Executive Summary - The Reporting of Organizational Risks for Internal and External Decision Making 

    Published January 11, 2007


    The regulatory pressures for improved risk assessment and reporting on internal control have increased around the world. The reason: corporate accounting failures, frauds, internal control breaches, and governance failures have been seen in companies and countries that thought they were immune to these events. In response, the requirements of the Sarbanes-Oxley Act of 2002 in the U.S. and similar new regulations in other countries are among the many prominent forces driving improved corporate governance and transparency. The risks that organizations face are larger and more varied, and have more global effect. These risks relate not only to reporting and compliance; they also include strategic and operational risks. Increased corporate strategic alliances and business partnerships also create growing risk interdependencies.

    Although risk assessment processes generally have improved, inadequate risk reporting in some organizations has led to a failure to fully integrate identified risks into strategic and operational decisions. When planning a merger or an acquisition, for example, how confident can one be about the expected gains without carefully considering all potential risks, including their assessed magnitude and probability of occurrence? Decision-makers need to understand the various organizational risks, to minimize mistaken investments that can cause significant organizational costs. Managers need good risk reporting systems to integrate risk evaluation into (a) their operational and capital investment decisions, (b) review of performance, and (c) compensation decisions. Improved organizational risk assessment and internal risk reporting is critical also for senior management and boards of directors, who are responsible for carefully establishing and reviewing corporate processes for identifying, assessing and managing risk.

    The demand for disclosing risk externally is also growing. Investors, financial analysts, and other external stakeholders are increasingly aware of the critical role of proper risk management. They want better information on the various risks organizations confront, and how to address them, and are interested in organizational risks far beyond the traditional scope of financial risks. They want concrete assurance that a sound system and process is in place to identify, assess, and manage risks, so that they can better evaluate corporate performance and make more informed decisions.

    Increased measurement and reporting of this broader set of risks is necessary, not only to meet the new regulatory requirements but also to improve managerial performance and stakeholder confidence. Senior corporate managers need to develop ways to effectively communicate organizational risks and risk management processes both internally and externally. They face decisions on what to report to each audience, and the form of risk reports, including how much detail to include. Senior management therefore needs to clearly understand the risks and promote disclosure to both internal and external decision-makers without causing unnecessary alarm or increasing reporting and compliance risks. A more effective organizational risk reporting system can provide internal and external stakeholders with information they need to (a) craft strategy, (b) make investment and other business and personal decisions and, at the same time, (c) inspire confidence in the organization’s financial reporting and disclosure. This increased focus on risk can turn risk management and risk reporting into an opportunity and reward.

    This guideline addresses these important issues and provides guidance on reporting risks to aid both internal and external decision-making. The Guideline’s specific objectives are:

    • To discuss the role and importance of risk management and reporting for improved strategic and operational decision-making by senior management and other managers (The Risk Reporting Contribution Scheme). This Guideline focuses first on internal risk reporting, then on external risk reporting.
    • To address specific risk reporting questions, including the content of risk reports, their format, placement, distribution, and communication, and the intended impact of risk reporting (The Risk Reporting Model). Again, these questions will be addressed firstly to internal audiences’ needs and requirements, then to those of external audiences.
    • To provide templates for real-time and periodic internal and external risk reports.
    • To discuss the challenges in risk reporting, including the potential for inappropriate decision-making or dysfunctional behavior of internal and external audiences.
    • To discuss the importance of balancing the desire for a complete and fair presentation of organizational risks with avoidance of overreaction that could reduce the appropriate risk-taking necessary for business success.
    • To provide guidance on organizational structure and responsibilities related to risk reporting.

    The target audience of this Guideline is (a) CEOs and CFOs, (b) senior management teams, (c) boards of directors, (d) members of audit committees, and (e) accounting, internal audit, and finance professionals, all of whom confront challenges of risk assessment, risk analysis, risk control, and risk reporting. The Guideline may also be useful for external auditors, in particular those who attest to and report on management's assessment of the effectiveness of internal control over financial reporting.


    Copyright © 2006-2015 American Institute of CPAs.