Risk managing transparency

Today, all sorts of stakeholders, clients, employees, NGOs, public bodies and business partners want to know more about the way companies operate. European risk managers believe that bringing requirements for corporate transparency within the enterprise risk management process will help identify the risks and opportunities they create.

Since the 2008 economic crisis unleashed a wave of anti-globalisation sentiment, companies have faced demands to be more open about the way they conduct business, from tax planning to their employment and environmental practices. Company reports are no longer limited to financial and economic information for shareholders.

Reputation and brand appear regularly among the top 10 risks featured in FERMA’s European Risk and Insurance Report, which contains the results of a biannual survey of risk and insurance managers across Europe. This concern about reputation extends to corporate transparency. When a company puts figures and data into the public domain, it can be vulnerable and exposed. Information reduced to a standardised format, out of the context of the company’s whole value chain, may be open to misunderstanding.

USE OF DISCLOSURES

In March this year, the NGO Oxfam and Fair Finance Guide stated that their report on the use of tax havens by European banks, Opening The Vaults, was only possible because EU rules now require banks to publish a country-by-country breakdown of their profits and tax payments.

At present, EU country-by-country reporting requirements are only mandatory for extractive industries and banks, but they are likely to be extended much further. The initial proposal from the European Commission was for them to apply to companies with an annual turnover of at least €750 million, but MEPs have called for a much lower limit: as little as €40 million annual turnover. Even at the higher threshold, about 6000 more companies will be obliged to publish their profits and tax payments in every country.

EU legislation on country-by-country reporting is still under discussion, but in many European countries these larger companies now have to provide the information to their tax authorities under national legislation adopted to follow the OECD Base Erosion and Profit Shifting (BEPS) Measures.

The BEPS project began in 2013 because of public concern about the perceived inadequacies in the global international tax system for multinational companies. Its aim is to build stronger connections between taxable profits and the business functions that contribute to value creation – and give tax authorities greater insight into the companies’ total operations.

As the BEPS measures do not require public disclosure, they are less likely to have the same immediate reputational impact as the EU proposed country-by-country reporting. Any impact in changes to corporate taxation could, however, be picked up from published accounts.

There is concern how the tax authorities could regard some special purpose vehicles and captive insurance companies. If the management is outsourced, for example, such entities may show an apparently disproportionate revenue compared to the number, if any, of employees. The risk manager needs to make sure the report describes the real purpose and risk management value of such arrangements.

We also know from the 2014 FERMA European Risk and Insurance Report that half the responding risk managers were concerned that disclosure of profits and paid taxes on a country by country basis would pose a confidentiality issue regarding strategy.

NON-FINANCIAL REPORTING

A second aspect of transparency is non-financial reporting. Under the EU Non-Financial Reporting Directive, which comes into effect from this financial year, large European companies must provide a statement of the company’s principal non-financial risks and how it is dealing with them. These nonfinancial elements are mainly environmental, social and employee matters, what are often called corporate social responsibility (CSR), and diversity issues.

Risk reporting is a key element of the risk manager’s role, and because of the cross-functional nature of the risk manager’s role they are well placed to provide assurance that such risks have been identified and managed. Based on the responses to the 2016 European Risk and Insurance Report, we believe some risk managers may find it worthwhile to strengthen their interaction with corporate social responsibility and sustainable development in the context of non-financial reporting. These departments may be less familiar with risk management processes than operational roles.

Compiling an annual report for a large company, especially one that is listed on at least one major stock exchange, is a multi-handed operation. At some stage in the process, the content of the report should be assessed using risk management methods to anticipate possible reputational issues when it is released.

Non-compliance with legal and regulatory requirements accelerates the reputational risk exposure of a company significantly. Companies are absolutely aware of the new requirements and very keen to assure full compliance. The difficulty is a partly unclear and globally inconsistent landscape of rules, according to some risk managers.

Many risk managers already contribute to the annual report and should be among the strategic advisors that the board uses when talking about transparency, because they have extensive knowledge of what could damage the company’s reputation. They already produce internal risk reporting for the management and the board and work with a risk database which contains much useful information.

In the production of the reports, the risk manager should work closely with the company’s communications experts and investor relations. In comparatively small enterprises, there is already likely to be a good personal relationship with these functions, but in very large, widely dispersed groups, more formal procedures are likely to be useful.

They should all be aware of sensitive areas of disclosure, especially those that come under the risk manager’s area of expertise, and ensure they are clearly explained. Between them, they can also identify positive aspects of the report and use them to position the company as a good corporate citizen.

Risk managers believe that the value of reporting risks also goes beyond concern for reputation management. The thorough risk knowledge necessary to comply with these new requirements will strengthen enterprise risk management as a global decision-making tool.

FERMA board member Helle Friberg and Lene Ritz, a member of the Danish risk management association, contributed to this content.