Financial disclosures should be tailored to the business and written clearly and concisely for the investor. They shouldn’t be verbose, overly complex reports that don’t meet the investors’ needs and are the product of legal and compliance departments.
“Risk factors have taken on the dynamic of sitting in the corner of the legal department, and the corner of the financial reporting, and have become more of [a] protective type of communication rather than [a] communicative document,” said Sam Eldessouky, senior vice president and corporate controller, Valeant Pharmaceuticals, at a recent Pacesetters in Financial Reporting presentation in New York City.
Indeed, as a result of differing objectives of the legal department and financial reporting, disclosures can fail to be the effective tools for investors they should be. To combat this, disclosures should be continuously updated, based on factors unique to the business, concise, and written in plain English.
According to a recent study by the Investor Responsibility Research Center Institute (IRRCi) and EY, “There is an opportunity for companies to streamline language around common risk factors and to offer more insightful, company-specific information. For risks that are particularly important, a company could enhance its disclosures by providing more descriptions of its risk mitigation efforts.”
Tailored to the company
Risk factors should be very company-specific and not boilerplate. In practice, however, many are generic, unclear, overly voluminous, and not particularly helpful in understanding the true risks of the company.
Unfortunately, many companies view disclosure preparation as a check-the-box type of exercise, instead of detailing the unique risk factors that are relevant and representative of their business.
Panelist Jonathan Nus, executive director, EY, shared that, although comparability exists within an industry, in looking at disclosures of the top 10 companies within an industry, risk factors are overly consistent and comparable because they copy each other.
“I think where it falls apart a lot of times is that risk factors are treated more like a photograph rather than a movie. The disconnect is really between risk factors and a risk profile of a company. Once upon a time, it was very easy to compartmentalize companies within a sector.”
Companies can also fall into the habit of simply carrying forward disclosures from year to year without reassessing their continued relevance. “To the extent that the business profile and the risk profile of a company is changing, the risk factors just aren’t keeping up,” said Nus. “I think what’s happening is that there are some companies that are taking the lead in terms of connecting the dots, and making sure that the KPIs are aligned, the business model is aligned, their key metrics are aligned, but I think a lot of times it’s still treated in silo. I think that’s a major challenge.”
Clearly and concisely for the investor
Zeroing in on the risk factors that are unique to the business is an effective way that companies are reducing the number of risk factors. By identifying risks specific only to them, or combining some closely related risks, readers can better focus on and process the information that matters most to them and help streamline financial reports.
Valeant’s Eldessouky said companies should be thinking about the 10Q as not just a compliance document, but as a communicative document. The focus should be: What kinds of information around risk and risk management are investors looking for?
Moderator Keith F. Higgins, chair, Securities & Governance Practice, Ropes & Gray, and former director, SEC Division of Corporation Finance, explained, “If I were an investor, I’d want to know: How is the company going to be run in the longer term so that my investment will continue to grow and the company I’ve invested in will be able to respond effectively to things that it can’t always anticipate?”
On the lengths of disclosures, Eldessouky shared, “It is growing: 22 risk factors on average, and the average section in the filing is eight pages long. Another study found that the length of risk factor disclosure increased 85% relative to the rest of the 10K. It’s an area where there’s certainly a lot being disclosed. I still think they are somewhat overwhelming.”
Who owns the disclosure?
A reason that the length and complexity of disclosures has increased is that the preparers may have different objectives. On the legal side, disclosed risk factors can serve as mitigating factors if a lawsuit is brought against the company (e.g., if the securities don’t perform as well as expected, the investor was warned of such an outcome). On the financial reporting side, risk factors are intended to describe possible circumstances that could make investing in the company risky or speculative.
“When it comes to risk, there’s not one measure,” said Eldessouky. Members of the financial reporting team, the legal team, and operations may have different points of view on what is risky, and how risky it is. “Trying to balance the different views, what the risk is and putting it into risk factors, I think that’s where the disconnect starts happening in terms of where we are today in terms of how companies outline risk factors.”
Lori Zyskowski, partner, Gibson and Dunn, admitted that risk-factor disclosure is largely driven by the fear of securities litigation. Risk factors are used by companies to protect themselves from being sued for making statements about the future, such as forward-looking statements.
“There’s boilerplate forward-looking statement language in everybody’s 10K that looks at all of the factors and makes sure that the risk factors are also covered,” said Zyskowski. “The problem with that is it enhances the desire to make the risk-factor disclosure longer, and to make it as all-encompassing as possible. The issue is: It’s not as effective if it’s not tied to the company’s actual risks, and if it’s boilerplate and not specific. Quite frankly, the requirements under the rules are to make it specific to the company and not boilerplate. What companies can do is really think about whether or not the risks that they’re listing and describing are truly risks of the company, or whether they’re remote risks.”
Learn how to simplify GRC with automated functions that integrate with your existing processes.
This article originally appeared in FEI Daily and is republished by permission.