The FRC & Risk: 25 years of learning

Garry Honey, Founder of Better Boards, writes:

The 1992 Cadbury report was produced as the UK government response to high-profile scandals such as BCCI and Polly Peck. It was felt that standards needed to be set and managed by a government agency in order to protect the reputation of the City and the probity of its regulatory regime. The Cadbury report formed the bedrock of the UK Corporate Governance Code (the Code), which is the responsibility of the Financial Reporting Council (FRC).

The Code was revised and updated regularly with guidance on the way financial information should be made available to investors in the interests of transparency and fairness. By 2005 the government was ready to launch the Operating and Financial Review (OFR), but this was scrapped at the last minute and replaced by the 2006 Companies Act, in which, under clause 417 of the Enhanced Business Review, corporations were required to report their principal risks.

The 2008 global crash was a wake-up call to those who might wrongly classify or under-report risk, so the 2010 Code update expanded on what were considered significant risks. In 2011 the FRC conducted its own research into the inadequacies of risk reporting in general and identified three key areas where articulation of risk could be improved: approach, in terms of culture and collective responsibility; interpretation, in terms of appetite, tolerance and exposure levels; and information that shows why a risk is significant, plus contingent factors that will reduce it.

Not surprisingly, the Code was updated again in 2012, going yet further into what good governance should include: commentary on drivers of business value and strategy. In 2013 the government introduced the Strategic Report – an amendment to the Companies Act – ‘to provide insight into the entity’s main objectives and strategies, and the principal risks it faces and how they might affect future prospects’. This was not without some controversy, as explanation of a business model was seen as superfluous: some felt it was self-evident and others confidential.

In 2013 the Department of Business Innovation & Skills (BIS) was driving the agenda. It felt that companies spent too much time reporting past success and not enough on forecasting future returns, so it introduced the requirement for an explanation of business model including strategy and risk. This caused some complications for dual-listed corporations, which also had to comply with the US regulator, which took a different view. While the UK was encouraging corporations to talk openly and honestly about future risks, the US was much more wary of reporting any risk without some prior legal protection for the disclosing party. Jurisdiction alignment was a barrier to better reporting.

This dilemma highlights the confusion surrounding the word risk itself. The economist Frank Knight wrote on the distinction between risk and uncertainty in 1921, postulating that the two terms had not been adequately separated. To him risk was measurable and uncertainty immeasurable; today, however, we accept risk as a control function, thanks largely to the way risk is seen as a threat to business continuity which demands some contingency planning. Risk as opportunity or gain tends to be eclipsed by the understanding of risk as threat. Uncertainty is a word that needs more exposure.

The dilemma also posed the uncomfortable question of the ability of auditors - whose skill lies in forensic examination of performance - to police future forecasts of strategy and risk, both of which, being speculative, defy any comparison with ‘the right answer’. Back in 2013 the European Financial Reporting Advisory Group (EFRAG) took the view that future forecasts should have no place in accountancy practice, which must by definition be evidence-based.

This brings me to the two remaining questions: what is the purpose of risk reporting, and who determines what is a principal risk? Let’s tackle the purpose first, as this is marginally the easier of the two. This is the warning to investors that they may lose as well as gain; it is the government’s ‘caveat emptor’ requirement. The purpose of risk reporting is to aid the decision process. It is not to list every possible known eventuality: history shows that crises were always absent from risk registers, and catastrophes are always termed ‘unimaginable’ or ‘exceptional’. The FRC encourages risk reporting that articulates future uncertainty with clarity and candour.

Reporting risk to a regulator is not the same as reporting risk to an investor: their appetites are different, and what is attractive to one is repellent to the other. This becomes a challenge like a juicy bone thrown to Corporate Communications, or passed between Investor Relations and Compliance. In a stakeholder-aware corporation messages need to be adjusted to suit audience expectations, but risk is a topic that comes with baggage. This of course is if it ever leaves the board room with a consensus in the first place. Every director will bring their own perspective to the table about what constitutes a risk and whether it is acceptable or not.

This leads me neatly on to the second question: who defines and determines a risk? Is it the Chief Risk Officer (CRO), Head of Risk & Audit Committee or some other ‘expert authority’ within the organisation? Given that the board should take collective responsibility for risk, there are still a large number of organisations where the board relies on a single individual or a department as the risk authority. Anyone around a board table can identify a risk and should argue for time to debate it, but how often does this really happen?

Risk is a topic that needs to be properly rehabilitated within boardrooms, especially in times of economic and political uncertainty. Risk aversion will not produce growth and will stifle innovation, so a more positive approach to risk is urgently needed to stimulate the UK economy, especially with the Brexit negotiations breeding further uncertainty. Throughout 2017 the FRC’s Financial Reporting Lab has been looking at risk and viability reporting, and a report is due by the end of the year.