David Phillips and David Bishop say that risk managers could have a pivotal role in developing the Operating and Financial Review

Are your company's objectives, strategy, business plans and management information clearly aligned? Do you feel comfortable in communicating this information externally? If not, it is unlikely that your company will be able to deliver effectively on the new Operating and Financial Review (OFR) regulations.

The OFR regulations ask companies to provide investors with information that will assist them in assessing the strategies adopted by a company and the potential for those strategies to succeed. This information should be balanced and comprehensive, and should include non-financial and forward-looking information. This is no small challenge.

Risk managers might be tempted to look upon the OFR as simply another reporting concern, taking note of the regulatory pitfalls of not complying, and expecting to provide some input from the traditional areas of market, financial and liquidity risk. But this would be to miss the point of the OFR and its potential to place the risk manager in a pivotal role. Risk managers have an opportunity to use their unique position to help the board clearly understand the interrelationship of strategy, risk and performance, the information needed to monitor it, and how it might be reported inside and outside the company. By playing a key role in developing the OFR, risk managers may find themselves having a direct impact on the public perception and market value of their company.

Seeing the bigger picture

The downside risks associated with the OFR should not be underestimated (see panel). The main internal risk is that the company fails to plan adequately for the new regulations, the danger being that information gaps are identified too late in the process to be addressed, or that the information available is inadequate, or too unreliable for use in the OFR. Failure to meet the requirements of the OFR regulations could expose the company to legal challenges: the Financial Reporting Review Panel has been given authority to review OFRs for compliance, and can, in certain circumstances, seek an order requiring directors to revise their report.

Externally, evidence suggests that first mover advantage applies: those that produce the first, high-quality OFRs will be able to shape the information demanded by investors and other groups. Other companies will then be encouraged, if not forced, to provide similar information, regardless of whether it is appropriate to their business model. The OFR will also open up new areas of corporate reputation to scrutiny and debate. Failure to paint a convincing picture will expose companies to unjustified comparisons and difficult questions from investors and other groups.

Upside opportunity

However, unlike some other aspects of governance reform, the OFR has the potential to offer real value to investors and directors alike.

Within the organisation, embracing the spirit of the regulations rather than the letter of the law should encourage enhanced business understanding, improved governance and board effectiveness. For example, the OFR process can provide an opportunity for boards to question the depth and breadth of the information they use to manage the business, and to assess whether they are using their limited time most effectively.

In the outside world, the OFR offers the potential for enhanced investor understanding. In the long run, a company that improves the scope, clarity and transparency of its reporting, as envisaged by the OFR regulations, can expect improved market valuations. Where an OFR demonstrates a clear understanding of the linkage between strategy, risk and performance, research suggests the result should be a higher share price and lower cost of capital.

Relationships with key stakeholders may also be improved.

The risk manager's pivotal role

Risk managers can play a pivotal role in helping directors to shape the OFR. They can also use the OFR process to corroborate, and possibly enhance, the established risk framework of the business. Four principal elements of the risk manager's role can be identified:


At the most senior level, the risks and potential rewards from going beyond a compliance-based approach to the OFR need to be understood and conveyed to board directors. By its very nature the OFR embraces all the most critical aspects of business activity.


During the process of identifying and compiling information for inclusion in the OFR, the risk manager is well placed to work alongside the individual responsible for the OFR by bringing together the various information owners who may be required to contribute. Some of these individuals may have alternative agendas; some may not have contributed to the OFR, or worked together before. The risk manager, however, is likely to have a working relationship with each of them.


The risk manager is perhaps uniquely placed to look across the company, and at all its functions and operations, to ensure that the OFR provides a clear and coherent picture of the link between strategy, risks, resources, relationships and performance. For example, does the board's espoused strategy for attracting the highest quality personnel fit with the recruitment and training policy adopted in the human resources department?


As the process of compiling the OFR develops, risk managers can ensure that the management team has fully considered whether the company has the capabilities needed to produce the OFR - for example, whether there are robust systems, controls and governance procedures in place around the new sources of information being reported.

Understanding good practice

Having highlighted these key roles, exactly what type of information and insight can the risk manager contribute to good corporate reporting in the context of the OFR? Moreover, what might OFR good practice look like?

PricewaterhouseCoopers' recent publication, Trends 2005: Good Practices in Corporate Reporting, provides a useful reference source. Trends 2005 highlights 42 companies from a wide range of geographical areas and industry sectors, all demonstrating a good practice in external reporting that goes beyond the traditional financial reporting model. The publication focuses on contextual and non-financial reporting and the linkage of strategy to performance - precisely the outcome envisaged by the OFR regulations.

In preparing Trends 2005, companies' external communications (primarily annual and corporate responsibility reports, but also websites and analyst presentations) were evaluated against the PricewaterhouseCoopers ValueReporting Framework - the codification of nearly ten years' research into the information needs of management and investors. This framework shares a common goal with the mandatory OFR - the need to explain a company's past and potential performance in sufficient context. It emphasises the linkage between the external marketplace, the strategies a company adopts in the light of that market, the way that the company manages its risks, resources and relationships to deliver on its strategies, and the resulting operational performance outcomes.

While some companies identified in Trends 2005 use strategic priorities or value drivers as the central theme of their communication, others use risk. A few examples of companies that go further than the traditional risk disclosure are highlighted below.

Risks, resources and relationships

UK food group Geest is one of the 42 companies included in Trends 2005.

Geest is impressive for the way that it clearly sets out its key risks, resources and relationships as seen through the eyes of company management and directors. It describes five areas that it considers fundamental to the company's success - food safety, its customers, consumers, employees and investment (while also informing readers that the board has identified over 30 subsidiary risks which fall into one or more of these main categories).

The company gives illustrative examples of how 'these five big risks' are managed, and explains how they are monitored.

Linking risk to strategy execution

Indian company Infosys also provides an excellent example of reporting, which clearly links risk identification and management with business objectives.

It offers a high-level explanation of its process for risk identification, assessment and control and the importance of managing risk within the context of its strategy. It summarises its overall business objectives alongside the external and internal risk factors it faces, and, for each risk factor, clearly explains why it constitutes a risk and how the company mitigates and manages it. Each explanation is supported by data that quantifies the extent of each risk factor. For example, Infosys has identified the concentration of revenues as an external risk factor, a risk it manages by choosing to limit the revenue from any one client to a maximum of 10% of total income. The reasoning behind this risk, and the policy for managing it, is clearly explained. Data is then given to illustrate the policy in action, including for example, numbers of clients added during the year, the percentage of revenues from the largest client, and from the top five and ten clients.

The drivers of sustainable value

Another company noted for the quality of its reporting in Trends 2005 is rail operator MTR from Hong Kong. MTR outlines its approach to risk management clearly. It explains the reason for embedding sustainability into the company's risk management practices and describes the company's four-stage approach to managing risk, starting with identification, and ending with monitoring and reporting. MTR also summarises the company's priority business risks under clear headings in tabular format, with corresponding performance indicators. For example, one of the priority business risks in the social responsibility category is 'Maintaining passenger numbers', for which a number of performance indicators are given. MTR then goes on to summarise its performance against quantitative safety targets for the financial year.

Leadership and the right mindset

These three examples demonstrate how the reporting of risk under the new OFR can go beyond the traditional market and liquidity risk disclosures that most companies are accustomed to. They also illustrate the high degree of transparency to which leading companies aspire in their corporate reporting.

Delivering the transparency envisaged in the OFR cannot be achieved by adopting a compliance mindset. Taking an overly legalistic approach to OFR preparation is likely to lead to a document that falls short of achieving the greater transparency that the OFR regulations envisage. Achieving the right mindset is a leadership issue. Risk managers need to help boards understand the potential impact of the new regulations, as well as the opportunities that may exist. It is important that risk managers decide early on what role they have to play in preparing the mandatory OFR. The potential exists for them to make a major impact on the process.

David Phillips is head of ValueReporting and David Bishop is head of Risk Assurance Services, PricewaterhouseCoopers, Tel: 020 7804 6814.