Rising to the challenge A review of risk and viability disclosures in September 2015 annual reports January 2016 Contents 1. Introduction 0105 2. Acid test 02 3. Have companies improved their risk disclosures? 03 4. Have boards risen to the viability statement challenge? 07 5. How well do companies explain their monitoring of risk management and internal control systems and the review of their effectiveness? 12 6. Conclusion 15 7. Appendix: companies reviewed 16 8. Contacts 17 1. Introduction Since the Financial Reporting Council (FRC) updated the UK Our sample of 14 ARAs is relatively small as we reviewed only Corporate Governance Code (the ‘2014 Code’) in September 2014, those FTSE 350 companies that had published their ARAs by 6 the new provisions on risk management and viability have been the January 2016.1 We scoped our review in this way in the interests subject of widespread discussion. of providing our observations as quickly as possible, so that they may be of help to premium listed companies with December 2015 In particular, and unsurprisingly, the new viability statement has year-ends as they finalise their processes to comply with the 2014 taken centre stage. With its roots in the findings of the Sharman Code and draft their ARA disclosures. Inquiry, this new requirement represents a shift in the way companies and their boards need to publicly articulate their view Our review focused on the disclosures companies made, but as of the company’s prospects and, for some, in the way they think we have emphasised previously,2 the viability statement is the end about and prepare for the future. product of much internal activity. The processes underpinning the statement are key and these should offer benefits that extend Although a handful of companies chose to adopt some of these beyond simply complying with reporting requirements. Embracing new provisions early, annual reports and accounts (ARAs) of the spirit of the new viability requirements should bring additional premium listed companies with 30 September 2015 year-ends are opportunities through encouraging a better understanding of the first that are officially required to ‘comply or explain’ under the risk appetite, enhanced business resilience and, ultimately, the 2014 Code. We have conducted a review of the risk and viability potential for improved financial performance. disclosures of a sample of these ARAs to assess how companies have risen to these new challenges set by the 2014 Code and to draw out trends and leading practice. 1 In total, there are 22 FTSE 350 companies with 30 September year-ends. 2EY, The viability statement: Finding opportunities in the new regulatory challenge, March 2015. Rising to the challenge: a review of risk and viability disclosures in September 2015 annual reports 1 2. Our ‘acid test’ As we conducted this review, we found that reading risk and Risk management and internal control disclosures: viability disclosures in isolation was difficult. The importance ► How are the principal risks mitigated and controlled of reviewing key related and relevant narrative disclosures by the company’s systems of internal controls and risk e.g., business model and strategy, was brought to the fore. management? In our September 2015 report, ‘Reflections on the past, direction for the future’, we included an ‘acid test’ — a set of ► How does the board monitor material controls on an key questions that preparers or reviewers should be able ongoing basis to gain assurance that principal risks are to answer clearly having drafted the narrative within their being effectively managed and to take corrective action if ARAs. they are not? We include our acid test here again to help preparers and ► What did the board’s review of the effectiveness of these reviewers put all disclosures in context. The questions systems encompass? with the most relevance for risk and viability reporting are ► Has the board identified significant failings or highlighted in grey. We believe that investors too should view weaknesses? the new disclosures with these same questions in mind. ► What was the basis for determining what is ‘significant’? Business model: ► Is it clear what actions have been or will be taken to address significant failings or weaknesses? ► How does the company make its money? ► What are the key inputs, processes and outputs in the value Viability statement: chain, and how are the company’s key assets (including its ► Over what timeframe has the board considered the physical assets, IP, people, technology, etc.) engaged in the viability of the company and why? value chain? ► What process did the board use to assess viability? Strategy: ► Does the board understand which, if any, severe but ► What is the company’s competitive advantage? plausible risks (or combination of risks) would threaten the viability of the company? ► How does the business model help deliver and sustain this over time? ► What assurance did the board obtain over relevant elements (e.g., stress testing)? Key performance indicators (KPIs): What assumptions did the board use in reaching ► What are the key metrics the board uses to measure progress ► against its strategic objectives? their conclusion? ► How has the company performed against these metrics and how are these linked to the remuneration of key executives? Governance: ► What did the board and its committees actually do in the year Risk appetite: to govern the company? ► What levels of risk are the board willing to take in pursuit ► What, if any, changes were made to governance arrangements of its strategy? during the year and why? Principal risks: ► What areas for improvement were identified from the board evaluation and what progress was made against actions from What are the risks to the successful delivery of the ► the previous evaluation? strategy and operation of the business model? ► How is board composition and succession planning being In addition, given the latest changes to the Code, what ► managed, giving due regard to skills, experience and diversity? are the risks that pose the greatest threat to the viability of the company i.e., solvency and liquidity risks? ► How did the board seek to understand the views of shareholders during the year and what, if any, action was taken as a result of feedback? 2 Rising to the challenge: a review of risk and viability disclosures in September 2015 annual reports 3. Have companies improved their risk disclosures? It is also useful to describe the overall context or risk environment 2014 Code Provision in which the company operates before delving into specifics. SHAFTESBURY ANNUAL REPORT 2015 STRATEGIC REPORT 059 Shaftesbury plc’s description illustrates leading practice (page C.2: Risk Management and Internal Control 59) because a reader can then ‘benchmark’ the risk management Main Principle activities, processes and controls against this context: Risk The board is responsible for determining the nature and extent of the principal risks it is willing to take in “ Important factors in the relative low risk of our business achieving its strategic objectives. The board should maintain include: management sound risk management and internal control systems. Management structure ► The Group invests only in London’s West End, where there is (Emphasis added) a long history of resilience, stability and sustained occupier As a foundation to effective day-to-day risk management, we C.2.1 The directors should confirm in the annual report that demand for our principal uses of retail, restaurants and The Board’s encourage an open and honest culture within which staff can leisure operate.they have Our carried management out a robust team, assessment based in one of office, the principal within risks facing the company, including those that would fifteen minutes’ walk of all our holdings, comprises four executive ► With a diverse tenant base, there is limited exposure to any attitude to risk directorsthreaten andits business 21 employees. model, This future stable performance, management solvency team, with single tenant anor average liquidity. tenure The directors of over 15should years, describe has an in-depth those risks knowledge and of ourexplain business how andthey the are West being End. managed or mitigated. ► The nature of our portfolio does not expose us to risks management (Emphasis added) inherent in major speculative development schemes The Board’s attitude to risk is embedded in the business, with senior management having close involvement in all aspects of ► We have a small and stable management team, based in one operations and significant decisions. This involvement extends to location, close to all our holdings is consistent the Non-Executive Directors, who approve all transactions over a specified level. We hold regular portfolio tours for the Board, to ► The Board manages our balance sheet on a conservative basis with moderate leverage, long-term finance, a spread of Theinstil viability a deep statement understanding is underpinned of our business by the strategyboard’s responsibilityand model. loan maturities, good interest cover and with the majority of with its low for risk. Companies must establish their risk appetite, identify the SEE PAGE 33 FOR OUR MANAGEMENT TEAM’S EXPERIENCE interest costs fixed.” principal risks that are specific to their company and explain how theseThe relatesenior to management viability. team below Board level is incentivised in overall appetite the same way as executive directors to achieve the Group’s Our review found that some companies have enhanced their risk Westrategic consider goals it good of deliveringpractice to long-term explain the outperformance. risk assessment processDecisions and arethe made various for roles long-term and responsibilities benefit, rather for than risk short- disclosures, but many could do more to help readers understand for risk managementterm gain. Succession in the company planning as succinctly across the as management possible. See team is the company’s approach to principal risks and their management Shaftesburymonitored plcby the(Figure Board.