Its time to replace Risk Factor reporting with comprehensive reporting on governance, risk and compliance (GRC).
Call it ERM or whatever you please.
Beginning in 2005, the SEC required filers to include qualitative disclosures of risk factors in item 1A of their annual 10-K forms. Item 1A Risk Status disclosures have consistently failed to predict critical risks.
Over the years, here is a short list of risks that have been missed.
Fraudulent financial reporting, cyber risks, supply chain failures, climate change, earthquakes, hurricanes, technological obsolescence, shifting consumer tastes not to mention pandemics.
For that matter most lesser operational risks have been “surprises”. Yet they were either known or knowable.
We need to understand not just what bad things can happen. We need to understand our ability to predict and manage them and to make personal and business that allow us to achieve objectives.
Here is a headline from one company’s recent Item 1A Risk Factor filing.
“Future operating results depend upon the Company’s ability to obtain components in sufficient quantities on commercially reasonable terms”.
Profound? Hardly. Is this useful information? Can you make a buy/sell decision based on this disclosure? You be the judge.
If your company is listed on an exchange other than the SEC, you probably have another, but similar risk reporting requirement. Its probably not much better.
Today corporate lawyers and others condense information about business risks into dense, boilerplate, impenetrable prose, based largely on what was reported last year and what competitors are reporting. It is essentially a legal document designed to protect the corporation from liability. It is not intended to provide insights for to help investors price the business risks. Its purpose is to say “I told you so”.
Isn’t bad risk information is worse than none at all.
The concept of integrated GRC exists. But its largely an unfulfilled fantasy. Few of the various professions and practitioners share the vision of an integrated report. Professional standards requiring, let alone guiding integration don’t exist. OCEG alone provides comprehensive criteria for principled performance.
All GRC professions and practitioners profess they value. Value doesn’t just mean feeling good about what you do. There is no better way to demonstrate value than to guide the decisions made by executives and investors and demonstrate the impact on performance and economic value of the enterprise.
The chief arguments against expanding Item 1A reporting is that it would expose companies to liability and advantage competitors. That argument can be made for any mandated disclosures today, including financial statements.
Its not enough for an accounting department to produce journal entries. They must produce financial statements.
Its not enough for GRC professionals to produce “findings”. They must produce knowledge that explains, predicts performance and informs decisions.
There is no chance that integrated GRC reporting will evolve spontaneously. It must be driven from above. Mandated public reporting of GRC status and business objectives will drive integration.
What Would Consolidated GRC Reporting Look Like?
Instances of consolidated GRC reporting are rare, but they do exist. One of my favorites was developed by Saret Van Loggerenberg, now Group Company Secretary and Legal at Exxaro Resources. She demonstrated that the 1st line of defense is willing, if not eager and able to engage in risk management activities if they helped achieve objectives and enhanced performance. Her initiative was begun around 2012 and the results of that initiative are reported in a recent annual report.
During my time at SAP, my colleague Thomas Frenehard demonstrated the power of technology to pull GRC data into a digital board room environment. As powerful as it was for me, it tapped into no more than 25% of the potential it holds for business. The potential is huge.
My colleague Tim Leech has worked for years to challenge conventional thinking and develop technology, tools and capabilities to advance and transform professional practices. Here is an example of a simple dashboard which has potential for use in reporting. Corporate objectives can be listed along with the certainty of achieving them. Underlying the certainty rating is extensive documentation of GRC information.
Never in history have so many resources, people, technology and tools been dedicated to. the examination of GRC. Never has so much activity produced so little knowledge.
What innovation exists has come from will come from the edges of the profession, not the center. Transformation has never been more necessary.
Should we consider our failure to offer integrated GRC reporting as the leading Risk Factor in Item 1A Risk Factor Reporting?
Maybe we should look forward to the future and hope that the concept of fraudulent GRC reporting emerges. That would be a sign of progress. In order for fraudulent GRC reporting to exist there must be a correct way. Today there is none.
What do you think? Are you ready to begin this journey?