Thursday, 19 September 2013

Financial Reporting Council - documenting 'principal risks' in Strategic Reports

I had recently spotted that the UK's Financial Reporting Council had issued draft guidance on the compilation of the Strategic Report for listed entities. This segment of a company's Annual Report and Accounts (currently called the 'Business Review') has been a rather ubiquitous and clunky affair regardless of industry, delivering little information to prospective and existing shareholders about how the company's risk profile, appetite, preferences etc. are catered for when executing its strategy.

Strategic reporting for UK companies - elimination of flannel?
Insurers have been prominent in efforts to improve this, though driven more by the need to pacify the FSA/PRA than by Parliament - see "risk appetite" break out from its box in Aviva's AR&A between 2007 and 2012 for example - but the fact that a substantial piece of statutory reporting generally in the hands of executive management can potentially stray from the lexicon and structure of their increasingly professionalised Control Functions (and for banks and insurers, potentially their Internal Models), is clearly one that warrants some focus.

The Strategic Report will be compulsory content for Annual Reports and Accounts from October (Companies Act 2006 414C). The FRC's (non-mandatory) guidance regarding the incorporation of risk-related material into this section is to address the requirement on p2 that the Strategic Report;
...should include a description of the principal risks and uncertainties facing the company
The FRC's specific definition of Principal Risk is found on p35 of the draft guidance as;
A risk or combination of risks that can seriously affect the performance, future prospects or reputation of the entity. These should include those risks that affect the viability of an entity.
The draft guidance (p23) aims to tack on a few definitional aspects of how "risks and uncertainties" are reported in the context of strategy, most pointedly;
  • [The risks] should be limited to those considered by the entity’s management to be the most important to the future development, performance or position of the entity. They will generally be matters that the directors regularly monitor and discuss because of their likelihood, the magnitude of their potential effect on the entity, or a combination of the two
  • Principal risks or uncertainties with potential effects of such a magnitude that they may threaten the entity’s viability (ie its solvency and/or liquidity) should be explained fully and given due prominence
  • Directors should consider the full range of business risks including commercial, operational and financial risks
  • The descriptions...should be sufficiently specific that a shareholder can understand why they are important to the entity. This might include a description of the likelihood of the risk, an indication of when the risk might be most relevant to the entity and its possible effects. Significant changes...such as a change in likelihood or possible effect, or the inclusion of new risks, should be highlighted and explained. An explanation of how the principal risks and uncertainties are managed or mitigated should also be included.
  • Where the risk or uncertainty is more generic, the description should make clear how it might affect the entity specifically.
Prudential provide a good example here (from p72) of how this is currently done by an insurer - the fact that it is buried in 75 pages of 'Business Review' underlines why the streamlining of this work has become of statutory interest!

Interestingly, the FRC note that the definition for "principal risks" has been developed/derived from previous FRC work, supplemented by work from the Sharman Inquiry - all of that therefore feels well divorced from anything produced by the IRM/Actuarial Profession/EIOPA around risk categorisation, and leads to the same bridging work I have been involved in previously; namely, reconciling how one manages and monitors risk within the business against what one reports externally. Might we have expected to see some kind of compulsory categorisation of "principal risks" in here that favours the financial services industry who arguably carry the largest set?

Much of the other compulsory material in the Strategic Report (with exemptions) touches on other topical or sensitive matters such as;

  • Inclusion of key performance indicators in the report ("...where possible, they should be accepted and widely used")
  • Information on environmental matters, staff and social/community/human rights issues
  • Information on gender splits at Board, Senior Management and All-company level
I may throw some feedback in to the FRC on this paper - comments welcome until late November. Externally, the main change for insurers will be trimming down some of the fluff and flannel already produced in the space. Internally, aligning the concept of "principal risks" with existing ERM programme/Internal Model lexicon may be a bigger job for anyone operating on a shoestring.
