FTSE 100 companies are failing to provide shareholders with adequate information on the risks facing their business, or on the effectiveness of measures taken to mitigate them, suggests new research by the Chartered Institute of Internal Auditors (The Institute).
The Institute says that just 32% of FTSE 100 companies currently provide any tangible metric on risks, or mitigation, within the strategic report section of their annual reports, in which companies are expected to give a balanced and comprehensive review of the company position and principal risks faced.
The Institute explains that under the Companies Act 2006, all FTSE 100 companies are required to include a ‘strategic report’ within their annual report (as of September 2013). Financial and non-financial Key Performance Indicators (KPIs) are to be included ‘to the extent necessary for an understanding of the development, performance or position of the company's business’.
The Institute explains that whilst most companies provide an outline of the risks faced, just 32% give any measurable indicator by which shareholders can glean a full understanding of how they impact the position of the business. Such indicators can include, for instance, the number of staff who underwent cyber security training to combat possible data breaches.
The Institute says examples of more tangible measures of risk included the placing of specific values on debt and credit risk, IT risks and service levels across IT systems, and information on the amount invested and number of staff placed in training targeting the mitigation of particular risks or issues.
The Institute also found that 52% of FTSE 100 companies failed to provide any qualitative information on the changes to risks year-on-year. They do not explicitly state whether risks outlined were new, removed or had been upgraded or downgraded.
Institute Chief Executive, Dr Ian Peters, says, “A clear picture on risk is central to a full understanding of a company’s position, the quality of its earnings and potential long-term outlook. It is therefore imperative that the company has rigorous measures to assess risk and that these are reported.
“The strategic report should allow for full review of risk and mitigation strategies. Simply outlining or describing risks faced is not enough – but this is what the majority of companies currently limit themselves to.
“Full transparency means placing a tangible measure or value on the risk and providing meaningful detail on what it means for the business.”
Notes to editors:
The research focused on annual reports for 2015-16 as a company’s key annual communication, which listed companies are required to make available to all shareholders.
Internal Auditors help protect the organisations they work for by assessing whether all significant risks are properly identified, controlled and reported to the board, usually via the audit committee; and by challenging executive management to improve the effectiveness of governance, risk management and internal controls.
The IIA has been leading the profession of internal auditing since 1948 and became the Chartered Institute of Internal Auditors on 1st October, 2010. It is the only body focused exclusively on internal auditing. Its International Standards and Code of Ethics bind a global community of over 180,000 internal auditors in 170 countries and over 8,700 members in the UK and Ireland.