Risk Management and Integrated Reporting

When it comes to organizational risk assessment, financial risk assessment (and management of financial risks) comes as top one, followed by work accidents risk prevention and physical security risk assessment and management especially for objects and plants that are more vulnerable regarding crime or terrorist attacks.

Taking only these three risk domains in account there are three specialized groups of experts dealing with respective risks, evaluating them and preparing and executing respective measures to prevent or adapt financial, workforce or physical accidents. From three of them only financial risks are really integrated in business plans, models and reports, while other two are represented only in financial plans on profit and loss side while sometimes mentioned but not integrated into balance reports.

While there are perhaps some exemptions from the common situation briefly presented above, majority of organizations deal with risk on assessment and prevention level so that costs of assessment and prevention of various risks is included in Profit and Loss statements (P&L) but not in Balance sheet statement. Risks are evaluated as costs, but not explicitly as market values or liabilities.

Let us check Investopedia. Under liabilities where assessment of risks are/should be found Investopedia lists:

Current liability accounts might include:

  • Current portion of long-term debt
  • Bank indebtedness
  • Interest payable
  • Rent, tax, utilities
  • Wages payable
  • Customer prepayments
  • Dividends payable and others

Long-term liabilities can include:

  • Long-term debt: interest and principle on bonds issued
  • Pension fund liability: the money a company is required to pay into its employees’ retirement accounts
  • Deferred tax liability: taxes that have been accrued but will not be paid for another year; besides timing, this figure reconciles differences between requirements for financial reporting and the way tax is assessed, such as depreciation calculations

And that is all! One can only find liabilities related to financial capital and financial liabilities related to financial part of workforce, with not even a hint about other two already mentioned domains of risks and liabilities connected to risks.

Before we take a step towards an obvious conclusion that organizations should find a way how to asses liabilities, let us upgrade a list of possible risks and liabilities. We already know that each sane investor in fact intuitively if not rationally asses such all liabilities and not financial only when purchasing shares or enter in any other transaction with organization. We all assess organizations holistically, trying to take in consideration all possible risks on all possible levels. I cannot mention all of them, since there are too many. In the next paragraph there are links to various resources and conferences that I have compiled in 10 minutes.

International Conference on Risk Assessment (in Health). Toxicology and Risk Assessment Conference. Trust and Reputation Risks. Defence &HSL conference. Cybersecurity. Workforce Legal Risks. Intellectual Property at Risk. Machine Safety Risk Assessments. Safety Leadership Conference. Etc. Etc.

My purpose was not to be exhaustive in listing, but to point out the existence of many other possible risks and with that enable liabilities to become tangible. While some of them are industry specific, many of them pertain to every possible organization even though their manifestation differ from one organization to another in accordance to respective business model of each organization.

My point is that risks on all levels should not only be evaluated as costs but at the same time as liabilities expressed in words and numbers on balance report previously conceptualized through integrated reporting process.

In confronting such integrated reporting system and integrated balance report we face two kinds of challenges:

  1. To identify specific threats/risks/liabilities for each important business model mechanism that runs values addition to each of six capitals.
  2. To take in account that each of respected mechanisms acts not on its own, but is dependant on results of all other mechanisms of business model.

First task is easier to accomplish. One should simply start to dig into each business model process and decide about critical points (KPI) that add most to the success of that specific process and with that to the business model as a whole.

There is no extrinsic rule how to select most important critical points since there exist no general rule for, as much as also general business model does not exist. Each business model is unique as much as each human is unique regardless majority of us have two legs, lungs and brains. There is no outside help available to define a model according to which each of us develop as human being. Integrated reporting practice and theory only points to most common places where KPI are to be found, but each capital exerts its values uniquely. Six predefined capitals are there only to help us define overall capital value. But again there is no extrinsic rule even for the number of capitals existing. One could easily go for more capitals by finding smaller capital entities existing within six capitals defined by IR procedures.

So for the beginning we know that not only financial, but as well manufactured, intellectual, human, social and natural capitals should be defined through business model mechanisms so that each mechanism tackles at least one of six capitals and that at the end each capital is defined or included into at least one business model mechanism.

Let me stress at this point that I strongly believe that one should not take such mechanistic view on business modelling as explained above. Organization is much more than a sum of distinct processes digitally describable. But for the sake of risk assessment and risk management one should at least pretend to have a mechanic control over each procedure. The crucial point happens in transformation of risk management that is represented as cost into liability represented as value in balance statements. It is that transformation that at the same time transforms digital/mechanistic view of organization into analogue integrated thinking of organizations as holistic organisms.

The transformation from cost to value, from profit and loss statement to balance statement, from digital to analogue, happens through mechanisms tackled by the second task: to understand and describe (as much as possible) interdependence of all critical points.

Let me give you an example: Physical security of nuclear plant depends on:

  • Human ability of security staff.
  • Quality of products integrated in security systems.
  • Added value (profit) created by a plant and allocated to security systems.
  • Local community relations that represent first shield of nuclear plant security.
  • Appreciation of natural resources like water that cools nuclear plant reactor.
  • Number of experts produced by educational system available for nuclear plant.
  • And so on and so on.

It is quite obvious that each of mentioned values/risks/capitals depends further on all other mentioned and unmentioned capitals. The number of interdependencies is so vast that it (the number) produces rationally not expected results, emergencies. Emergency is a necessary result of any complex system like human being or organization, a result of vast number of interdependencies. One example of such emergency on organizational level is balance report.

It should now be clear that the main challenge in integrated reporting is not only to identify risks attached to creation of value of each capital, but to report about risks in a manner that takes in account complexity of relations that in the end result in balance reports.

It also comes as a necessary result that organization should not separate identifications and evaluations of various risks. While it is necessary that specialists manage risks, identification and evaluations should be understood holistically. I would like to be evaluated by holistic doctor, treated by highly specialized surgeon and then at the end evaluated by holistic doctor again. When managed, nuclear reactor should be guarded by highly specialized security force that has not much time to think since they have to act fast and reliable. But the task to evaluate complexity of risks involved in nuclear reactor security and to evaluate results should be addressed by experts in holistic, integrated thinking that understands emergencies that happen by default in complex systems.

Andrej Drapal