We need far better public reporting of risk factors. The tools and technology are available. Practices must improve.
Like many of the posts on GRC and COVID-19 these days, this one is another case of closing the barn door after the horse has escaped. But it's sometimes worth looking back, not to assign blame but to learn for the future.
For years I have worked with internal auditors and risk managers. In the case of internal auditors, building a risk-rated audit universe is critical. Internal auditors need to prioritize their resources to the most critical risks. For risk managers, identifying and managing the right enterprise risks was usually the topic. In either case, assigning resources to the right risks seemed worthwhile.
One rich source of information, usually regarded with indifference, if not contempt, by GRC professionals, is Section 1A Risk Factor reporting in corporate 10-K filings and in similar filings in other jurisdictions. I can’t think of a single audit or risk management client who regarded this as useful information that could inform their work. Indeed, risk factor reporting is very broad and general. There is no formal risk assessment, no ranking of risks, and little if any graphical information is provided.
But risk factor reporting is usually quite comprehensive in terms of categories of risks and their impacts, even if it lacks an analytical perspective or an objective focus. I think of it as raw data that could drive knowledge and action.
With this thought in mind, I thought I’d download and search a few annual reports and filings from several global pharmaceutical companies, global insurance companies and global manufacturers. It seemed to me the first two of these industry groups at least would be very susceptible to losses as well as opportunities from pandemics. Other global companies would potentially suffer business interruption at a minimum. All would have some stake in managing the risk.
So far, I’ve looked at only a handful of company annual reports. Pandemic was disclosed as a risk factor in about 40% of cases in my small sample. Interestingly, companies in the same industry failed to disclose it consistently. (One would think if pandemic was a risk for one financial institution, others would see it too. They didn’t.) But where pandemic was listed as a risk factor, the description of impacts was as grim as we are experiencing.
Where should internal auditors and risk managers spend their time if not on critical risks with catastrophic consequences or opportunities?
Research, corroborated by my many years of experience, shows they spend most of their time, some studies suggest in excess of 90%, on tactical operational risks in mature business processes. That is managing known risks and known responses to known risks. Who needs that?
I suggest GRC professionals review and assess their corporate Risk Factor reporting.
– Is your business affected by the current pandemic?
– Was it disclosed in your filings?
– What other risks are described and how are you taking them into account in your professional activities?
– How is your organization responding to risk factors?
– How are your GRC resources responding to risk factor reporting?
How can stakeholders benefit from the information?
How can risk factors be incorporated into business objectives and how can they drive business performance?
In short, how can we make public risk reporting better? We may not be able to prevent pandemics. But we can do a far better job of rating, prioritizing, assessing and reporting risks. Pandemics are not a Black Swan event. They occur regularly.
The methodology, technology and skills necessary to dramatically transform risk management and tie risk management to objectives and performance exist today. Implementation must reach a far higher standard.