I have often wondered what purpose risk statements serve. Are they there to inform investors? Or to protect auditors and managers from litigation? Or maybe they just continue to exist because no one has ever asked the right question.
I have looked at thousands of risk statements and they are almost always useless. Key risks are often omitted and many supposed ‘risks’ are no more than a statement of the obvious.
Companies that are heavily reliant on a high-profile, charismatic CEO don’t usually disclose this as a risk
I used to follow an Italian company that demerged from its parent. Under Italian law, it was liable for several years if its former parent defaulted on a €3bn bond. This was not mentioned in the prospectus. I asked why and was told that it was considered unlikely. This risk then appeared in the next annual report without any explanation of why it was now considered worthy of inclusion. I don’t know whether the initial omission was deliberate or accidental, but I do know that no action was taken against the company or its advisers.
I can think of many other examples where material risks are missing. Companies that are heavily reliant on a high-profile, charismatic CEO don’t usually disclose this as a risk, and potentially fatal health issues are often kept private. Having major investments in a region with rising geopolitical tensions that may lead to conflict is another frequent absentee.
Privately controlled but listed companies sometimes have unusual arrangements covering the ownership of properties or brands, which again fail to make the list.
The answer is, I suspect, twofold. First, the people who write these statements are concerned primarily with posterior concealment. They want to minimise the risk to themselves or their clients of being sued. There is no requirement to quantify these potential risks with probabilities or costs, so it’s safer to include lots of generic waffle, just in case. No one gets promoted because they managed to reduce the scope of the risk statement.
I learned more about the company from the 45 pages of risk statement than in the rest of the report
The second answer is that risks that might be embarrassing are often excluded. Investing in a country with endemic corruption, building a factory on a flood plain, being overly reliant on one or two key people – these are all in effect judgments and classifying them as risks might be embarrassing for senior management or cause a public relations storm.
I remember asking a senior German executive why he was investing billions in one of the most corrupt countries on earth and received a baffled stare in response. Corporate group-think was that the problems in this country could be managed with robust governance. The annual report blandly states that EU relations with this country are a ‘risk’ but fails to provide any colour.
Getting it right
I said above that risk statements are ‘almost always useless’, but there are exceptions. I recently read the 20-F annual report for a Brazilian company whose shares trade in the US. The risk statement ran to 45 pages and was absolutely fascinating. It provided a comprehensive overview of the trading environment and its key suppliers and customers. I learnt more about the company and the country in those 45 pages than in the rest of the report.
In my more cynical moments, I wonder whether we just need one generic risk statement – ‘management may be corrupt or incompetent; the future may be not as we imagine it’ – but there has to be a better way.
Risk statements should be company-specific, detailed where necessary, and illuminating. The gold standard should be the briefing given to an incoming non-executive director who wants to really understand how the company operates. It’s the job of non-execs to worry about the future. Their concerns should be shared, not sanitised.