STRATEGY / MEASUREMENT
MANAGEMENT ACCOUNTING GUIDELINE

The Reporting of Organizational Risks for Internal and External Decision-Making

By Marc J. Epstein and Adriana Rejc Buhovac

Published by:
NOTICE TO READERS

The material contained in the Management Accounting Guideline Reporting of Organizational Risks for Internal and External Decision-Making is designed to provide illustrative information with respect to the subject matter covered. It does not establish standards or preferred practices. This material has not been considered or acted upon by any senior technical committees or the board of directors of either the AICPA or the Society of Management Accountants of Canada and does not represent an official opinion or position of either the AICPA or the Society of Management Accountants of Canada.
Authors: Marc J. Epstein (Rice University) and Adriana Rejc Buhovac (University of Ljubljana)
about the expected gains without carefully considering all potential risks, including their assessed magnitude and probability of occurrence? Decision-makers need to understand the various organizational risks, to minimize mistaken investments that can cause significant organizational costs. Managers need good risk reporting systems to integrate risk evaluation into (a) their operational and capital investment decisions, (b) review of performance, and (c) compensation decisions. Improved organizational risk assessment and internal risk reporting is also critical for senior management and boards of directors, who are responsible for carefully establishing and reviewing corporate processes for identifying, assessing and managing risk.

The demand for disclosing risk externally is also growing. Investors, financial analysts, and other external stakeholders are increasingly aware of the critical role of proper risk management. They want better information on the various risks organizations confront and how to address them, and are interested in organizational risks far beyond the traditional scope of financial risks. They want concrete assurance that a sound system and process is in place to identify, assess, and manage risks, so that they can better evaluate corporate performance and make more informed decisions.

Increased measurement and reporting of this broader set of risks is necessary, not only to meet the new regulatory requirements but also to improve managerial performance and stakeholder confidence. Senior corporate managers need to develop ways to effectively communicate organizational risks and risk management processes both internally and externally. They face decisions on what to report to each audience and the form of risk reports, including how much detail to include. Senior management therefore needs to clearly understand the risks and promote disclosure to both internal and external decision-makers without causing unnecessary alarm or increasing reporting and compliance risks. A more effective organizational risk reporting system can provide internal and external stakeholders with the information they need to (a) craft strategy, (b) make investment and other business and personal decisions and, at the same time, (c) inspire confidence in the organization's financial reporting and disclosure. This increased focus on risk can turn risk management and risk reporting into an opportunity and reward.

This Guideline addresses these important issues and provides guidance on reporting risks to aid both internal and external decision-making. The Guideline's specific objectives are:

- To discuss the role and importance of risk management and reporting for improved strategic and operational decision-making by senior management and other managers (The Risk Reporting Contribution Scheme). This Guideline focuses first on internal risk reporting, then on external risk reporting.
- To address specific risk reporting questions, including the content of risk reports, their format, placement, distribution, and communication, and the intended impact of risk reporting (The Risk Reporting Model). Again, these questions will be addressed first for internal audiences' needs and requirements, then for those of external audiences.
- To provide templates for real-time and periodic internal and external risk reports;
- To discuss the challenges in risk reporting, including the potential for inappropriate decision-making or dysfunctional behavior of internal and external audiences;
- To discuss the importance of balancing the desire for a complete and fair presentation of organizational risks with avoidance of overreaction that could reduce the appropriate risk-taking that is necessary for business success; and
- To provide guidance on organizational structure and responsibilities related to risk reporting.

The target audience of this Guideline is (a) CEOs and CFOs, (b) senior management teams, (c) boards of directors, (d) members of audit committees, and (e) accounting, internal audit, and finance professionals, all of whom confront challenges of risk assessment, risk analysis, risk control, and risk reporting. The Guideline may also be useful for external auditors, in particular those who attest to and report on management's assessment of the effectiveness of internal control over financial reporting.

RISK MANAGEMENT

In a recent Management Accounting Guideline, Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Marc J. Epstein and Adriana Rejc developed a model (the Risk Management Payoff Model) and
measures for improving the identification, measurement, and management of various organizational risks to improve management decisions. It built on newly created risk assessment requirements of the Sarbanes-Oxley Act of 2002 in the U.S., and similar new regulations in other countries. It also built on work by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the recently issued Enterprise Risk Management Framework, by further specifying the necessary tools for identifying and measuring a broad set of organizational risks.

In that guideline, Epstein and Rejc provided a comprehensive overview of the risk management process (see Exhibit 1), specifically highlighting the role of risk identification and measurement (steps 1 and 2 in Exhibit 1). Risk identification and measurement represent the focus of that guideline, as indicated in Exhibit 1.

Risk management starts with Event Identification. The Guideline suggested that, to minimize risk exposure, organizations should first make a comprehensive list of potential organization-wide risks. Within this step, Exhibit 2 presents a broader framework for identifying risk and listing potential risks organizations often face (see Exhibit 2).

Listing potential organizational risks could increase the attention managers and employees
[Exhibit 1 (figure): the risk management process; recoverable labels: 2 Risk Assessment; 3 Is Risk/Reward Acceptable? Yes / No; 6 Monitoring]
pay to events that might indicate risk. Each organization can develop a combination of techniques and supporting tools to identify risks, such as (a) internal analysis, (b) process flow analysis, (c) discovery of leading event indicators, and (d) facilitated, interactive group workshops and interviews, brainstorming sessions, etc. Developing these techniques and tools will likely ensure that all relevant risks are identified and their sources determined.

Within the Risk Assessment step, all risks identified as potentially important should be assessed for magnitude and probability of occurrence. Various quantitative techniques are available. In addition to assessing the potential cost of a risk materializing, benefits accruing from an appropriate response to the risk should also be assessed. Quantification of both costs and benefits then makes it possible to determine the payoff of a risk management initiative. This Guideline argues that organizations need a framework of key factors (antecedents and consequences) that can enable decision-makers to assess (a) the impacts of risks on costs, but also and more importantly, (b) the benefits offered by successful risk management initiatives.

Exhibit 3 describes the key elements of a measurement model (Risk Management Payoff Model) that includes factors for organizational success in dealing with risks, strategically and operationally. The model includes the critical inputs and processes that lead to risk-related outputs and, ultimately, to overall organizational success (outcomes). It also includes specific drivers related to risk-related inputs, processes, outputs, and outcomes. By identifying the causal relationships between these drivers, managers can better understand how risk management strategies, structures, and systems affect organizational performance. The Risk Management Payoff Model demonstrates how improved risk measurement and management provides benefits throughout the organization. Benefits extend to (a) an enhanced working environment, (b) improved allocation of resources to the risks that really matter, (c) sustained or improved corporate reputation, and (d) other gains, all of which lead to prevention of loss, better performance and profitability, and increased shareholder value.

In addition to the Risk Management Payoff Model, step 2 in Exhibit 1 includes specific performance
measures for inputs, processes, outputs, and outcomes. Such metrics will of course vary from one organization to the next. This Management Accounting Guideline offers many measures from which managers can select or adapt metrics that are more closely aligned with their organizations' risk management strategy. Finally, step 2 in Exhibit 1 includes a formula to calculate the ROI of risk management initiatives, so that managers can better (a) monitor and manage risks, (b) evaluate the profitability of risk management initiatives, and (c) evaluate the tradeoffs between different risk responses.

Having identified the various risks and measured their potential impact, the organization must decide how to respond. This Guideline suggests various approaches and techniques for preventing, mitigating, transferring, and sharing organizational risks. Using the quantification process outlined in the Risk Management Payoff Model, management can more knowledgeably determine an appropriate risk response, as well as assess the effectiveness of existing risk management processes and controls. By creating formal internal control systems, detailing how they will identify, measure, and respond to significant risks to their businesses, and then communicating the risks to the appropriate parties, managers can improve organizational operating efficiency and overall organizational success.

THE IMPORTANCE OF ORGANIZATIONAL RISK REPORTING

The focus of this Guideline, The Reporting of Organizational Risks for Internal and External Decision-Making, is on risk information and communication (step 5 in Exhibit 1). Along with more rigorous identification and measurement of broad organizational risks, improved reporting (disclosure) of organizational risks is needed so that managers and other stakeholders can more effectively consider those risks and make more informed decisions.

Improved internal decision-making is facilitated when managers apply various analytical approaches to their decisions, and also incorporate numerous variables into capital investment and operating decisions. ROI is calculated using projections of revenues and costs based on the best available data. Unfortunately, the decision models of many
organizations are incomplete, since they do not explicitly incorporate evaluations of potential risks, which has often led to poor decision-making. Organizations can improve decision-making by attempting to formally integrate estimates of a broader set of organizational risk-related costs and benefits into their decisions. These risks include the risks of (a) technological obsolescence of product assembly (or the product or service itself), (b) financial risks, (c) potential breakdowns in the supply chain, (d) risks inherent in new product or service development (and in R&D investments generally), and (e) other risks. As a reliable and timely risk reporting process provides credible information on organizational risks, employees also can make better decisions and accelerate continuous and breakthrough organizational improvements.

Appropriate external disclosure of organizational risks and risk management initiatives allows shareholders and financial analysts to more properly value company shares. Improved disclosures make capital allocation more efficient, and reduce the average cost of capital. Voluntary disclosure also decreases price volatility and narrows bid-ask spreads, enhancing securities liquidity. Customer loyalty may also increase, and fair and favorable media publicity may result.

Exhibit 4 represents a framework for monitoring the contribution of risk reporting. The Risk Reporting Contribution Scheme describes the key factors (inputs, processes, outputs, and outcomes) for organizational success in risk reporting.

As Exhibit 4 shows, the quality and success of risk reporting is dependent on various factors; of these, inputs and processes are most critical. Inputs relate to the stakeholder risk reporting requirements and expectations, such as regulatory requirements, investors' and customers' expectations, etc. These requirements and expectations, along with the various risks the organization is facing, such as strategic, operational, reporting, and compliance risks, represent the most important inputs to the risk reporting process. Other inputs include the organization's existing risk management strategy, and governance and risk management structures and systems that provide the context for establishing risk reporting processes. Existing systems, including incentive pressures, may either instill risk awareness in the organizational culture, or inhibit risk management and risk reporting efforts. Therefore, to establish a proper
[Figure residue; recoverable label: Risk Management Process: Feedback Loop, Steps 1-4]
basis for effective risk management and reporting, an organization must continuously examine the various internal and external audiences' (stakeholder) requirements, and establish appropriate risk management structures, systems, strategies, and risk culture. Critical inputs to risk reporting also include available organizational resources, such as individuals with the necessary skills and experience, financial resources, and access to required information.

Smooth processes require committed corporate leaders and focused efforts of risk management leaders. Processes include (a) examining the critical success factors and risks that may endanger achieving business objectives, (b) evaluating the costs and benefits of informed voluntary disclosure to both internal and external audiences, and (c) determining the target audiences for risk reports, the reports' content and format, and their appropriate placement, distribution, and communication. These processes will ensure various risk reporting outputs, starting with the internal and external reports themselves. High quality and timely risk reports provided to selected internal and external audiences should have specific stakeholder effects, such as (a) improved internal decision-making (managers), (b) full regulatory compliance (government and regulatory institutions), (c) increased investor confidence in capital markets (shareholders), and (d) more general improved external decision-making (customers, suppliers, other business partners, employees, etc.). Effective risk reporting should then ultimately lead to greater overall organizational success and increased shareholder value (outcomes). Providing a cause-and-effect format of the various risk reporting activities helps managers understand the value they are receiving from the organization's risk reporting efforts.

Risk reporting also provides critical feedback to the risk management process and constitutes an important element in strategic planning. Although risk management continues throughout the year to accomplish strategic and tactical objectives and allow modification of plans as factors change, strategic planning uses risk reports to develop strategic objectives and strategies. As critical inputs to strategic planning, risk management in general, and risk reporting in particular, reach beyond compliance with increasing regulation. High-performing organizations will leverage their investments in compliance efforts (such as those imposed by the Sarbanes-Oxley Act or other requirements) to build a comprehensive risk management and reporting system that will drive value from a complex, expensive, and mandatory process. Risk reporting will shift from compliance-based to strategy-based, and then further to business-based organizational risk disclosure. This Guideline builds on this, and discusses the critical risk reporting questions in the light of risk reporting's strategic and business role.

The Risk Reporting Contribution Scheme can be adapted into any management system. It is compatible with strategic measurement and management frameworks, such as the balanced scorecard and shareholder value analysis, which focus on a better understanding of the causal relationships and linkages within organizations, and the actions managers can take to improve customer and corporate profitability and drive increased value. It is also consistent with other proposed business reporting models, such as the Model of Business Reporting (AICPA, 2004).

CURRENT REGULATIONS AND GUIDANCE ON REPORTING OF ORGANIZATIONAL RISKS

Reporting regulations vary greatly around the world. However, there is a clear trend toward requiring greater transparency in financial reporting and more accountability to investors that comes from various sources, including the Sarbanes-Oxley Act in the U.S., the European Union's Company Law Directives, and comparable initiatives in other jurisdictions (for example, the Canadian Securities Administrators' rules (2002) or the Companies (Auditing & Accounting) Bill 2003 in Ireland; see Appendix 1 for more detail). CEOs, CFOs, directors, and especially audit committee members of listed companies are being held more accountable for the integrity of their financial statements and the effectiveness of internal controls. Directors and audit committee members are also taking on greater responsibility for oversight of corporate management and the organization's relationship with the external auditor. Investors around the world are thus receiving new reports from management and auditors on the adequacy of internal control over financial reporting.

Although reports on internal control over financial reporting may be instrumental in restoring confidence in the integrity of financial reporting, the reporting of organizational risks must satisfy needs for improved internal and external decision-making. Reports on internal control over financial reporting issued by management and the independent auditor do not provide any assurance
on the viability of, for example, an organization's businesses, or its ability to achieve financial goals. Internal and external audiences need more complete information on the risks organizations face and how they intend to manage those risks. Yet, reporting regulation in highly regulated countries tends to focus on a narrow set of risks, primarily market and credit risks, and risks connected with the use of financial instruments. Currently, regulatory bodies do not explicitly require any integrated framework for broader corporate risk disclosure.

In the absence of specific regulations, managers considering broader disclosure of risk information externally can refer to the guidance on effective voluntary disclosure provided by company experiences, professional associations, and academia. The term voluntary disclosure describes disclosures, primarily outside the financial statements, that are not explicitly required by generally accepted accounting principles or regulation. The following frameworks propose to enrich financial reporting by including a section devoted to communicating forward-looking information and describing the risk profile of the company (for more detail on the frameworks see Appendix 2):

- A framework for voluntary disclosure proposed by The American Institute of Certified Public Accountants (AICPA, 1994, 2004).
- A reporting framework published in The Canadian Institute of Chartered Accountants' reporting guidelines (CICA, 2001).
- The COSO Enterprise Risk Management Integrated Framework (2004a, 2004b).
- A specific model to calculate a risk management initiative ROI proposed by Epstein and Rejc (2005).
- Finally, the SEC's encouragement of disclosure by companies of forward-looking information in their annual reports.

Generally, though, an integrated approach to a broader voluntary disclosure of organizational risk and internal reporting of risks is still lacking.

THE RISK REPORTING MODEL

The focus on risk reporting for regulatory compliance is likely to continue. In addition, improved voluntary disclosure will remain a prominent element of greater accountability. Nevertheless, organizations should leverage the knowledge gained by the regulatory-driven compliance efforts to improve overall risk management, its process and reporting, for improved corporate governance and decision-making.

Exhibit 5 provides The Risk Reporting Model that is developed to help organizations decide on critical questions related to reporting organizational risks to internal and external audiences, and to carry out risk reporting. These questions relate to (a) the target audience for risk reports, internal or external, each with its various subgroups of stakeholders, (b) the frequency of a risk report, which can be both real-time and periodic, and (c) its content, format, and finally its placement, distribution, and communication.

As seen in Exhibit 5, some information about organizational risks comes directly from the Risk Identification and Risk Assessment steps, while other information comes from the Risk Responses step. They typically differ in informational accuracy and completeness. Information from risk identification is important for on-time risk reporting and completeness of risk reports, while information arising from risk assessment and risk response adds more accuracy to the disclosure on risk management. Both types of risk information are important for credible and on-time reporting of organizational risks.

Organizations must decide, for each of the risks identified, assessed, or responded to, whether they should be reported to any of the audiences, and if so, what level of detail to provide. Determining the target audience, an important starting point, affects other risk reporting decisions. Whenever a disclosure is required by a regulatory requirement, as may be the case in external risk reporting, the organization must comply and provide appropriate disclosure. On the other hand, voluntary disclosures should be subject to careful cost-benefit analysis of audiences' needs and the disclosure. Organizations should compare (a) the benefits of a specific disclosure (type and detail of risk) to improved internal and external stakeholder decision-making and the organization's businesses with (b) the costs of disclosing.

The next section describes in detail the first step in the Risk Reporting Model, profiling the risk report audience. Discussion on the audiences for risk reports will include who they are and their specific organizational risk-related interests. The remaining critical risk reporting issues, namely frequency, content, format, and placement, will be addressed separately under the Guidance on
[Exhibit 5 (figure): The Risk Reporting Model; recoverable labels: Risk Response (No / Yes); Planning: 2 Choosing the Frequency of a Risk Report; 3 Determining the Content of a Risk Report; 5 Placement, Distribution, and Communication; Internal Risk Reports / External Risk Reports; Execution: Internal Risk Report / External Risk Report; Placement, Distribution, and Communication; Risk Response; Monitoring]
the Reporting of Organizational Risks for Internal Decision-Making and the Guidance on the Reporting of Organizational Risks for External Decision-Making, respectively. The section numbers correlate with Exhibit 5.

1 Profiling the Risk Report Audience

Reporting organizational risks should operate on multiple levels to address the needs of diverse audiences, each with their own specific needs, requirements, expectations, agendas, and levels of expertise. Exhibit 6 presents the most important internal and external audiences for internal and external risk reports.

Although internal risk reports aim exclusively at internal audiences, from a broader perspective external risk reporting, including corporate annual reports, may include both external users and interested internal groups (see the two dashed arrows in Exhibit 6).

As Exhibit 6 shows, both internal and external audiences can be further divided into two subgroups. On one hand, some audiences (audit committees, internal control steering committees, boards of directors, and senior management among internal audiences, and registered auditors, regulators, shareholders, and creditors among external audiences) must or should be informed about the organizational risks and risk management processes because of regulation or recommendations in standard-setter guidance. Voluntary disclosure to other internal audiences (managers, employees, and integrated business partners), and external stakeholders (financial analysts, customers, suppliers, community, and media), is recommended because of anticipated benefits to improved decision-making.

Responsibilities of some within the internal audiences are listed below:

- The board of directors has the primary oversight responsibility for developing and implementing the organization's mission, values, and strategy, and must carefully review corporate processes of risk identification, monitoring, and management. The board also originates risk philosophy, risk appetite, and risk tolerances. Specific reviews of financial objectives, plans, major capital expenditures, and other significant material transactions also typically fall within a board's responsibility. These responsibilities require broad and transparent reporting on the various organizational risks: strategic, operational, reporting, and compliance risks.
[Exhibit 6 (figure): internal and external audiences for risk reports; recoverable labels: Board of Directors; Registered Auditor]
example, contaminated properties. They may be interested in strategic risks as well.

- With increased regulation of internal control over financial reporting, representatives of regulators and registered auditors are interested in both external and internal risk reporting. Primarily, however, they are interested in (a) compliance risks, such as risks of unreliable and incomplete financial information for internal decision-making and for external reporting, and (b) reporting risks, such as risks of data accuracy and reliability. In addition, they may also be interested in operations risks, such as risks related to product quality and product safety, environmental compliance, etc.
- The list of external audiences for risk reporting also includes customers, suppliers, and communities (interest groups, media, the scientific community, and the general public). This extended external audience has wide-ranging interests in the risks the organization faces, and how it manages risks and turns them into business opportunities.

Exhibit 7 lists the major risk areas of interest to identified internal and external audiences. Exhibit 7 will not universally apply, and the identified stakeholders' interests should not be considered exclusive. Those audiences that have become particularly important with the new internal control regulations are primarily interested in reporting and compliance risks, while other audiences' interests span strategic and operational risks as well.

The appropriateness of risk report frequency, content, format, and placement can now be discussed in the light of known audiences.
[Exhibit 7 (table): risk areas of interest by audience; recoverable labels: Compliance Risks; Legal and regulatory; Board of Directors; Registered Auditors]
As shown in the previous section, internal audiences for risk reporting include the board of directors, the audit and internal control steering committees, senior management, other managers, employees, and integrated supply chain partners. The interests of these various internal constituents vary both in scope and in the detail of required risk information. From the strategic and business perspective, i.e. for improved strategic planning and execution as well as for more informed and improved operational decision-making, the primary internal audiences for risk reports are boards of directors, senior management, and other managers. These decision-makers must receive comprehensive risk reports covering strategic, operational, reporting, and compliance risks, detailed when reported on a real-time basis, and aggregated when reported periodically. Other internal audiences' requirements or needs are narrower, focused on specific risks that are not necessarily detailed. For this reason, the subsequent sections provide guidance on internal risk reporting specifically oriented to boards of directors, senior management, and other managers.

2 Choosing the Frequency of a Risk Report

The Frequency of Internal Risk Reports

How to decide which risks to report, and in what detail, must be discussed in the light of risk reporting frequency. Internal risk reports can be either real-time or periodic. Reporting frequency therefore importantly influences the content, format, placement, distribution, and communication of risk reports.

Internal real-time risk reporting is specifically important for operational decision-making. Senior management, for example, needs timely information on risks to make informed investment decisions. Other managers responsible for resource allocations also need real-time information on the risks an organization faces. Such risk reports are provided when specific circumstances require it, such as the occurrence of a risk event. The time available to receive data on a specific risk, process it, and respond to the external process is dictated by the time constraints imposed by the organization's risk

When deciding on what risks to disclose on a real-time basis, organizations need to compare the costs and benefits of disclosure. As seen in Exhibit 8, the cost-benefit analysis of risk disclosure must be made throughout the risk management process. The completeness and accuracy of risk information will increase in moving from risk identification to risk assessment, and then to the risk management (risk response) phase. Consequently, the cost-benefit analysis may provide different results.

For identified but not yet assessed risks, a brief cost-benefit analysis must first take place to determine if they should be reported on a real-time basis. Senior management needs are considered, along with the benefits of improved decision-making, and the potential reduction in appropriate risk-taking by managers. The cost-benefit analysis must specifically consider reporting of risks that endanger the critical success factors, i.e. those aspects of an organization's business that are especially important to its success. Critical success factors include a handful of activities or unique capabilities of overriding importance to the strategic and operational success of a particular organization. More generally, to determine which risks to disclose internally, organizations must consider whether disclosure of a specific organizational risk would adversely affect the organization by stimulating managers to make inappropriate strategic or operational decisions. Even though definitive quantification of all costs and benefits of risk reporting is complex and difficult, often requiring judgment, organizations must attempt to assess both. Whenever the benefits of a real-time risk disclosure exceed its potential costs, real-time risk reporting is appropriate.

Some identified risks not disclosed in the first phase because of the unfavorable output of the preliminary cost-benefit analysis may be disclosed when they are fully assessed. With new and more reliable data on the actual dimensions of a specific risk, the cost-benefit analysis may show that the previously undisclosed risks should now be disclosed to internal audiences on a real-time basis.

Finally, some risks that, although assessed, still have not been disclosed to senior management, for example, may pass the test of the cost-benefit
17
MANAGEMENT
R
I Requirements Needs
S Cost-benefit
K Analysis
S
A
S Real-time
S Risk
Real-time Yes Report
E Risk Report?
S Content
S R
E E
D A
S No
S
E
S
S Needs
R M
I E Cost-benefit
S N Analysis
K T
S Improper
Decision-Making
M
A
N Real-time
A Risk
No Real-time Yes Report
G Risk Report?
E Content
D
analysis when they are managed. As shown in including event identification, risk assessment,
Exhibit 8, different phases of risk management risk management, and risk response.
influence which risks to report on a real-time
basis.The more information an organization has A template for more detailed calculation of the
about a specific risk, the higher is the reliability cost-benefit analysis of real-time risk reporting is
of the decision on reporting, and the content of provided in Exhibit 9. It describes the necessary
the risk report if it is issued, and the less the steps in a typical cost-benefit analysis, regardless
concern over making a real-time risk disclosure. of the phase where the cost-benefit analysis of
An effective system of real-time risk reporting real-time risk reporting is taking place. In the
calls for a good risk management process, first step of the cost-benefit analysis, the benefits
18
T H E R E P O RT I N G O F O R G A N I Z AT I O N A L R I S K
Exhibit 9: Calculating the Costs and Benefits of Internal Real-Time Risk Disclosure
Costs Value
Real costs of risk reporting Cost of gathering data, analysis, reporting etc. $...................
Potential costs of Cost of lost business opportunities $...................
managerial risk aversion
Potential costs related to Bargaining disadvantage with employees $...................
employees
Total Costs $...................
Total Benefits
COST-BENEFIT ANALYSIS = ----------------------------
Total Costs
of a real-time risk disclosure must be expressed in On the other hand, Internal periodic risk
monetary terms.The key potential benefits of reporting, provided on a monthly, quarterly, or
internal risk reporting include, for example, yearly basis, allows more precise cost-benefit
improved internal decision-making that leads to calculations of risk disclosure, if deemed
cost savings or increased revenues. An enhanced necessary. In Exhibit 8, two reassessment loops
working environment may also be a benefit of risk are presented, indicating the need for
disclosure to employees, leading to increased subsequent cost-benefit analyses to confirm the
employee trust, commitment, creativity, and results of the preceding judgments or analytical
productivity. Potential costs of internal risk results.The primary purpose of periodic
reporting relate to dysfunctional behavior of internal risk reports is to provide boards of
different internal audiences, such as a reduction in directors, senior management, and other
appropriate risk-taking of managers that is managers with well-processed and aggregate
necessary for business success. information about various relevant
Expressing benefits of internal real-time risk organizational risks, with trend indicators and
disclosure in monetary terms is illustrated through periodic comparisons, to improve their
short examples in Exhibit 10. Specific risk decision-making.The results of reassessment
disclosure outputs that result in benefits are loops during the real-time risk reporting
presented, followed by the relevant calculations to process contribute to decisions on what
capture the monetary value of realized benefits. information to include in periodic risk reports.
Exhibit 10: Calculating Monetary Benefits from Internal Real-Time Risk Disclosure

DISCLOSURE OUTPUTS | BENEFIT | CALCULATION OF MONETARY BENEFIT
Compliance with Regulation | Reduced costs of prosecution and penalties | Monetary benefit equals the reduced costs of prosecution and penalties; estimates of the costs should be based on historical evidence
Improved Operational Decision-Making | Labor hours saved | Benefits equal to the number of hours saved, multiplied by the standard labor wage, and adjusted with a benefits factor
Improved Operational Decision-Making | Machine hours saved | Benefits arise out of optimal use of existing resources and are equal to the costs of amortization that relate to machine hours saved
Improved Operational Decision-Making | Increased on-time deliveries reducing cost of grievances | If the result is reduction in grievances, the average cost per grievance provides a basis for estimating the benefits
Enhanced Working Environment | Increase in output (units produced, services offered) | Benefits can be calculated as additional sales minus marginal sales expense
Improved Resource Allocation | Savings in costs based on efficient capital allocations | Benefits can be traced to reduced debt financing or lower weighted average cost of capital
Improved Strategic Decision-Making | Revenues generated from new strategic initiatives | Benefits are equal to the generated new sales or the discounted cash flow from new strategic initiatives
Periodic internal risk reporting contributes to strategic oversight and decision-making, and improved operational business decisions. This type of risk reporting provides general information to interested audiences on the risk management processes, without unnecessary detail. Exhibit 11 summarizes the process of selecting risks for periodic risk reporting to internal audiences.

Exhibit 11 (flowchart, figure not reproduced): internal audiences' needs feed a cost-benefit analysis that weighs appropriate decision-making against dysfunctional behavior and answers the question "Periodic risk report?" with Yes or No.

Determining the content of an internal periodic risk report starts with listing risks in the specific phases of the risk management process (risks identified, risks assessed, and risks managed), including those identified in real-time risk reports. A listing of those risks that have already been assessed and appropriately managed would typically be accompanied with a detailed description of their characteristics and potential effects. The consideration of risk disclosure will start with the primary internal audiences' requirements. Audit committee risk reporting requirements related to compliance and reporting risks are an example. Organizations must disclose risks to internal audiences that are required by regulation. Otherwise, detrimental costs of non-compliance may result. An organization should then consider other internal audiences' needs, and compare them to the costs of disclosure. Organizations will decide on periodic risk disclosure based on a cost-benefit analysis (which is similar to the cost-benefit analysis provided in Exhibit 9).

3 Determining the Content of a Risk Report

The Content of Internal Risk Reports

The most important content issue relates to what risk information to provide for optimal internal decision-making, without causing unnecessary alarm that would inhibit appropriate risk-taking. More specifically, how detailed should the reports be in specific circumstances? Generally, risks can be classified into one of the following four broad categories: strategic, operational, reporting, and compliance (see also Exhibit 2). Strategic risks relate to an organization's choice of strategies to achieve its objectives. By their nature, these risks can endanger the organization's achievement of high-level goals that are aligned with and support its mission. To assess strategic risk calls for questioning whether management has misread its environment. Operational risks, on the other hand, relate to (a) threats from ineffective or inefficient business processes for developing, acquiring, financing, transforming, and marketing goods and services, and (b) threats of loss of firm assets, including its reputation. Reporting risks relate to the reliability, accuracy, and timeliness of information systems, and to reliability or completeness of information used for either internal or external decision-making. Finally, compliance risks address the inadequate communication of laws and regulations, internal behavior codes and contract requirements, and inadequate information about failure of management, employees, or trading partners to comply with applicable laws, regulations, contracts, and expected behaviors (Epstein and Rejc, 2005).

In determining risks to be reported internally, the cost-benefit analysis will provide a general answer, but not identify the level of risk detail to disclose. What detail to include will vary with the frequency of risk reporting, and with the phases of the risk management process. Internal real-time risk reports for senior management and other managers responsible for resource allocations and other strategic and operational decision-making may often include very little information on the risk event. This may be because specific circumstances may have required quick reaction to a risk, allowing insufficient time to gather all necessary information. Internal periodic risk reports allow and require more careful consideration of included details. Reliability of risk information, on the other hand, should increase with each subsequent phase of risk management. To achieve this, the risk information detail should increase with each phase as well.

Exhibit 12 details the risk information that should be disclosed at different risk management levels: at the risk identification, the risk assessment, and the risk response levels respectively.

Exhibit 12 (partial): Details of Risk Information Disclosed at Various Phases of the Risk Management Process

INFORMATION | RISK IDENTIFICATION LEVEL | RISK ASSESSMENT LEVEL | RISK RESPONSE LEVEL
Effects of a Risk Response | NO | NO | Potential/Actual

As presented in Exhibit 12, a risk report may include the following sections, depending on the phase of the risk management process where a specific risk occurs:

1. Risk description. It can be general (the risk identification level) or detailed (required at the
risk assessment and risk response level). In real-time risk reports, risks will often be reported when they occur at the event identification level; periodic risk reports, on the other hand, will typically include risk information from all three levels.

2. Impact. Internal audiences must be provided with enough clear and sufficient information to allow them to understand the potential or existing operational and financial impact of the reported risk. In addition, an explanation of the impact of combined risks on the organization as a whole may be provided. Risk managers need to explain the link between high risk events and risk response activities, and their financial consequences. Understanding these links and the financial impact is critical for improved decision-making. The internal risk reports' ability to report across the organization will allow internal users to identify risks in the aggregate, and determine gaps in the risk management strategy.

3. Previous plans and goals. These should be disclosed with the risks, to permit comparisons between actual achievements and planned results. This content item is relevant at the risk assessment and risk response level.

4. Controls put in place. These may be specifically important for boards of directors, audit committees, and steering committees, all of whom have responsibility for oversight, and senior management and other managers who are responsible for decision-making. The role of this type of information is important in all phases of the risk management process, as it relates to actions taken and those responsible for them.

5. Recommendations. Risk reports must also include recommendations for the intended internal audiences. Risk reports cannot determine how the CEO, CFO, and other senior managers should respond to individual findings. However, the recommendations should be precise, business-focused, and pragmatic, so that the recipients of reports feel sufficiently informed to act. For example, an organization may face a human resource-related risk within a process that is found to be dependent upon the skills of one individual. The risk report recommendations might suggest an additional hire, cross-training, or alternatively improving documentation so that a non-specialist could operate the process.

6. Effects of a risk response. Internal risk reports to the board of directors, senior management, and other managers should also include details on the potential or actual effects of a risk response. This information can only be disclosed at the risk response level.

To determine the content of a risk report, the following questions also need to be answered:

1. Type of data. The type of data must be selected. Different details of risk reporting call for different types of data, qualitative or
quantitative, different metrics, and other tools (such as graphs, exhibits, or scenarios). Graphs and exhibits are specifically useful. However, the report must include sufficient relevant technical detail needed by those responsible for taking action.

2. Metrics. More detailed risk reports should explain presented metrics. In periodic reports, metrics must be disclosed consistently from period to period, to the extent they still are relevant. However, a decision to report on a specific risk with a specific metric in one period does not require continuing disclosure if it is no longer relevant, or if a more relevant metric becomes available.

3. Context. The context of reported risks must be appropriately explained. Managers seeing only facts without context in risky situations may react inappropriately. In addition, reporting of specific risks must include sufficient evidence to influence proper decisions. For example, some managers may require overwhelming evidence before they accept a problem's existence; others may simply need sufficient evidence to understand the nature of the problem. Risk managers may therefore decide to include information on strategy, actions, and performance in addition to information specifically focused on risk. This broader description should be narrative, and accompany a quantitative presentation of the risks. Alternatively, the risk report should clearly describe the status of the organization's processes and activities related to risk management initiatives.

Exhibit 13 provides an example of how the content of a risk report can be structured when providing real-time information on an assessed risk. The structure of this report follows the information details outlined in Exhibit 12. It does not provide all relevant details, but it does provide guidance on what to report on a real-time basis when there is available data. The first section provides a detailed risk description of two risk events resulting in understaffing; both are assessed. Subsequent sections include details on the current operational and financial impact, impact on other risks, and future financial impact and its probability. Further, previous plans and goals are revealed, as are the controls put in place and recommendations to managers.

Exhibit 13: Example of a Real-Time Risk Report Content Disclosing an Assessed Risk

REAL-TIME RISK REPORT ON A HUMAN RESOURCE RISK: UNDERSTAFFING

Detailed risk description | Risk assessment
(1) Unexpected trend in higher compensation and expanding job opportunities in the job market caused fewer offers being accepted, resulting in too few staff: 10% reduction in hiring due to fewer offerings; 18 unfilled positions | Likelihood: 100%
(2) Inadequate needs/specifications description resulted in hiring unqualified staff: 5% reduction in hiring due to poor candidate screening; 9 unfilled positions | Likelihood: 100%
Current operational impact | Breakdown in business process continuity in manufacturing divisions resulting in a downturn of on-time deliveries from 85% to 75%; two customers canceled their contracts
Current financial impact | $5,000,000 of lost revenues
Impact on other risks | The lack of staff in the manufacturing division imposes additional productivity burdens on existing employees, which may endanger their safety in the workplace (health and safety risks) and/or cause lower product quality (commercial risks)
Future financial impact | $3,000,000 of lost revenues (Likelihood: 18%)
Previous plans and goals | Organization decided to hire 180 new qualified staff across all manufacturing divisions to meet customer demand without overstaffing and to maintain 22% staff cost per dollar order (Tolerance: 165-200 new qualified staff; staff cost between 20% and 23% per dollar order)
Controls put in place | Strengthened quality control in manufacturing divisions; ensuring proper fit and suitability of employees' personal protective equipment; regular reviews of staff competencies
Recommendations | High quality supervision and leadership; change in compensation schemes to additionally reward productivity and quality of manufacturing staff

This draws on an example from Committee of Sponsoring Organizations of the Treadway Commission, 2004b.

The real-time risk reports on the risk identified or responded to should be prepared using a similar structure.

As outlined earlier, risk managers striving to provide the internal audience with the desired level of understanding must assure that risk reports are stated in business terms, and with sufficient detail. In many cases, organizations may supplement risk reports with graphical representations of the causal relationships between various drivers of risk management, and the impacts of these on organizational success. Such representations can be very useful in describing the potential operational and financial impact of risks, or their impact on other risks to which the organization is exposed. They are also useful to present the expected consequences of an appropriate risk response, thus providing managers with a better understanding of controls put in place and expected results. Exhibit 14 provides an example that describes the potential effect of an appropriate risk response to a business continuity risk.

Exhibit 14 shows numerous drivers of success in the risk management process. At the bottom of Exhibit 14, the critical drivers include ongoing monitoring of various risks and increased risk awareness (inputs). These are expected to lead to improved event identification and assessment, and the response of appropriate risk management spending. In this specific example, the appropriate level of risk management spending relates to increased investments in flexibility, which will lead to the desired output, business process continuity. Consequently, productivity will increase and organizational reputation will improve, both of which generate greater sales. These beneficial outputs will lead to increased revenues, while business process continuity will also help contain overall costs. Finally, the increased revenues and sustained costs will lead to increased organizational success (outcome).

Internal audiences will be interested not only in disclosure of specific risks, but also in the risk management process. A well established and properly managed process will assure internal audiences about the reliability of risk reports. Organizations must therefore include information on the quality of their risk management process, particularly in their periodic risk reports.

TELUS Corporation, Canada's second largest telecommunications company, developed a risk reporting approach that is based on annual risk assessment, quarterly risk assessment review, and engagement/project specific risk assessments. The annual risk assessment, reported to the CEO, CFO, and Audit Committee and updated quarterly throughout the year, is a key input to strategic planning. The engagement/project specific risk assessment process performs detailed real-time risk assessments, and provides updated and new risk and control exposure information to the annual and quarterly reports. In an internal quarterly risk report, for example, a bubble chart indicates the key risk profile of the company (Exhibit 15 provides a modified example of a TELUS bubble chart). Bubbles relating to critical risk areas, such as security, business operations, technology, information, financial, strategic initiatives, people, and others, include most relevant risk items that change with circumstances, as do critical risk areas. The Security bubble may include the following risk items: IT security, physical security, and network
Exhibit 14 (causal chart, figure not reproduced). Inputs: ongoing monitoring of risk drivers, risk awareness. Processes: event identification, event assessment, risk management spending, investment in flexibility. Outputs: business continuity, increased productivity, improved cost control. Outcomes: greater sales, improved reputation.
security. The People bubble may include security awareness, employee skills, retention and recognition, vandalism, and legal and ethical compliance. Each of these specific risk items is colored with yellow, orange, or red (see the shading legend under Exhibit 15), indicating the severity of threat (TELUS, 2006).

In addition to the bubble chart, historical (quarterly) risk ratings present the risk areas and their specific risk items (see Exhibit 16 for an example). Again, colors yellow, orange, and red (see the shading legend under Exhibit 16) indicate the risk rating status. In addition, management owner, management actions, and internal audit actions are indicated (TELUS, 2006).

4 Designing the Format of a Risk Report

The Format of Internal Risk Reports

Risk information must be presented in an appropriate structure. If the format of the risk report obscures risk information, time and additional resources may be required for clarification, and users of risk reports may make less informed decisions that could adversely affect the organization's success.

Internal real-time risk reports for senior management and other managers responsible for resource allocations, investment decisions, and other strategic and tactical decision-making should allow users to drill down to examine the underlying data. Exhibit 17 provides an example of a real-time risk report for senior management that is presented in a dashboard style.

Organizations use dashboard-style reports to enable management to quickly determine the degree of alignment of the entity's risk profile with risk tolerances. Where misalignment occurs, and any existing risk responses or controls are not performing as expected, management can take corrective actions.

As Exhibit 17 shows, the first reporting level provides key risk categories (operations, strategic, compliance, and reporting) with risk sub-categories (such as environmental, financial, and innovation risks). Each relevant risk sub-category, previously identified as appropriate for real-time risk disclosure, is marked according to the phases of the risk management process: risk identified, risk assessed, or risk responded to. As senior management drills down to examine the risks in more detail, the next reporting level identifies whether the risks are safely within, near, or beyond risk tolerances. Colors green, yellow, or red (see the shading legend) may be
Exhibit 15: An Example of a Bubble Chart with Key Risk Profile for the Internal Quarterly Risk Report (figure not reproduced; the shading legend for orange and red is not recoverable)
used for this purpose. Correlated risks (two or more independent risks that, if they occur, cause far greater loss than the sum of individual losses) must be marked specifically, for example with a black color. Further drilling down the information source provides specific information on that risk.

To the extent possible, the risk-related information should always be supplemented with charts, graphs, and exhibits to improve and expedite the users' comprehension. An example of such an exhibit has already been shown in Exhibit 14, which graphically shows the causality of risk management drivers.

Internal periodic risk reports (see Exhibit 18) will include more general information on the

indicating trends or changes in risks. Risk information may be organized around specific key risk categories rather than around phases of the risk management process. Dashboard-style reports may be very useful for periodic risk reporting as well. Arrow directions indicate a periodic trend in expected loss from the underlying risks, with a down arrow indicating a decline in expected loss trend, and an up arrow indicating an increase. In addition, arrow color indicates residual risk in relation to tolerances, where green indicates expected loss safely within risk tolerance, yellow indicates expected loss near or at risk tolerance, and red indicates that tolerance is exceeded (see the shading legend). Periodic risk reports can also be designed for drill-down operations, but their
Exhibit 16 (historical quarterly risk ratings, figure not reproduced; the color ratings and the shading legend for orange and red are not recoverable)

Risk area | Risk item | Code | Management actions | Internal audit actions
People | Security Awareness | D | |
People | Employee Skills, Retention & Recognition | A | |
External Risks | Manmade and Natural Disasters | B | |
External Risks | Changing Laws and Regulations | F, E, & A | Monitor planned changes | Include question in risk survey
External Risks | Supplier Viability & Reliability | D | |
External Risks | Market Negativity | F & E | |
primary purpose is to provide general information on the risks of interest.

To avoid misunderstandings, those responsible for risk reporting must establish a common language on the risks and risk management process. Otherwise, the reports may be misinterpreted, resulting in wasted time, the need for clarification, and lack of business buy-in. Thus, narrative explanations must accompany charts and graphs explaining (a) trends and changes in operating data and performance measures, (b) comparison of performance to previously disclosed risk information, (c) plans and goals for risk assessment and risk management, and (d) potential impact on future operations and financial performance. In addition, a description of the assessment techniques used for evaluations may be provided. This should contribute a common understanding of the level and nature of risks, in business terms, to the discussions of risk reports

5 Placement, Distribution, and Communication

The Placement, Distribution, and Communication of Internal Risk Reports

Real-time internal risk reports are best communicated through dashboard reporting.

Draft internal periodic reports should be provided to the audit committee for review and comment before distribution.

For the board and committees, risk reporting should be made at least quarterly. For senior managers and other relevant managers, real-time
Exhibit 17 (real-time dashboard for senior management, figure not reproduced). First reporting level: 1 Operations Risks (1.1 Environmental risks, 1.2 Financial risks), 2 Strategic Risks, 3 Compliance Risks; a drill-down opens the detail for liquidity risk.
Exhibit 18: A Dashboard for Internal Periodic Risk Reporting for Senior Management (figure not reproduced). Panel 1 Operations Risks: a quarterly chart (1st to 4th Qtr) of liquidity risk showing current year, next year and tolerance, and a yearly chart (Year 1 to Year 4) of risk related success rate and risk response success rate against tolerance. Panels 2 Strategic Risks, 3 Compliance Risks and 4 Reporting Risks follow the same layout.
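The tolerance colors, trend arrows, correlated-risk marking and two-level drill-down described for the Exhibit 17 and Exhibit 18 dashboards, as an added Python example that is not part of the Guideline or of any TELUS report; the risk items, expected-loss histories, tolerances and the 10% "near tolerance" band are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed example: the risk items, expected-loss histories and tolerances
# below are illustrative assumptions, not figures from the Guideline or TELUS.


@dataclass
class RiskItem:
    category: str          # operations, strategic, compliance or reporting
    sub_category: str      # e.g. environmental, financial, innovation
    name: str
    phase: str             # "identified", "assessed" or "responded to"
    expected_loss: list    # expected loss per period, oldest first
    tolerance: float       # maximum expected loss the organization tolerates
    correlated_with: tuple = ()   # risks whose joint loss exceeds the sum of losses


NEAR_BAND = 0.10   # assumption: within 10% below tolerance counts as "near or at"
SEVERITY = {"green": 0, "yellow": 1, "red": 2}


def tolerance_color(expected_loss, tolerance, near_band=NEAR_BAND):
    """Green: safely within tolerance; yellow: near or at it; red: exceeded."""
    if expected_loss > tolerance:
        return "red"
    if expected_loss >= tolerance * (1 - near_band):
        return "yellow"
    return "green"


def trend_arrow(history):
    """Down arrow when expected loss fell since the previous period, up when it rose."""
    if len(history) < 2 or history[-1] == history[-2]:
        return "none"      # assumption: no arrow when there is no change to report
    return "down" if history[-1] < history[-2] else "up"


def drill_down_cell(risk):
    """Second reporting level: one risk, its status against tolerance and its trend.
    Correlated risks carry an extra black mark, as the Guideline suggests."""
    return {
        "risk": risk.name,
        "phase": risk.phase,
        "color": tolerance_color(risk.expected_loss[-1], risk.tolerance),
        "arrow": trend_arrow(risk.expected_loss),
        "correlated": "black" if risk.correlated_with else None,
    }


def first_level(risks):
    """First reporting level: categories -> sub-categories, each marked with the
    phases of the risk management process its risks currently sit in."""
    level = defaultdict(lambda: defaultdict(set))
    for r in risks:
        level[r.category][r.sub_category].add(r.phase)
    return {cat: {sub: sorted(phases) for sub, phases in subs.items()}
            for cat, subs in level.items()}


def second_level(risks, category, sub_category):
    """Drill-down into one sub-category; cells ordered so that red comes first."""
    cells = [drill_down_cell(r) for r in risks
             if r.category == category and r.sub_category == sub_category]
    return sorted(cells, key=lambda c: SEVERITY[c["color"]], reverse=True)


def worst_color(cells):
    """Roll-up color for a sub-category: the most severe status among its risks."""
    return max((c["color"] for c in cells), key=SEVERITY.get, default="green")


SAMPLE_RISKS = [   # constructed data
    RiskItem("operations", "financial", "liquidity risk", "assessed", [20, 30, 40, 55], 50),
    RiskItem("operations", "financial", "credit risk", "responded to", [30, 25, 20, 18], 40),
    RiskItem("operations", "environmental", "spill risk", "identified", [5, 5, 6, 9.5], 10),
    RiskItem("strategic", "innovation", "product obsolescence", "assessed", [12, 12], 30,
             correlated_with=("supplier viability",)),
]


def render(risks):
    """Plain-text rendering of both levels: one line per sub-category, then one
    indented line per drill-down cell."""
    lines = []
    for cat, subs in first_level(risks).items():
        for sub, phases in subs.items():
            cells = second_level(risks, cat, sub)
            lines.append(f"{cat} / {sub} [{', '.join(phases)}]: {worst_color(cells)}")
            for c in cells:
                flag = " correlated(black)" if c["correlated"] else ""
                lines.append(f"    {c['risk']} ({c['phase']}): {c['color']} {c['arrow']}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_RISKS)))
```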
Exhibit 19 (flowchart, figure not reproduced): in two lanes, Risks Assessed and Risks Managed, requirements lead directly to a regulatory-compliance-based real-time risk report, while needs feed a cost-benefit analysis that weighs improper decision-making and answers the question "Real-time risk report?"; Yes leads to voluntary real-time risk disclosure, No leads to reassessment.
and magnitude of effect has not yet been assessed (risks identified).

As shown in Exhibit 19, disclosure of risk for regulatory purposes would not typically include a cost-benefit analysis. To determine which risks should be disclosed externally voluntarily, organizations must consider whether disclosure of a specific organizational risk would adversely affect the organization: by aiding its competitors, by creating a bargaining disadvantage with suppliers, customers, or employees, or by implicitly encouraging investors to withdraw their capital. Real-time risk reporting is appropriate whenever the benefits of a real-time external risk disclosure exceed its potential costs.

A more detailed cost-benefit analysis of external real-time risk reporting is provided in Exhibit 20. In the first step, the benefits of a real-time risk disclosure are converted to monetary terms. The primary potential benefits of external risk reporting to investors, creditors, and financial analysts, for example, are the reduced likelihood that they will misallocate their capital. As a consequence, organizations can benefit from (a) a lower average cost of capital, (b) enhanced credibility and improved investor relations, (c) access to more liquid markets with narrower price changes between transactions, (d) the likelihood that investors will make better investment decisions, (e) reduced danger of litigation alleging inadequate informative disclosure, and (f) improved defense of such suits. The key potential costs of external risk reporting relate to competitive disadvantage from informative disclosure, bargaining disadvantage because of disclosure to suppliers, customers, and employees, and litigation without merit that is attributable to disclosures. The greater the level of detail about a specific risk, the greater the likelihood of competitive disadvantage. Asymmetric risk reporting, when not all competitors in an industry adopt new guidelines, could also be important and a cost. Again, it is generally assumed that a specific
Exhibit 20: Calculating the Costs and Benefits of External Real-Time Risk Disclosure

CALCULATE THE BENEFITS OF EXTERNAL REAL-TIME RISK DISCLOSURE

Costs | | Value
Real costs of risk reporting | Cost of gathering data, analysis, reporting etc. | $...................
Potential costs related to competitors | Provided risk information aids competitors to improve their competitive position | $...................
Potential costs related to suppliers | Bargaining disadvantage with suppliers | $...................
Potential costs related to customers | Bargaining disadvantage with customers | $...................
Potential costs related to investors | Potential withdrawal of their capital, absence of investments, etc. | $...................
Total Costs | | $...................

COST-BENEFIT ANALYSIS = Total Benefits / Total Costs
risk should be disclosed when the benefits of disclosure exceed the potential costs. Conversely, organizations will decide not to make some voluntary risk disclosures when the risks of harm outweigh the expected benefit. Still, some risks may need to be disclosed even at a high short-term cost, such as risks of product malfunctioning. Good corporate governance practice may, in some instances, promote disclosure despite a negative cost-benefit analysis. Bad news cannot simply be withheld because it would hurt the organization. Such a disclosure, however, depends on the probability that the risk could occur.

The conversion of benefits of external real-time risk disclosure to monetary terms is illustrated in Exhibit 21. Similar to Exhibit 10, specific risk disclosure outputs that result in benefits are presented, and followed by the relevant calculations that capture the monetary value of realized benefits.

External periodic risk reporting is also required by SEC regulation via the annual 10-K. Again, organizations may decide to provide broader and more frequent periodic risk reports, on a quarterly basis for example. The purpose of periodic external risk reports is to provide general external audiences with reliable, aggregated information about various relevant organizational risks, with trend indicators and periodic comparisons, to improve their decision-making. Exhibit 11, indicating the selection of risks for periodic risk reporting to internal audiences, can also be used for external periodic risk reporting. Using the cost-benefit analysis of external periodic risk disclosure (which is similar to the cost-benefit analysis provided in Exhibit 20), organizations will decide which risks to disclose.
Exhibit 21

Compliance with Regulation | Reduced costs of prosecution and penalties | Monetary benefit equals the reduced costs of prosecution and penalties; estimates of the costs should be based on historical evidence
Corporate Reputation | Increased sales from existing and new customers | Benefits can be calculated as additional sales from existing and new customers minus marginal sales expense
 | Staff retention | Benefits equal to monetary savings arising from decreased employee turnover (decrease in the cost of recruitment, orientation, and training)
 | Improved recruitment | Benefits arise from lower cost of employee orientation and training
Reduced Earnings Volatility | Increase in shareholder value | Benefits relate to the increase in the share market prices
Reduced Cost of Capital | Savings in costs of equity financing | Benefits equal the reduced costs of equity financing
disclose less. The principles of good corporate communication, as well as regulation, require it to be consistent, honest, and forthright.

An example of an external periodic risk report is provided by K-Bro Linen Income Fund in its Management's Discussion and Analysis of Financial Condition and Results of Operation. The Fund was created for the purpose of acquiring, directly and indirectly, all of the issued and outstanding securities of K-Bro Linen Systems Inc., the largest owner and operator of laundry and linen processing facilities in Canada. In the "Risks Related to K-Bro and the Laundry and Linen Services Industry" section of the MD&A, the risk report covers several topics, including a risk-related description of the competitive environment, acquisitions and integration of acquired businesses, industry risk, the Fund's ability to maintain profitability and manage growth, cost of linens, utility and energy costs, relocation of plants, workers' compensation costs, employee relations and collective agreements, changes in laws, reliance on key personnel, dependence on long-term contracts, credit facility, availability of future financing, and environmental matters. The content of the risk report, primarily narrative, is also supported with financial numbers. For example, when disclosing K-Bro's business decision to relocate from its Calgary plant upon the expiration of its current lease in 2008, management included an estimate of the costs of such relocation ($2 million, assuming a new facility of comparable size and the relocation and installation of existing equipment). The disclosure further says that "Although management expects to finance any relocation through its cash reserves and/or credit facilities, …, difficulties in financing or inability to finance this relocation may have a material adverse effect on K-Bro's and the Fund's business, financial condition, liquidity, and operating results" (K-Bro Linen Income Fund, 2005).

4 Designing the Format of a Risk Report

The Format of External Risk Reports

External periodic risk reports may follow the 10-K form. However, when placed on websites or disclosed in annual reports, graphical disclosures are particularly appropriate to convey the results of risk response initiatives. Narrative descriptions of potential risks along with risk response initiatives, put in a business context, may help external users to better understand the importance of this information for decision-making. Such reports may accompany a more descriptive section on forward-looking information or prospective financial and non-financial information in an annual report, or in the management discussion and analysis section.

External real-time risk reporting, on the other hand, relates to risk information placed on the organization's web site, or disseminated in another real-time manner, such as in the form 8-K. Similar to periodic external risk reports, information should be general and aggregate, but related to recent risk-related analytical findings.

In broadening reporting, many organizations have issued special reports, on the environment for example, or for equal employment opportunity, philanthropy, or other issues. Many of these reports are issued to display a good corporate citizen reputation and appeal to special interest groups. There is no need to segregate these reports from mainstream financial reporting. Because of the rise of the Internet and the related trend toward electronic dissemination of financial and other information on websites, concerns about the organization of information may become obsolete. Users of corporate websites have greater control over which portions of the report to review and which to disregard. As these technologies develop, the sequence of information in a traditional paper annual report might become increasingly less important.

5 Placement, Distribution, and Communication

The Placement, Distribution, and Communication of External Risk Reports

Websites are particularly useful for external real-time risk reporting. This allows organizations to provide aggregate information. Serious users can then delve into the on-line risk reports for detail. The 8-K form should also be considered an important placement tool.

With respect to external periodic risk reporting, MD&A, other parts of annual reports, or quarterly reports, are generally viewed as the main channels for risk reporting to external stakeholders. As noted earlier, a model of risk reporting should first integrate,
standards on internal auditing charge internal audit with the responsibility for monitoring and evaluating the effectiveness of the organization's risk management system. This responsibility requires internal audit to maintain its independence and objectivity.

To establish the right organizational risk management and risk reporting structures and systems, organizations should start with a written corporate risk disclosure policy. That policy gives organizations a process for disclosure, and promotes an understanding of legal requirements among directors, senior management, other managers, and employees. It will focus on promoting consistent disclosure aimed at informative, timely, and broadly disseminated disclosure of risk-related information to interested audiences. Every disclosure policy should generally include the following (Canadian Securities Administrators, 2002):

- how to decide what risk information is material and should be reported;
- policy on reviewing analysts' reports;
- how to release earnings announcements and conduct related analyst calls and meetings;
- how to conduct meetings with investors and the media;
- what to say or not to say at industry conferences;
- how to use electronic media and the corporate web site;
- policy on the use of forecasts and other forward-looking information (including a policy regarding issuing updates);
- procedures for reviewing briefings and discussions with analysts, institutional investors and other market professionals;
- how to deal with unintentional selective disclosures;
- how to respond to market rumors;
- policy on trading restrictions; and
- policy on quiet periods.

The process of creating such a policy is itself a benefit, because it forces a critical examination of current disclosure practices. Although CFOs often assume responsibility for risk functions because of the broad perspective they have of their organizations, organizations should consider establishing a committee of company personnel (Risk Management Committee) or assigning a senior officer (Chief Risk Officer) to be responsible for:

- developing and implementing the risk disclosure policy;
- monitoring its effectiveness and compliance;
- educating directors, senior management, other managers, and employees about disclosure issues and the risk disclosure policy;
- reviewing and authorizing disclosure (including electronic, written and oral disclosure) in advance of its public release; and
- monitoring the organization's web site.

The risk disclosure policy should be reviewed periodically, updated as necessary, approved by the board of directors, and widely distributed to senior management, other managers, and employees. Directors, senior management, other managers, and employees should be trained, so that they understand and can apply the disclosure policy.

In addition, the organization should authorize spokespersons, limiting the number of people authorized to speak on behalf of the organization to analysts, the media, and investors. Ideally, spokespersons should be members of senior management. They should be knowledgeable about the risk disclosure record and aware of analysts' reports relating to the organization. Everyone in the organization must know who the organization's spokespersons are, and be directed to refer all inquiries from analysts, investors and the media to them. Having spokespersons helps to reduce unauthorized disclosures, inconsistent statements by different people in the organization, and statements that are inconsistent with the public disclosure record of the organization.

The unit responsible for risk reporting, which directly reports to the risk management committee or CRO, should be elevated to the strategic level and organized as a separate entity. Its tasks include continuous gathering of data on risk events, providing risk assessments, and cost-benefit analyses. In addition, this unit prepares the risk reports to internal and external audiences. The risk management committee or CRO is responsible for supervising these activities and approving the analyses. The board of directors, in turn, must approve the release of risk reports.

A firm commitment from the highest levels of management is clearly necessary to make risk management an organization-wide process. This is the only way to create a mindset in managers
and employees that builds risk into everyday decision-making. Without designated responsibility, proper training or even clear definition and communication of risks, various line managers may implement their personal risk approach, with varying tolerances for risk. This could lead to inconsistent risk management (The 2005 Oversight Systems Financial Executive Report on Risk Management, 2005).

CONCLUSION

Although internal control over financial reporting can be considered one of the most significant requirements resulting from the Sarbanes-Oxley Act of 2002, the internal control legislation and regulation also triggered a different and broader understanding of the risks organizations face, and the risk management process they implement. Managers increasingly understand the importance of effective risk reporting, internally and externally, and the value of delivering relevant and credible risk reports to internal and external audiences that are articulated in business terms and supported by evidence. With the right information, internal and external audiences can make better decisions.

Broader real-time and periodic internal risk reporting provides senior management and other managers with on-time, detailed, and aggregate information on the various risks and the organization's risk management processes, thus contributing to more informed decision-making. Dashboard reporting systems allow managers to drill down for more detailed information on risks and relationships between them, and to include these in their ROI calculations. Improved resource allocations may result.

Broader external reporting should not hurt the organization's competitiveness. If specific risk-related information helps the organization make improved decisions and better track value creation, the information may also help attract new capital. Or, if information on employee satisfaction and well-being helps managers prevent the increase in personnel risks and cultivate a committed workforce, it may also help attract committed talent from outside. Data on business process continuity may lead to improved processes, which may also reassure customers and business partners externally. Organizations with poor external disclosure complicate informed decision-making by financial analysts, shareholders, customers, suppliers, and others with whom organizations interact.

This Guideline starts with a Risk Reporting Contribution Scheme, a framework for monitoring the outputs of risk reporting and financial outcomes from broader reporting of organizational risks, such as investors and creditors making more informed investment decisions, or managers making better strategic and tactical decisions. The Risk Reporting Contribution Scheme shows the benefits of a broad and well-managed risk reporting process, and provides the background to the Risk Reporting Model presented in this Guideline. The Risk Reporting Model provides useful guidance for senior managers on reporting of organizational risks internally and externally: the frequency of risk reports, what risks to report and in what detail, in what format, and where. This Guideline, therefore, helps senior management go beyond regulatory compliance regarding risk reporting, and seize the opportunity to improve reporting practices to drive better performance. In addition, this Guideline recommends a preliminary step, that all organizations establish appropriate organizational structures and responsibilities for risk management and risk reporting.

In the future, successful businesses will be those best able to balance coping strategies, which are defensive and focused on avoiding downside risks, with an increasing mix of exploitation and exploration strategies, which embrace risk and make the most of the opportunities it presents. This will require more than just an improvement in traditional risk management tools; it will involve a shift in mindset and focus, where reliable, relevant, and sufficient risk management and reporting is considered a value-added activity. Organizations should leverage the Sarbanes-Oxley Act compliance efforts and investments to build a comprehensive risk management and risk reporting system and drive significant new business value from a complex and mandatory process.
BIBLIOGRAPHY

American Institute of Certified Public Accountants. 1994. Improving Business Reporting – A Customer Focus (Comprehensive Report of the Special Committee on Financial Reporting). New York: AICPA.

American Institute of Certified Public Accountants. 2004. Improving Business Reporting – A Customer Focus: Meeting the Information Needs of Investors and Creditors. New York: AICPA.

Accounting Standards Board. 2005. Reporting Statement of Best Practice on the Operating and Financial Review. London: ASB Publications.

Canadian Institute of Chartered Accountants. 2001. Management's Discussion and Analysis: Guidance on Preparation and Disclosure. Review Draft.

Canadian Securities Administrators. 2002. National Policy 51-201 Disclosure Standards.

Committee of Sponsoring Organizations of the Treadway Commission. 2004a. Enterprise Risk Management – Integrated Framework: Executive Summary Framework. New York: AICPA.

Committee of Sponsoring Organizations of the Treadway Commission. 2004b. Enterprise Risk Management – Integrated Framework: Application Techniques. New York: AICPA.

Companies (Auditing and Accounting) Bill 2003. Houses of Oireachtas, Ireland.

Epstein, Marc J. 2004. The Drivers of Success in Post-Merger Integration. Organizational Dynamics, Vol. 33, No. 2: 174-189.

Epstein, Marc J., and Rejc, Adriana. 2005. Identifying, Measuring, and Managing Organizational Risks for Improved Performance. Management Accounting Guideline. Hamilton: The Society of Management Accountants of Canada; New York: AICPA.

Ernst & Young. 2005. Corporate Governance Web Survey: Key Findings and Valuable Insights.

Financial Accounting Standards Board. 2001. Improving Business Reporting: Insights into Enhancing Voluntary Disclosures. Steering Committee Report, Business Reporting Research Project.

Institute of Chartered Accountants in England and Wales. 1993. Guidance on the Operating and Financial Review. London: Financial Reporting Committee, Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 1998a (revised in 2003). The Combined Code: Principles of Good Governance and Code of Best Practice. London: Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 1998b. Financial Reporting of Risk: Proposal for a Statement of Business Risk. London: Financial Reporting Committee, Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 1999a. Inside Out: Reporting on Shareholder Value. London: Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 1999b. Internal Control: Guidance for Directors on the Combined Code. London: Internal Control Working Party, Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 2000a. No Surprises: The Case for Better Risk Reporting. London: Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 2000b. Prospective Financial Information: Guidance for UK Directors. London: Institute of Chartered Accountants in England and Wales.

Institute of Chartered Accountants in England and Wales. 2003. Preparing an Operating and Financial Review: Interim Process Guidance for UK Directors. London: Financial Reporting Committee, Institute of Chartered Accountants in England and Wales.

International Federation of Accountants. 2002. Managing Risk to Enhance Shareholder Value. New York: International Federation of Accountants Financial and Management Committee.

K-Bro Linen Income Fund. 2005. Management's Discussion and Analysis and Interim Consolidated Financial Statements for the Period from February 3, 2005 to June 30, 2005.

Lang, Mark H., and Lundholm, Russel J. 1996. Corporate Disclosure Policy and Analyst Behaviour. Accounting Review, Vol. 71, No. 4.

Lev, Baruch. 1992. Information Disclosure Strategy. California Management Review, Vol. 34, No. 4.

TELUS. 2006. Enterprise Risk Management and Internal Audit at TELUS: Engagement, Discussion, Shared Ownership and Governance.

The 2005 Oversight Systems Financial Executive Report on Risk Management. Oversight Systems, Inc., May 2005.

Willis, Jim, and Adelowo Okunade, Albert. 1997. Reporting on Risks: The Practice and Ethics of Health and Safety Communication. Westport: Praeger.
also need to confirm that they need to comply with the provision or, where they do not, to provide an explanation. Additional guidance was developed to assist listed companies to implement the code requirements relating to internal control. This is now commonly known as the Turnbull Guidance and is based on a risk-based approach to internal control. It emphasises the need to incorporate this approach into normal management processes and is designed to enable companies to adapt the guidance to their own circumstances.

Under current provisions, corporate risk disclosure is still generally at the discretion of the board of directors of individual companies, and a matter of voluntary disclosure rather than regulatory compliance.

APPENDIX 2: EXISTING GUIDANCE ON VOLUNTARY DISCLOSURE AND FRAMEWORKS FOR ORGANIZATIONAL RISK REPORTING

The American Institute of Certified Public Accountants (AICPA, 1994, 2004) proposed a framework for voluntary disclosure aimed at improving the quality and effectiveness of financial reporting. To provide information for investors, companies should consider disclosing five different types of data and information: financial and non-financial data, management's analysis of financial and non-financial data, forward-looking information, information about managers and shareholders, and company background. The framework explicitly addresses external reporting, and is therefore primarily relevant to capital providers and financial analysts. It provides no specific guidance on the format, frequency of the report, or communication channels.

The Canadian Institute of Chartered Accountants' reporting guidelines (CICA, 2001) suggested a reporting framework that includes information concerning company vision (core business and long-term business strategy), critical success factors, capabilities (resources) to achieve desired results, expected results, and connected risks and opportunities. Again, the framework provides general instructions along with the content of an external risk report, without specifying the format, frequency, design, and communication channels.

The COSO Enterprise Risk Management – Integrated Framework (COSO, 2004a, 2004b) addresses risk management processes in general. It proposes that information is needed at all levels of an organization to respond to risks, and to otherwise run the entity and achieve its strategic, operational, reporting, or compliance objectives. Financial and non-financial information would include (a) external events, for example, market- or industry-specific economic data that signals changes in demand for an organization's products or services, (b) market intelligence on evolving customer preferences or demands, (c) information on competitors' product development activities, and (d) legislative or regulatory initiatives. Organizations should provide a risk map that displays significant residual risks that exceed the organization's risk appetite, or report on the target risk tolerances for specific performance measures and actual results. The framework also provides exhibits and application techniques, both qualitative and quantitative, that can be used in managerial reports on organizational risks. Qualitative techniques include likelihood risk rankings, impact risk rankings, or descriptive risk assessments. Quantitative techniques include probabilistic techniques (value at risk, cash flow at risk, earnings at risk, assessment of loss events, and back-testing) and non-probabilistic techniques such as sensitivity analysis, scenario analysis, and stress testing. The framework is very useful for overall risk management, but provides only limited specificity on the content, format, and frequency of the (internal and external) risk reports.

Epstein and Rejc (2005) provide a specific model, Risk Management Payoff Model: Calculating a Risk Management Initiative ROI, to calculate a risk management initiative ROI so that managers can integrate risks in their investment decisions. First, the monetary value of a risk management initiative benefit is calculated. Then, the total cost of a risk management initiative is summed, including front-end direct cost, disruption costs related to human and organizational factors, and operating costs of the risk management initiative. Finally, the risk management initiative ROI is calculated. Such a formula can be used to evaluate the payoffs of specific risk management initiatives and, as organizations make new capital project decisions, to
explicitly acknowledge the potential risks and costs of those risks on organizational profitability. This model is therefore primarily focused on internal risk reporting.

The SEC encourages companies to disclose forward-looking information in their annual reports so that investors can better understand a company's future prospects and make informed investment decisions. In a typical annual report, MD&A would be preceded by a section on the "Risks and Uncertainties That May Affect the Organization's Future Results", where the nature of forward-looking information would be explained and risks and uncertainties revealed. Here, words such as "anticipate", "project", "intend", and "believe", which describe future operating or financial performance, identify these forward-looking statements. Typical risks and uncertainties might include research and product development, financial risk management, international operations and foreign markets, patents and intellectual property rights, competition, government regulation and price constraints, litigation, tax legislation, and environmental law compliance. The SEC provides no specific directions on how risk and uncertainties information should be disclosed as to report structure and format, or what quantitative evidence is required. It is focused primarily on investors' risk reporting interests.

Guidance on general principles of risk disclosure is also offered by:

- Papers issued by professional bodies and research institutes (Institute of Chartered Accountants in England and Wales, 1998b, 1999a, 2000a, 2000b; International Federation of Accountants, 2002). All share the common goal of proposing principles and structures for approaching forward-looking disclosure and communication of a fair and integrated view of the company risk profile.
- The FASB Framework for Providing Voluntary Disclosure (Financial Accounting Standards Board, 2001). It includes identification of critical success factors, management's strategies and plans for managing those critical success factors, and metrics to measure and manage the implementation of strategies and plans. It also includes consideration of whether voluntary disclosure would adversely affect the organization's competitive position, and, if disclosure is deemed appropriate, a definition of how best to voluntarily present that information.
THE AUTHORS:

Marc J. Epstein is Distinguished Research Professor of Management at Jones Graduate School of Management at Rice University in Houston, Texas. He recently was Visiting Professor and Wyss Visiting Scholar at Harvard Business School. Prior to joining Rice, Dr. Epstein was a professor at Stanford Business School, Harvard Business School, and INSEAD (European Institute of Business Administration). Dr. Epstein has written previous MAGs for the AICPA and CMA Canada including co-authoring "Applying the Balanced Scorecard" and "Measuring and Improving the Performance of Corporate Boards Using the Balanced Scorecard", "Evaluating Performance in Information Technology" and "Identifying, Measuring, and Managing Organizational Risk for Improved Performance". He has also written other articles on strategic management systems and performance measurement, and over 100 articles and 15 books. In 1999, he wrote the award-winning "Counting What Counts: Turning Corporate Accountability to Competitive Advantage".

Adriana Rejc Buhovac is presently Assistant Professor at the Faculty of Economics at the University of Ljubljana. An expert in the design and implementation of performance measurement and evaluation systems, Dr. Rejc Buhovac is the author of numerous papers including "Determinants of Performance Measurement System Design and Corporate Financial Performance", "Toward Contingency Theory of Performance Measurement", "How to Measure and Improve the Value of IT", and "What's in IT for You (and Your Company)". In addition to her research on the topic, Dr. Rejc Buhovac has worked with numerous companies on the evaluation of performance of the human resources function, and on the implementation of strategic performance measurement systems. She is a member of the Editorial Board of the Advances in Management Accounting (AIMA). With Marc Epstein, Dr. Rejc Buhovac coauthored two recent Management Accounting Guidelines for CMA Canada and the AICPA: "Evaluating Performance in Information Technology" and "Identifying, Measuring, and Managing Organizational Risk for Improved Performance".
This Management Accounting Guideline was prepared with the advice and counsel of:

Barry Baptie, MBA, CMA, FCMA
Board of Directors
VCom Inc

Richard Benn, MBA, CMA, FCMA
Vice President Knowledge and Program Development
CMA Canada

Ken Biggs, CMA, FCMA, FCA
Board Director and Business Consultant

Dennis C. Daly, CMA
Professor of Accounting
Metropolitan State University

William Langdon, MBA, CMA, FCMA
Knowledge Management Consultant

Melanie Woodard McGee, MS, CPA, CFE
Director of MBA Programs
The University of Texas at Arlington

David L. Tousley, MBA, CPA
Chief Financial Officer
airPharma, LLC

Robert Torok, MBA, CA
Executive Consultant
IBM Global Business Services

Kenneth W. Witt, CPA
Technical Manager, The New Finance
American Institute of Certified Public Accountants
The views expressed in this Management Accounting Guideline do not necessarily reflect those of the
individuals listed above or the organizations with which they are affiliated.
For additional copies or for more information on other products available contact:
In the U.S.A.: American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775 USA
Tel (888) 777-7077, FAX (800) 362-5066
www.aicpa.org
Visit the AICPA store at www.cpa2biz.com