The Brexit referendum is dominating public debate in the UK, with everyone feeling uncertain about the outcome. It is no surprise then that CFOs in the UK are ranking it the most significant business threat.
Tightening monetary conditions, economic weakness, interest rates and emerging markets also present extremely volatile business conditions. Not to mention the risk associated with the US elections and Mr Donald Trump.
Like everyone else, the Bank of England (BoE) is talking about Brexit. In an interview with Andrew Marr, Mark Carney defended his statement that Brexit ‘could possibly lead to a technical recession’ by explaining that:
‘We (BoE) also have a responsibility to explain risks and then take steps, because by explaining them… what we would do to mitigate them, we reduce them. And that is the key point. Ignoring a risk is not to reduce it’
This is why the clear communication of potential risks is paramount. Risk reporting all too often becomes boilerplate as companies are not willing to disclose information that may hinder their competitive advantage. But companies also have a responsibility to explain to their shareholders risks that may affect future forecasts and financial results.
Risks are constantly changing. In the area of cyber risk, for example, sound risk management and the communication of it contributes in itself to overall corporate governance and it should be treated as an integral company process rather than a compliance activity.
Companies that are risk resilient are able to withstand business disruption by relying on their internal controls and management technique. Those that are agile are able to respond rapidly to changing market dynamics. Companies that are both resilient and agile are expected to see a significant increase in revenue and sustainable growth.
The lesson is don’t ignore, communicate more. The Institute of Internal Auditors recommends that business risks are addressed using the ‘three lines of defence’ model. This is consistent with the UK Corporate Governance Code (and its supporting guidance on internal controls) and provides an effective way to enhance risk management communications to ensure the organisation promotes clarity of risks and internal controls. It mitigates risk at three levels; operational management, risk management and compliance functions and the internal audit increasing the transparency.
Strong risk management requires coherent and succinct internal reporting. There is limited use in identifying business risks without sharing the information internally and externally. That just leaves a company susceptible to a potential failure in operations with possible detrimental financial implications.
Fundamentally, the importance lies in determining the risks that are relevant to your business, and explicitly explaining the impact on your company’s operations, rather than addressing general market risks in a general manner.
This will mitigate the risk and by mitigating the risk, the risk itself is reduced.