Practical ideas: Include risk information in the company’s external communication

Risk disclosure is very important. Increasingly, stakeholders expect companies to test and disclose the effectiveness of their management of not only financial risks but also other business risks, including market, operational, safety and legal risks.

When disclosing information about risks to external stakeholders, it is recommended to include at least:

  • A brief statement about the company’s overall commitment to risk-based planning, budgeting, project management, investment and decision-making. This information may be disclosed in the annual report and on the company’s website in the section entitled “Corporate Governance”.
  • A more detailed statement in the annual report, including:
    • overview of the current risk-based processes,
    • the progress that has been made in integrating risks and building risk culture since last year,
    • the management structure, which contributes to the risk-based management of the company and any other significant achievements.

In the true spirit of risk management integration, it may be a good idea to spread the information about risk management throughout the annual report instead of creating a separate section titled “Risk Management”. For example, risks associated with strategic objectives may be described in the Company Strategy sections, risks associated with liquidity, foreign exchange and interest rates may be described in the Financial report (most organisations already do this part), risk associated with social and environmental activities covered in the Social responsibility section etc.

The disclosure of the following information is optional: information about key risks associated with the business plan or the achievement of the strategic objectives, and any information about past incidents or losses. Keep in mind that risk management disclosure should not include any sensitive information or trade secrets.

It is important to remember, however, that some risks may be required to be disclosed by law.

Other external reports where risk management information may need to be disclosed:

  • any fundraising activities;
  • security issuer quarterly reports;
  • other documents, required by stock exchanges, regulators or investors.

Finally, we would like to encourage risk managers to present at conferences and related events to talk about risk management and to raise awareness about ISO31000:2018.



  • Get involved in the preparation of external company reports. Update internal policies and procedures to take ownership of the preparation of all sections related to risk management.
  • Review guidance published by central banks, stock exchanges or other legal requirements related to disclosing risk information.
  • Develop a calendar of external reports throughout the year to keep track of all obligations.
  • Present at risk management conferences to talk about risk management and raise awareness about ISO31000:2018.
