Reporting in the comfort zone (again)
27 March 2017
In our annual review of FTSE 350 reporting practices, we found that too many companies were reporting within their ‘comfort zone’. We have recently seen more evidence of this when looking at reporting practices around the topical issues of cyber security, climate change and Brexit.
From a reporting point of view the Financial Reporting Council (‘FRC’) set the direction in its letter to Audit Committee Chairs and Finance Directors last October, specifically pointing to these areas for companies to consider when determining their principal risks and uncertainties.
The FRC’s key message was that these issues are of such significance to the economy in general that every company should consider their implications – not that they should necessarily be principal risks in every case.
Our recent global investor survey re-iterates the importance of these issues to investment professionals with, for example, 73% of investors telling us they are concerned about the threat of cyber security to company growth prospects.
A number of other high-profile and important initiatives are relevant to these areas too. From a reporting perspective we would draw out two: the revised regulations on reporting on non-financial information (yes, despite Brexit we are still implementing changes to the Companies Act driven by EU Directives) and the BEIS Green Paper on Corporate Governance Reform.
It would be easy for UK quoted companies to underestimate the potential impact of the non-financial reporting changes. But, even if reporting on areas like environmental, employee and social matters is not new, we think that the significance of our trio of specific issues will create much more focus on them than has typically been the case.
Also, with the focus in the Green Paper on improving the reporting of how boards have considered a wider range of stakeholders, companies will need to look beyond the obvious angles and think in different ways about how cyber security, climate change and Brexit could affect their stakeholders (and hence their shareholders).
Although cyber security, climate change and Brexit are very different issues, they throw up similar reporting challenges – the same ones that we introduced and discussed in our earlier paper Tackling risk reporting > practical suggestions, positive thinking.
Given the spotlight on each of these issues we recently carried out a review of a sample of FTSE 350 2016 September year end reporters1 to get a sense of how companies are reporting on them at the moment, and our Point of View released last week sets out our findings.
Here’s a snapshot of what we saw:
The significance of cyber security is recognised by almost every company. There is some willingness to report on the resources and governance dedicated to it, but the issue itself is too often reported in a way that is too generic - maybe in an effort to avoid creating more risk, or maybe because many companies have not yet sufficiently pinned down the issue or its potential impact.
We acknowledge the statistics above are not reflective of the whole FTSE 350 - given the lack of companies in carbon-intensive sectors in our sample. However, from what we saw, climate change is often still seen as a stakeholder issue that does not yet affect strategy and financial performance today. The extent and timing of the potential future impacts – whether they are direct physical impacts on the business or regulatory changes, or both – is rarely made clear enough.
Brexit - uncertainty is still central to many of these disclosures but companies are starting to be more specific about some of the impacts (or explaining why Brexit is not a risk for them). Governance disclosures are also starting to reflect the issue too.
Clearly scope for improvement then, and we plan to keep working on this with companies over the rest of this year, encouraging them to report on these areas in a way that has real information value for shareholders – whether it’s outside their comfort zone or not.
1. A sample of 19 September 2016 year end annual reports that were released at the time of conducting this research