The new government requirement for reporting on resilience means boards will need to disclose their planned responses to risks, a recent breakfast briefing heard.
Corporate reporting on “long term” risks—as required by the government’s plan for new so-called “resilience” reporting—will present companies with tough choices about what they will reveal.
Michael Lucas, a founding partner of the risk advisory firm Brave Consultancy, told a breakfast briefing in London hosted by Diligent and Board Agenda that responding to the new reporting requirements would involve difficult decisions.
“It will represent a challenge about what you are going to disclose. What are boards going to be saying about their strategy in five to seven years that they are comfortable to put in the public domain?”
Lucas was part of a panel of experts brought together to explore implications of the resilience reports, to be introduced as part of the government’s audit reform agenda.
The initiative asks companies to disclose how they are responding to short, medium and long term risks and offer scenario analysis of major risks.
The new resilience reports are intended to incorporate the “going concern” and “viability” statements currently included in annual reports.
The resilience statement proposal comes as a result of numerous financial scandals, including the collapse of construction giant Carillion in 2018. The idea was outlined by Sir Donald Brydon in a report, Assessment of the Quality and Effectiveness of Audit, in December 2019. Sir Donald’s work was one of three major reports looking at audit, auditors and the audit market following Carillion’s demise.
The panel heard that the “long term” reporting envisaged as part of a resilience report would include: identifying and explaining the timeframe used; a summary of the trends likely to have an impact on an organisation over that period; and an explanation of the actions the organisation expects to take in response.
‘The right people doing the right thing’
Another panel member, Sonya Butters, leader of Deloitte’s assurance team in the UK, stressed the importance of internal controls to company resilience.
“What are internal controls all about? They are about making sure you’ve got good data and you’ve got the right people doing the right thing,” she said.
“All of that is part of how you are a resilient organisation who survives.”
Michael Lucas underlined the importance of internal controls and internal audit to resilience. “There will be a requirement for the internal controls team to understand which of the controls are particularly important in terms of resilience.
“And there will be a requirement for internal audit teams to focus on those areas of the business which are really important for providing mitigation to those risks and scenarios.”
Simon Henry, chair of the audit committee at mining giant Rio Tinto, was also on the panel. He said that process underlying the management of resilience would require skills currently in short supply at many organisations, especially when attempting to assess a company’s prospects over the long term.
The challenge, he argued, would be identifying the right factors without claiming certainty—“because there isn’t any”.