Print this post
My colleague, Garry Honey, observed in a recent FutureValue Briefing paper that: “The Strategic Report [ … ] marks a significant change in the way risk is to be reported”. As he points out it links risk and strategy explicitly in corporate reporting for the first time. This in turn demands the reporting of strategic and not just operational risk, as is typical of some many of the UK’s major quoted companies. Thirdly, this new regulatory requirement puts a premium on risk governance as opposed to mere risk management. “Risk governance”, as Garry observes, “is a board responsibility as distinct from risk management which is a functional activity. Governance requires the setting of culture, appetite and tolerance as well as the oversight of a risk management function.”
Reflecting on this, the more one examines how risk is to be reported going forward the more one becomes aware of not only how few companies truly understand what strategic risk is, but also that the regulatory specifications for the Strategic Report simply don’t go far enough. Let me explain. By way of example consider what constitutes the only declared “business strategy risk” for Tesco. It lists as a principal risk in its 2013 Annual Report : “If our strategy follows the wrong direction or is not effectively communicated or implemented, the business may suffer”. Tesco is inferring in proclaiming this risk as principal that its Board may not be setting the Company’s strategic agenda correctly, or that the Board may not oversee the implementation of that strategy satisfactorily. Tesco is not alone in this. Other companies take a parallel tack with similar wording. The two questions this poses are: ‘Is this truly a strategic risk?’; and, ‘Should there not be more reported information in the current Business Review to explain how the full Board, non-executive and executive, engages in setting the strategic agenda of the business and the outcomes of their deliberations’? In Tesco’s case the only mention in the Annual Report of its Board’s strategy-related governance role is in the Corporate Governance chapter, and there is no requirement for that to change with the new Strategic Report.
There are companies that do try to report strategy-related governance processes effectively. Tullow Oil, BAE Systems and ARM Holdings are just three of them. But for those such as Tesco that seems to think a potential failure of strategy-related governance is a ‘principal risk’, investors could surmise that the only comprehensive mitigation of this risk would be to replace the Board – lock, stock and barrel. Perhaps it is time for everyone to understand what strategic risk truly is, Boards and regulators alike?