Risk Management and Integrated Reporting

In organisational risk assessment, financial risk assessment (and financial risk management) comes first, followed by occupational injury risk prevention and physical security risk assessment and risk management, especially for properties and facilities that are more vulnerable to crime or terrorist attacks.

Considering only these three risk areas, there are three specialised groups of experts dealing with the respective risks, assessing them, and preparing and implementing appropriate measures to prevent or adjust financial, personnel, or physical accidents. Of these three, only the financial risks are integrated into business plans, models and reports. The other two are present in financial plans only on the profit and loss side and are sometimes mentioned but not integrated into balance sheet reports.

Although there may be some exceptions to the general situation briefly outlined above, most organisations deal with risks at the measurement and prevention level. The costs of measuring and preventing various risks are included in the income statement (P&L), not in the balance sheet. Risks are measured as costs but not explicitly as fair values or liabilities.

Risk detection

Investopedia lists the following under liabilities, which is where the measurement of risks is, or should be, found:

Current liabilities may include:

  • Current portion of long-term debt
  • Bank debt
  • Interest payable
  • Rent, taxes, utilities
  • Liabilities from wages
  • Advance payments from customers
  • Dividends payable and other

Non-current liabilities may include:

  • Long-term debt: Interest and interest on bonds issued.
  • Pension fund liabilities: the money a company must pay into its employees’ retirement accounts.
  • Deferred tax liabilities: Taxes that have been accrued but will not be paid until another year; in addition to timing, this figure adjusts for differences between financial reporting requirements and how taxes are measured, such as when depreciation is calculated.

And that’s it! You’ll find only liabilities related to financial capital and to the financial side of the workforce, without even a hint of the other two risk areas already mentioned or of liabilities that relate to risks.

Before we take a step toward the apparent conclusion that companies should find a way to value liabilities, let’s update a list of possible risks and liabilities. We already know that any rational investor intuitively, if not rationally, evaluates all liabilities, not just financial ones, when buying stock or entering into any other transaction with an organisation. We all evaluate organisations holistically and try to consider all possible risks at all possible levels. I can’t mention all of them as there are too many. In the next section, you will find links to various resources on possible risks compiled in 10 minutes.

International Conference on Risk Assessment (in Health). Toxicology and Risk Assessment Conference. Trust and Reputation Risks. Defence & HSL conference. Cybersecurity. Workforce Legal Risks. Intellectual Property at Risk. Machine Safety Risk Assessments. Safety Leadership Conference. Etc.

Liabilities in integrated reporting

My intent was not to provide an exhaustive list but to point out many more potential risks, making liabilities tangible. While some of them are industry-specific, many of them affect every possible organisation, even if their manifestation varies depending on each organisation’s business model.

My point is that risks at all levels should be assessed as costs and liabilities, expressed in words and figures in the balance sheet report previously designed through the integrated reporting process.

In dealing with such an integrated reporting system and an integrated balance sheet report, we face two types of challenges:

  1. To identify specific threats/risks/liabilities for each key business model mechanism that provides value in addition to each of the six capitals.
  2. To consider that each of the considered mechanisms does not act alone but depends on all other business model mechanisms.

Business model and risks

The first task is easier to accomplish. One should start by delving into each business model process and determining the critical points (KPIs based on materiality) that contribute most to that specific process’s success and thus to the business model as a whole.

There is no extrinsic, general rule for selecting the most important critical points, just as there is no general business model. Each business model is unique, just as each person is unique, even though most of us have two legs, lungs, and brains. There is no outside help to define a model by which each of us evolves as human beings. The practice and theory of integrated reporting only point to the most common places to find KPIs, but each capital exercises its values uniquely. The six predefined capitals are only there to help us define the overall value of the capital. But again, there is no extrinsic rule for the number of capitals present. One could easily find more capitals by finding smaller capital units within the six capitals defined by IR procedures.

So for starters, we know that not only financial but also produced, intellectual, human, social, and natural capitals should be defined by business model mechanisms so that each mechanism tackles at least one of the six capitals, and that in the end, each capital is defined or contained in at least one business model mechanism.

The holism of risks

Let me emphasise here that I firmly believe that one should not take such a mechanistic view of business modelling as explained above. The organisation is much more than a sum of individual processes that can be described digitally. But for the sake of risk assessment and risk management, one should at least pretend to have a mechanical handle on the individual processes. The crucial point happens in the transformation of risk management, represented as a cost, into a liability, represented as a value on balance sheets. This transformation simultaneously transforms the digital/mechanistic view of the organisation into analogue integrated thinking of organisations as holistic organisms.

The transformation from cost to value, from the income statement to balance sheet, from digital to analogue, occurs through mechanisms addressed by the second task: to understand and describe (as much as possible) the interdependence of all critical issues.

Let me give an example: The physical safety of a nuclear power plant depends on:

  • The human skills of the safety personnel.
  • The quality of the products that are integrated into the safety systems.
  • The value-added (profit) created by a plant and attributed to the safety systems.
  • Relationships with the local community, which is the second shield for the nuclear power plant’s safety.
  • Appreciation of natural resources such as water that cools the reactor of the nuclear power plant.
  • Number of experts that the educational system provides to the nuclear power plant.
  • Safety and other management procedures.
  • And so on.

Each of the mentioned values/risks/capital depends on all the other mentioned and unmentioned capitals. The number of interdependencies is so great that it (the number) produces rationally unanticipated outcomes, emergencies. Distress is a necessary outcome of any complex system, such as a human or an organisation, due to many interdependencies. An example of such distress at the organisational level is the balance sheet report.

It should now be clear that the main challenge in integrated reporting is to identify the risks associated with adding value to each capital and report on the risks in a way that considers the complexity of the relationships that ultimately lead to the balance sheet reports.

This also results in the need for the organisation not to separate the identification and assessment of the various risks. While the specialists must manage the risks, the identification and assessments should be understood holistically. I want to be assessed by a holistic doctor, treated by a highly specialised surgeon and then assessed again by a holistic doctor at the end. Nuclear reactor management should employ highly specialised safety personnel who don’t have much time to think because they have to act quickly and reliably. But the task of assessing the complexity of the risks associated with the safety of a nuclear reactor and evaluating the results should be undertaken by experts in holistic, integrated thinking who understand emergencies that occur by default in complex systems.

I hope it is clear that holistic risk management applies to all businesses and not only to nuclear power plants.

Andrej Drapal