Risk disclosure is very important. Increasingly, stakeholders are expecting companies to test and disclose the effectiveness of not only financial risk management but also other business risks, including market, operational, safety, legal etc.
When disclosing information about risks to external stakeholders, it is recommended to include at least:
- A brief statement about the company’s overall commitment to risk-based planning, budgeting, project management, investment and decision-making. This information may be disclosed in the annual report and on the company’s website in the section entitled “Corporate Governance”.
- A more detailed statement in the annual report, including:
- overview of the current risk-based processes,
- the progress that has been made in integrating risks and building risk culture since last year,
- the management structure, which contributes to the risk-based management of the company and any other significant achievements.
In the true spirit of risk management integration, it may be a good idea to spread the information about risk management throughout the annual report instead of creating a separate section titled “Risk Management”. For example, risks associated with strategic objectives may be described in the Company Strategy sections, risks associated with liquidity, foreign exchange and interest rates may be described in the Financial report (most organisations already do this part), risk associated with social and environmental activities covered in the Social responsibility section etc.
The disclosure of the following information is optional: information about key risks associated with the business plan or the achievement of the strategic objectives and any information about the past incidents or losses. Keep in mind, that risk management disclosure should not include any sensitive information or trade secrets.
It is important to remember however that there may be some risks which are required to be disclosed by law.
Other external reports where risk management information may need to be disclosed:
- any fundraising activities;
- security issuer quarterly reports;
- other documents, required by stock exchanges, regulators or investors.
Finally, we would like to encourage risk managers to present at conferences and related events to talk about risk management and to raise awareness about ISO31000:2018.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
| ☐ | Get involved in the preparation of external company reports. Update internal policies and procedures to take ownership over preparation of all sections related to risk management |
| ☐ | Review guidance published by central banks, stock exchanges or other legal requirements related on disclosing risk information |
| ☐ | Develop a calendar of external reports throughout the year to keep track of all obligations |
| ☐ | Present at risk management conferences and talk about risk management and raise awareness about ISO31000:2018 |
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
2 thoughts on “Practical ideas: Include risk information in the company’s external communication”