2. 2
ADDING VALUE TO THE BUSINESS THROUGH INTEGRATED RISK
REPORTING
A study from the perspective of the financial institutions
S. L. K. Gwebu
77325443
Field Study Report in fulfilment of the requirements for the Advanced Programme in
Risk Management (APRM05Y) at the University of South Africa
I hereby declare that the Field Study Report is my own work and that all the sources
that I have used or quoted have been indicated and acknowledged by means of
complete references.
S.Gwebu 28 October 2016
Signature Date
3. 3
Table of Content
Title Page
1. Abstract 4
2. Introduction 5
3. Problem Statement 6
4. Literature Review 7
4.1. Risk Management 7
4.2. Risk Reporting 9
4.3. Integrated Reporting 10
4.4. Value Creation 11
5. Conclusion 12
References 14
4. 4
1. Abstract
Integrated risk reporting is a modern technique which the management and boards
of successful corporations utilise to maximise and create new opportunities for
shareholder value creation. Integrated reporting is seen as important to guaranteeing
the viability of any corporate strategy and, by extension, the value creation process
and as the board’s governance role expands accordingly, so integrated reporting is
increasingly being used as a tool to understand and communicate value creation in
its broadest context. The aftermath of the financial crisis of 2007/8 on has been a
major learning point for banks and one of the key emphases is the importance of an
effective and efficient enterprise risk management model. Enterprise Risk
Management (ERM) has over the years evolved from the normal reactive approach
of historical view of loss events to a model that is proactive approach to predict the
future. Recent studies have aimed at broadening the study of risk management
holistically only up to the extent of proving ERM as a tool to eliminate and mitigate
risk events from hindering delivery of business outcomes.
As a result this study “Adding value to the business through integrated risk reporting”
is formulated in order to gain better understanding of risk management practices and
to examine the critical success factors for effective integrated risk reporting on value
creation from a financial perspective view.
The study will aim at broadening the concept of risk management from what recent
researchers have already concluded by incorporating modern techniques.
Keywords: Integrated reporting, Risk reporting, Value to business, Enterprise
risk management.
5. 5
2. Introduction
The management of risk in the financial institutions is increasing and vital for the
continuity of the business as advocated by the Basel Committee on Banking
Supervision (2003). Integrated reporting is increasingly seen as a necessary
requirement for delivering long-term value creation by businesses building
connectivity across organizations, breaking down internal barriers and enhancing
decision making. According to the International Integrated Reporting Framework
(IIRC 2013), integrated reporting aims at promoting a more cohesive and efficient
approach to corporate reporting that draws on different reporting strands and
communicates the full range of factors that materially affect the ability of an
organization to create value over time; improve the quality of information available to
providers of financial capital to enable a more efficient and productive allocation of
capital. Banks play an important part in the world economy, which became clear
during the recent global financial crisis where a number of banks were liquidated.
These typical losses can happen again if banks cease to perform their central role in
the economy, and it is therefore imperative that banks maintain their future growth
and ensure a sound risk management approach (Young 2012).
The financial crisis of 2007 is seen as a failure by banks to have proactive risk
management programs and as a result banks are investing on risk management.
Schroeck (2002) in his book titled “Risk Management and Value Creation in
Financial Institutions” argues that from a theoretical point of view, it is not
immediately clear if and how risk management at the corporate level can be useful
while another study by Stubbs and Higgins (2014) argue that while organizations are
producing some form of integrated report are changing their processes and
structures, or at least talking about it, their adoption of integrated reporting has not
necessarily stimulated new innovations in disclosure mechanisms.
6. 6
3. Problem statement and purpose of the study
In this study we explore how financial institutions can use integrated risk reporting to
add value to the business. This has been necessitated by the confusion regarding
the level and accuracy of risk reporting and how the reports are to be handled
(Capitec 2013). According to the King Report on Governance for South Africa
(2009), by issuing integrated reports, a company increases the trust and confidence
of its stakeholders and the legitimacy of its operations. It can increase the company’s
business opportunities and improve its risk management. By issuing an integrated
report internally, a company evaluates its ethics, fundamental values, and
governance, and externally improves the trust and confidence which stakeholders
have in it. The report recommended integrated sustainability performance and
integrated reporting to enable stakeholders to make a more informed assessment of
the economic value of a company. Integrated risk reporting entails the use of Key
Risk Indicators (KRIs) and Key Performance Indicators (KPIs) in measuring the
current performance of the business and sustainability against the emerging risk.
Value creation is not only about product innovation, meeting sales target, but value
creation also includes to a greater extent the integrated reporting which will give
confidence to all stakeholders.
The boards of directors as a third line of defense have a fiduciary to protect all
stakeholders’ interest given that they have been presented with enough information
for decision making. Financial institutions deploy risk champions in the business
units who will collect key risk data and put together a report for the central risk unit,
from the central risk unit a board report will be formalized and tabled to the executive
committee. From the executive committee this risk report will go to the board where
decision will be taken. Boards are constantly discussing if there is value in investing
in risk management and Ernest and Young (2014) examines the theory of integrated
risk reporting.
7. 7
4. Literature review
Researchers have explored the value creation purpose through integrated risk
reporting. Hatch (2013) is of the view that risk and value management are
interrelated functions and processes with value management considering the best
way to deliver the need or benefit and risk management being used to assist in
choosing the best solution and the management of the delivery risks to achieve the
expected benefit. Enterprise Wide Risk Management (EWRM) approach to risk
management and value creation must be adopted for efficiency (Bank for
International Settlements – BISS 2003)
Figure 1: Enterprise Wide Risk Management Drivers
(Source: Manab et al. 2010)
Chartered Institute of Management Accountants (CIMA 2011) provided some
insights on how it is possible to link risk to performance management through top
management reporting.
4.1. Risk Management
As with the definition of risk, there are equally many accepted definitions of risk
management in use as presented by many researchers in this field (IOSCO 1997,
Casualty Actuarial Society 2003, COSO 2004, Cumming et al. 2001, Hillson 2006).
Some describe risk management as the decision-making process, excluding the
Corporate Governance Improve communication
Regulation Globalization
Technology
Advancement EWRM
Shareholder
requirements
Competitive advantage Complexity of risks
Corporate companies’ failures Good business practices
VALUE CREATION
8. 8
identification and assessment of risk, whereas others describe risk management as
the complete process, including risk identification, assessment and decisions around
risk issues. According to Berg (2010), risk management is an activity which
integrates recognition of risk, risk assessment, developing strategies to manage it,
and mitigation of risk using managerial resources. The perception of risk in
contemporary times is changing. In the past, risk is seen negatively, while in
contemporary times, risk is viewed in either a positive or negative fashion in
response to outcomes of a myriad of events and because of the duality perspectives
of risk as both positive and negative, stakeholders need more information on risk
disclosure to make business and investment decisions and better understand
companies’ social responsibility positions (Social Responsibility Journal 2013).
Management of risk is not just ownership but responsibility, risk management entails
high levels of data integration and consideration of the interrelation of risk types for
efficiency and effectiveness in reporting. Cumming et al. (2001) affirms that risk
management involves not only an attempt to quantify risk across a diversified firm,
but also a much broader process of business decision making and of support to
management in order to make informed decisions about the extent of risk taken both
by individual business lines and by the firm as a whole. Integrated risk management
addresses risks across a variety of levels in the organization, including strategy and
tactics, and covering both opportunity and threat. Effective implementation of
integrated risk management can produce a number of benefits to the organization
which are not available from the typical limited-scope risk process (Hillson 2006).
The critical component to analyse is “Where does risk management sit in an
organisation?” However, this cannot be answered by not first addressing another
question “Where is the risk?” In order for risk to be effectively managed one needs to
understand the business, the core functions and expected outcomes. From these
variable risk will be identified and the risk owner will be easily identified and this is
where risk management sits (Duckert 2011). The risk management objectives should
be clearly defined and correspond with the parameters measuring the main goal of a
company (Wieczorek-Kosmala 2011). In Capitec’s view, risk management as a
means of ensuring that sustainable value is created for stakeholders in a responsible
manner (Capitec 2013). Wieczorek-Kosmala in his study acknowledges that the idea
9. 9
of the risk management integration is growing on importance nowadays. The primary
objective of risk management is to ensure the ongoing existence of the company
(Stiller and Joehnk 2014)
4.2. Risk Reporting
Society of Actuaries (2005) broadens the study of effectiveness of risk management
strategies to protect the organisation with special focus on the reporting the risk to
the board. There is a general concern about what should be in a risk report as often
the preparers of this report provide less information and the users of the reports want
more of this information (Association of Certified Chartered Accountants - ACCA
2014). Risk reporting is a critical function of risk management as informed decision
making flows from good operational risk reporting (Blunden 2013). Duckert (2013)
further highlights that the usage of data or facts will lead to rapid and accurate
evaluation of risk and timeliness of reporting that cannot be achieved by any means.
An effective risk reporting model is one inclusive off all risk associated with the
business, consist of qualitative and quantitative data, proactive rather than reactive
and must be data-centric (Duckert 2013).
From the model of integrated risk reporting it is critical to deviate from the norm that
the audience of the report will determine the level of the report, the report is the basis
of decision making at all hierarchal levels of the company and as such the reporting
should inform all stakeholders. There is no value created from a thumb sucked report
as this is highly likely to misinform the board. High-quality risk reporting increases
investor confidence, not just in terms of the risks being discussed, but also in the
overall quality of management (ACCA 2014). Duckert (2011) argues that risk
reporting can be summarised using the concept of risk assessment which constitutes
the identification of risk, calculating the probability of occurrence and determining the
impact or exposure. However, the ACCA (2014) study provides a broader outlook of
risk reporting, the user wish list of the risk report constitutes: identification of the key
risks the company faces, preferably in plain English; an explanation of why
management believes these risks to be critical; an explanation of why management
10. 10
believes these risks to be critical; identification of emerging and new risks and an
explanation of how management assesses risk throughout the year.
4.3. Integrated Reporting
During the recent global financial crisis it became clear that risk reports were either
taken for granted or that the reports did not provide sufficient enough information for
accurate and timely decision making and we have seen the hike in regulatory fines
within the financial institutions mostly attributed to risk management failure.
Integrated reporting is the latest reporting innovation, emerging in 2010 with the
formation of the International Integrated Reporting Council (Stubbs and Higgins
2014). Integrated reporting builds on the practices of Financial Reporting, and
Environmental, Social and Governance Reporting, and equips companies to
strategically manage their operations, brand and reputation to stakeholders and be
better prepared to manage any risk that may compromise the long-term sustainability
of the business (KPMG 2011). The consequences of the fines have lead to
liquidations, unquantifiable reputational losses and significant decline in market
share. Board members are best placed to ensure overall organizational and cultural
alignment and to achieve the benefits that come from effective reporting practices.
Investors may not yet routinely request integrated reports, but this should not be a
reason for boards to delay starting their integrated reporting journey. Investors say
they have more confidence in management when they gain a clear picture of the
business from reporting (IIRC 2014). Whilst this concept has been adopted in many
institutions there has been some criticism by some researcher for its focus on
financial capital providers to the detriment of the information demands and needs of
other key stakeholders (Cheng et al., 2014).
11. 11
4.4. Value Creation
Figure 2: Integrated view of value creation in banks.
(Source: Schroeck: Risk Management and Value Creation in Financial Institutions)
According to Hatch (2013) Investors are seeking the best risk weighted investment
return for their capital with a risk profile that is congruent with their tolerable risk
level.Effectively managing or controlling the factors that cause risk can result in
market leadership, increase in company growth and investor confidence (Manab et
al. 2010). Jensen (2001) argues that creating value takes more than acceptance of
value maximization as the organizational objective. As a statement of corporate
purpose or vision, value maximization is not likely to tap into the energy and
enthusiasm of employees and managers to create value. Seen in this light, change
in long-term market value becomes the scorecard that managers, directors, and
others use to assess success or failure of the organization. The choice of value
maximization as the corporate scorecard must be complemented by a corporate
vision, strategy and tactics that unite participants in the organization in its struggle for
dominance in its competitive arena.
The retail department of one of the leading bank was in the process of introducing a
new investment product of the bank, from the product research conducted the results
were clear that this product was to be launched immediately, the department called
in all the stakeholders for a project scoping meeting and the risk department was
12. 12
excluded as it was viewed as business disabler. The product was eventually rolled
out to the market at significant costs to the company, without a proper risk
assessment for board approval and no regulatory approval granted. The product did
not yield the expected outcomes, customer complaints and claims increased and the
regulator fined the bank heavily. The board instituted investigations and one of the
key findings was that a risk assessment was not conducted on the product which
could have highlighted the significant flaws and provided solutions for a safer product
to create the value it was intended for. The three lines of defence in risk
management working collectively can achieve results far beyond the management of
risk.
The biggest benefits of integrated reporting will not come from being compliant or
from attracting investors, they will come from the discipline of needing to think, plan
and manage in a more integrated way and this will help companies achieve the
agility and flexibility they need to respond to change and seize opportunities in an
increasingly transient world (IIRC 2014). Ranesh et al. (2012) concluded that bboth
risk management and value management are considered to be best practice in
project management and enable organizations to define objectives when delivering
complex projects whilst reducing risk and maximizing value.
5. Conclusion
The risk culture incorporated with integrated reporting can achieve results far beyond
the management of risk, it creates a culture of integrated thinking and integrated
decision making where everyone understands and operates on the culture. As
affirmed in the Capitec (2013) report that integrated risk management can be utilised
in aligning strategy, processes, people, technology and knowledge with the purpose
of evaluating and managing opportunities, threats and effectively balancing risk and
controls. Value Management and Risk Management are key enablers and
interrelated processes for successful decisions and delivery of benefits for an
organization (Hatch 2013). Any organization that continuously identifies and pursues
growth and expansion opportunities will unlock and create value for its stakeholders
as affirmed by (Mpact 2015, Ranong et al. 2009). Regulators are strengthening their
13. 13
grip on financial institutions in as far as corporate governance as a result of the
recent global financial crisis, the reporting hierarchy in the banking industry has been
put under spotlight with regulators constantly dictating on what is to be reported in
the risk reports and the ownership of those reports.
It is my conclusion that integrated reporting will create a platform of innovative ideas
to give any organisation a competitive advantage over its competitors. The users of
the reports rely on the creators of the reports for accurate and timely decision
making that will add value to the long-term strategic objectives of the business.
Therefore, a well sponsored corporate governance framework with emphasis on
integrated risk reporting will not only be a function used for the risk universe but will
now be used as a business enabler in value creation.
14. 14
References
1. Association of Chartered Certified Accountants, 2014. Accountants for
Business; Risk Reporting.
2. Bank for International Settlements, 2003. Basel Committee on Banking
Supervision, the Joint Forum; Trends in Risk Integration and Aggregation.
3. Berg, H. 2010. Risk Management: Procedures, Methods and Experiences.
June 2010.
4. Blunden, T., Thirlwell, J. 2013. Mastering Operational Risk. 2nd
Edition.
Harlow Pearson Education Ltd.
5. Capitec Bank Holding, 2013. Integrated report
6. Casualty Actuarial Society. Overview of Enterprise Risk Management. May
2003.
7. Chartered Institute of Management Accountants, 2011. Integrating Risk and
performance in Management Reporting. Volume 7, Issue 5.
8. Cheng, M., Green, W., Conradie, P., Konishi, N. and Romi, A. 2014. The
international integrated reporting framework: key issues and future research
opportunities. Volume 25, Issue 1.
9. Committee of Sponsoring Organizations (COSO). Enterprise Risk
Management—Integrated Framework: Executive Summary. COSO, New
York, 2004.
10.Cumming, C.M., and Hirtle, B.J. 2001. The Challenges of Risk Management
in Diversified Financial Companies.
11.Duckert, G.H. 2011. Practical Enterprise Risk Management: A Business
Process Approach. John Wiley & Sons, Inc., Hoboken, New Jersey.
12.Ernest and Young Global Limited, 2014. Integrated Reporting; Creating Value.
13.Hatch 2013. Integrated Risk and Value Management for Decision Making on
Projects.
14.Hillson, D. 2006. Integrated Risk Management as a Framework for
Organizational Success.
15.Institute of Director Southern Africa, 2009. King Report on Governance for
South Africa
16.International Integrated Reporting Council, 2013. International Integrated
Reporting Framework.
15. 15
17.International Integrated Reporting Council, 2014. Creating Value; Value to the
Board.
18.International Organization of Securities Commissions (IOSCO), 1997.
Financial Risk Management in Emerging Markets Final Report.
19.Jensen, M.C. 2001. Value Maximization, Stakeholder Theory, and the
Corporate Objective Function.
20.Manab, N.A, Kassim, I., and Hussin, M.R. 2010. Enterprise-Wide Risk
Management (EWRM) Practices: Between Corporate Governance
Compliance and Value Creation.
21.Monika Wieczorek-Kosmala 2011. Beyond Standardization: Remarks on the
recent approaches to the integrated risk management implementation.
22.Mpact 2015. Risk Management Review.
23.PWC, 2015. Integrated Reporting; Where to Next.
24.Ranesh, A., Zillante, G., and Chileshe, N. 2012. Towards the Integration of
Risk and Value Management.
25.Ranong, P., and Phuenngam, W. 2009. Critical success factors for effective
risk management procedures in financial industries.
26.Schroeck, G. 2002. Risk Management and Value Creation in Financial
Institutions. John Wiley & Sons, Inc., Hoboken, New Jersey.
27.Social Responsibility Journal Vol. 9 Issue 1 2013: Risk disclosure during the
global financial crisis.
28.Society of Actuaries, 2005. Risk Management; Developing Effective Risk
Management Strategies to Protect your Organization.
29.Stiller, D., Joehnk, P. 2014. Risk Management in Companies: A Questionnaire
as an Instrument for Analysing the Present Situation
30.Stubbs, W., Higgins, C. 2014. Integrated Reporting and Internal Mechanisms
of Change.
31.Young, J. 2012. International Conference; Improving Financial Institutions:
The proper balance between regulation and governance.
32. www.kpmg.co.za: Integrated reporting; Understanding the requirements.