So what is a ‘principal risk’?

21 October 2016

Risk reporting continues to be high on the corporate reporting agenda. The Financial Reporting Council (FRC) has just issued its annual letter to preparers, indicating where it thinks improvements are needed in annual reports for the upcoming reporting season. It also emphasised again the need to think carefully about a now well-established trio of issues: climate change, cyber security and Brexit.

The FRC’s letter of course recognises that the significance of each of these will vary from company to company, and there’s no suggestion that they must always, for instance, be principal risks. It looks as though this will be another difference between UK principal risk disclosures and US-style ‘risk factors’. The threat of instability in the global markets as a result of Brexit will be enough for it to feature as a risk in many SEC filings in the upcoming season, but UK principal risks should be much more tailored to the specific company’s circumstances. Each of the trio of issues is difficult to address, for different reasons: Brexit is of course surrounded by uncertainty and speculation[1]; whatever a company says about cyber risk can be seen as an invitation to hackers; and although climate change is clearly a global challenge, the impact on a particular company can be hard to pin down.

Stakeholders who are focused on climate change point out that companies in sectors like oil & gas will be impacted, and therefore believe strongly that those companies should be addressing the issue in their annual reports now. I won’t debate the extent to which companies are already doing so, or indeed how the differing impacts should be reflected in each case. What strikes me, and what I wanted to focus on in this post, is how much all of this hinges on the question of what is meant by the term ‘principal risk’[2].

Defining principal risks

In my experience, companies and directors generally see the principal risks in the annual report as short to medium term disclosures (actually, many see them as having a look-back angle too – some of the ‘movement in risk’ disclosures in principal risk tables relate to the impact in the year being reported on rather than the change in the year that could affect future periods). What’s clear, however, is that many of the stakeholders who are engaged with this area understand the principal risk concept as something more long term, with a particular focus on the sustainability of the business model.

Much of the debate around the viability statement has also come down to the same underlying point: to what extent is the annual report the place to discuss issues that are on (or over) the edge of what directors can quantify or plan for in any detail? It seems that stakeholders increasingly want this kind of information, but companies and directors are extremely reluctant to enter into what they see as the realm of speculation – at least partly because they don’t think ‘the market’ will understand what’s being said, and the extent to which it’s uncertain and subject to change. The worst-case scenario of course is that they might, in years to come, be held to account for what they’ve said.

For the viability statement, we suggested an approach that would allow directors to restrict the period of their formal confirmation (that they have a reasonable expectation that the company will be able to meet its liabilities as they fall due) to a relatively short period, but would still allow the longer-term context to be addressed. This involved thinking about the assessment of the company’s long-term prospects first, with its viability (i.e. the period over which detailed financial information is available to support the formal statement) as a subset of this. It seems to me that a similar approach could be taken to climate change disclosures: this could mean, for instance, dealing with the more short to medium term issues as part of the principal risks, and the longer-term aspects alongside the viability statement (or as part of the business model or strategy disclosures).

Actually, though, as we explained in our recent guide on risk reporting, the real key – for climate change as for any other potential risk – is to be clear about what exactly the issues are for the company, and the relevant timeframe. The ongoing attention from regulators and from stakeholders should leave us all in no doubt that minimalist disclosures are no longer the safest way to manage the reporting risks in these areas.


For more on how we see risk reporting evolving, download ‘Tackling risk reporting > Practical suggestions, positive thinking’ today.


[1] See our framework for Brexit disclosures for ideas about how to deal with this.

[2] For the record, the FRC Guidance on the strategic report [para 7.24] states that “The risks and uncertainties included in the strategic report should be limited to those considered by the entity’s management to be material to the development, performance, position or future prospects of the entity. They will generally be matters that the directors regularly monitor and discuss because of their likelihood, the magnitude of their potential effect on the entity, or a combination of the two”.

John Patterson | Corporate Governance Consultant
Profile | +44 (0) 1223 55 2413

