External Risk Reporting: Germany and US
Whom do we advise when we uncover new risks? The conventional answer is to tell people inside the organization: operating managers, senior managers and, in certain circumstances, the governing board. Some mention may be made to shareholders and analysts in the annual report. In the US more is required in a corporation’s 10-K filing with the Securities & Exchange Commission. In certain countries regulators ask for periodic reports on potential risks created by the use, for example, of toxic chemicals.
Yet many other stakeholders, groups that are also “investors” in the organization and its future, are parties to risks and their management. They too should be part of the risk communications network. This conclusion is being embodied in new standards and guidelines in both Germany and the US.
Last year (in RMR May 2001), I summarized several new Practice Advisories from the Institute of Internal Auditors, one of which, PA 2100-5, stressed the communication of risk information to “all stakeholders.” The suggested information spanned the identification of major risks, the level of acceptable risk, the risk mitigation activities put into action, monitoring methods and periodic reports. Unfortunately, nothing was said about how to communicate, especially with groups other than senior managers, the board and shareholders.
This past summer, a researcher at Ernst & Young, in Geneva, Hermine Mauvernay, contacted me about her studies on global external risk reporting and shared a copy of the German Accounting Standard No. 5, entitled “Risk Reporting.” Adopted by the German Accounting Standards Board (GASB) in April 2001, it includes two subsections, one (GAS 5-10) directed at financial institutions and financial service institutions, and the other (GAS 5-20) for insurance enterprises.
Common threads run through these three documents:
Unfortunately this Standard views risk solely in its negative face: “the possibility of a future negative impact on the economic position of a group.” It contrasts “risk” with “opportunity,” the possibility of a future positive effect. GAS 5 mandates that “risks may not be set off against opportunities,” which I find completely misleading. We make decisions only in the belief that upside results will more than compensate for any downside events. To separate risk from opportunity (using the German definitions) is wrong. External stakeholders must know both sides of the risk equation.
In the basic Standard, risks are categorized as (1) general business environment and industry specific, (2) business strategy, (3) performance and profitability, (4) personnel, (5) information technology, (6) financial, and (7) other. The Financial Institution Standard is more definitive, grouping risks as credit, liquidity, market, and operational, terms in active use in many organizations today.
GAS 5 and its sisters suffer from the same malady as last year’s IIA Practice Advisory. They make no mention of how, how often and with whom we are to go about this “reporting” other than in annual reports, a one-way affair. They overlook the need for a continuing two-way risk dialogue with stakeholders. Simple disclosure is not enough: we need thoughtful input from other “investors” to make better risk management decisions. Their perceptions on an organization’s risks constitute the basis of their confidence in its future.
Perhaps Hermine Mauvernay will complete her summary of global guidelines and suggest some new and innovative steps. I look forward to her report. We have much work to do in this critical area of risk communication.
Copyright H. Felix Kloman and Seawrack Press, Inc.