents andintellectual property rights, competition,government regulation and price constraints,litigation, tax legislation, and environmental lawcompliance.The SEC provides no specificdirections on how risk and uncertaintiesinformation should be disclosed as to risk

report structure and format, or whatquantitative evidence is required. It is focusedprimarily on investors’ risk reporting interests.

Guidance on general principles of risk disclosure isalso offered by:

• Papers issued by professional bodies andresearch institutes (Institute of CharteredAccountants in England and Wales, 1998b,1999a, 2000a, 2000b, International Federationof Accountants, 2002).All share the commongoal of proposing principles and structures forapproaching forward-looking disclosure andcommunication of a fair and integrated view ofthe company risk profile.

• The FASB Framework for Providing VoluntaryDisclosure (Financial Accounting StandardsBoard, 2001). It includes identification ofcritical success factors, management’sstrategies and plans for managing thosecritical success factors, and metrics tomeasure and manage the implementation ofstrategies and plans. It also includesconsideration of whether voluntary disclosurewould adversely affect the organization’scompetitive position, and, if disclosure isdeemed appropriate, a definition of how bestto voluntarily present that information.


43

44

M A N A G E M E N T

S T R A T E G Y


THE AUTHORS:

Marc J. Epstein is Distinguished ResearchProfessor of Management at Jones GraduateSchool of Management at Rice University inHouston,Texas. He recently was VisitingProfessor and Wyss Visiting Scholar at HarvardBusiness School. Prior to joining Rice, Dr. Epsteinwas a professor at Stanford Business School,Harvard Business School, and INSEAD(European Institute of Business Administration),Dr. Epstein has written previous MAGS for theAICPA and CMA Canada including co-authoring“Applying the Balanced Scorecard” and“Measuring and Improving the Performance ofCorporate Boards Using the BalancedScorecard”,“Evaluating Performance inInformation Technology” and “Identifying,Measuring, and Managing Organizational Risk for Improved Performance”. He has also writtenother articles on strategic management systemsand performance measurement, and over 100articles and 15 books. In 1999, he wrote theaward winning “Counting What Counts:Turning Corporate Accountability toCompetitive Advantage”.

Adriana Rejc Buhovac is presently AssistantProfessor at the Faculty of Economics at theUniversity of Ljubljana. An expert in the designand implementation of performancemeasurement and evaluation systems, Dr. RejcBuhovac is the author of numerous papersincluding “Determinants of PerformanceMeasurement System Design and CorporateFinancial Performance”,“Toward ContingencyTheory of Performance Measurement”,“Howto Measure and Improve the Value of IT”, and“What's in IT for You (and Your Company)”. Inaddition to her research on the topic, Dr. RejcBuhovac has worked with numerous companieson the evaluation of performance of the humanresources function, and on the implementationof strategic performance measurementsystems. She is a member of the Editorial Boardof the Advances in Management Accounting(AIMA).With Marc Epstein, Dr. Rejc Buhovaccoauthored two recent ManagementAccounting Guidelines for CMA Canada andthe AICPA: “Evaluating Performance inInformation Technology” and “Identifying,Measuring, and Managing Organizational Riskfor Improved Performance”.

Barry Baptie,MBA,CMA,FCMABoard of DirectorsVCom Inc

Richard Benn,MBA,CMA,FCMAVice President Knowledge and ProgramDevelopmentCMA Canada

Ken Biggs,CMA,FCMA,FCABoard Director and Business Consultant

Dennis C.Daly,CMAProfessor of Accounting Metropolitan State University

William Langdon,MBA,CMA,FCMAKnowledge Management Consultant

Melanie Woodard McGee,MS,CPA,CFEDirector of MBA ProgramsThe University of Texas at Arlington

David L.Tousley,MBA,CPAChief Financial OfficerairPharma, LLC

Robert Torok,MBA,CAExecutive ConsultantIBM Global Business Services

Kenneth W.Witt,CPATechnical Manager,The New Finance American Institute of Certified Public Accountants

This Management Accounting Guideline was prepared with the advice and counsel of:

For additional copies or for more information on other products available contact:

In the U.S.A.: American Institute of Certified Public Accountants1211 Avenue of the AmericasNew York,NY 10036-8775 USATel (888) 777-7077, FAX (800) 362-5066www.aicpa.orgVisit the AICPA store at www.cpa2biz.com

In Canada and elsewhere: The Society of Management Accountants of CanadaMississauga Executive CentreOne Robert Speck Parkway, Suite 1400Mississauga,ON L4Z 3M3 CanadaTel (905) 949-4200FAX (905) 949-0888www.cma-canada.org

The views expressed in this Management Accounting Guideline do not necessarily reflect those of theindividuals listed above or the organizations with which they are affiliated.

030003 ISO Certified

AICPA Member andPublic Information:www.aicpa.org

AICPA Online Store:www.cpa2biz.com

reporting of organisational risks for internal and ... · pdf filestrategy measurement the...

Documents