The pursuit of shareholder returns as the ultimate raison d'etre for a company to exist is increasingly being challenged. The recent agreement by the US Business Roundtable to drop shareholder primacy, and in the UK growing corporate governance emphasis on embracing section 172 of the 2006 Companies Act, are requiring businesses to explicitly focus on and consider the full spectrum of stakeholders that they interact with, serve and depend upon, of which shareholders are just one group.
For some progressive organisations, this may not be as drastic a change as it first appears when you consider the backdrop of external pressures and drivers already facing companies throughout the world to be better and more sustainable corporate citizens; for others, it may require profound changes to their strategies and business models. These changes also have the potential to influence many companies' Enterprise Risk Management (ERM) approach, principal / critical risk profile and external reporting disclosures. Outlined below are a few thoughts on how this could manifest and what it might mean in practice for ERM and annual reporting going forward.
Re-basing the way risks are identified
A common definition of a risk is an 'uncertain future event that can affect an organisation’s ability to achieve its objectives'. Risk identification activities therefore typically focus on the organisation's strategy and cascaded business objectives, with contextual factors such as operational footprint and relevant regulatory regimes further informing identification. But do the current strategy and objectives reflect the organisation’s broader stakeholder groups, including its employees, customers, suppliers, communities and the environment, or are they skewed towards targets that prioritise shareholder returns?
The reason this is important is that the nature of risks organisations identify often (logically) mirrors their objectives, so stakeholder considerations that are absent may result in associated risks not being captured or being deprioritised. If an organisation's stakeholder family is reflected appropriately in objectives then this should aid comprehensive risk discovery; if not, risk management practitioners should ensure that these are explicitly considered as a contextual factor in identification activities. In addition, the time horizon of risk manifestation should also be borne in mind; emerging risks, for example, can arise from changes in stakeholder experience and expectations on social and environmental trends, developments and responses, so these also need to be factored into risk identification. For more on emerging risks, refer to our blog post - https://www.mercandco.com/post/emerging-risk-management.
Stakeholder risk assessment
Risk prioritisation is typically based on evaluation of a risk’s probability and impact using defined risk assessment criteria. Depending on the impact criteria defined, this may further challenge the ability to assess stakeholder-relevant risks, particularly if the scale is solely based on financial loss. When setting such scales, consideration should now be given as to whether they support estimations of impacts on all relevant stakeholder groups and how. For example, many corporate impact scales we see will, in addition to financial loss, include criteria for assessing how a risk could affect the health and safety of employees and the public, corporate reputation, and the environment, so a number of obvious stakeholders are already covered. However, these are not necessarily nuanced to reflect wider stakeholder considerations such as employee mental well-being and community satisfaction and happiness, or may miss stakeholder considerations entirely, such as treating suppliers fairly.
A key lens to apply when scrutinising whether risk assessment scales are appropriate should therefore not only be to consider the range of stakeholders that are relevant but also the nature of how the organisation interacts with and affects them. This may require some creative thinking; metricating and baselining communities' happiness for example is no easy task, and what makes one community ‘happy’ may not be reciprocated by others. Of note is that different functions within the organisation may already have criteria and thresholds developed that can be leveraged; for example, the ongoing development of operational resilience within financial services requires consideration of customer impact tolerances and acceptability thresholds to be defined. For more on impact tolerances, refer to our blog post - https://www.mercandco.com/post/impact-tolerance-easier-said-than-done.
What are the risk trade-offs the organisation is prepared to accept when prioritising stakeholder groups, risk taking positions and responses? Is an employee more important than a customer, is a wealthy community around a corporate HQ a lower priority than those in impoverished areas; do strategic suppliers get better terms than transactional ones? Should all stakeholders be treated equally, or are some more equal than others, especially when financial pressures bite? Note that s.172 statements should include a description of how the needs of and impacts on different stakeholder groups have been translated into the company’s decisions and strategies during the year.
When done robustly, the setting of risk appetite should already consider a broad array of ‘influencers’ of the organisation's risk taking positions including the behaviours and perceptions of customers, competitors, suppliers and regulators etc. as well as shareholders. This helps to define the 'red lines’ and limits to the risk taking envelope of the organisation and inform whether trade-offs that prioritise or deprioritise the interests of different stakeholder groups, and under what circumstances, are acceptable. Although high-level appetite statements are somewhat old fashioned, there may be value in articulating a stakeholder risk appetite statement that communicates and reinforces any preferences or primacy (or lack of). Just be cognisant of how such an articulation could be perceived externally if shared / leaked.
Subject to decisions made on the evolving ERM components outlined above, the risk profile of the organisation may change, including its principal risk list and what is therefore disclosed in the annual report. For example, if new risk assessment criteria are defined for wider stakeholder considerations, and these subsequently lead to some of the new types of risks scoring as more severe than traditional financial loss / shareholder return type risks, should those new risks not be included in external disclosures, either replacing relatively less severe traditional risks, or added to an enlarged principal risk disclosure?
Readers generally prefer reporting to be concise and specific, but could dropping financial risks that may be less severe than stakeholder-focused ones in the interests of brevity backfire as non-disclosure for some readers? Is there an option to integrate or group some risks, and perhaps differentiate the sensitivity of each stakeholder group to each risk (while recognising that risk consolidation may reduce the quality of the disclosure due to loss of specificity in some cases)? There may also be opportunities to cross-refer from the s.172 disclosure, in whatever form that takes in the strategic report, to the principal risk section, showing any new threats or uncertainties identified by the organisation in meeting the needs of a broader range of stakeholders and / or in light of changing environmental or social norms and expectations.
There is arguably no right or wrong answer here as this will depend on an organisation's specific risk profile, volume and reporting style. The way an organisation considers, engages with and treats its stakeholders also has significant upside benefits, so this could further act to reinforce values it may wish to highlight as a competitive differentiator and exemplar of good corporate citizenship. The growing demand of asset managers for more information on an organisation's approach to identifying and managing Environmental, Social and Governance (ESG) risk factors is a case in point; being proactive and transparent by providing this insight as part of the principal risk disclosure, or elsewhere in the strategic report, should help to enhance credibility in the capital markets and improve investor sentiment.
It will be interesting to see how this develops in upcoming annual reporting. If you would like to discuss please comment below or drop me a line.