Many Canadian companies need to clean up their acts when it comes to disclosing the risks they face.

The Canadian Securities Administrators have issued reports noting recurring risk disclosure “deficiencies” in the management’s discussion and analysis that accompanies financial statements of Canadian public companies, according to a report published in March by the Canadian Institute of Chartered Accountants.

“Securities regulators’ reviews of MD&As have frequently identified risk disclosure as an area of improvement for the majority of issuers,” the CICA report states. “For example, securities regulators in Ontario have noted that ‘analysis of risks and uncertainties continues to be a weak area’ — regulations require in the MD&A ‘an analysis of how material risks and uncertainties may affect the business, not just a description of the risks’.”

According to an Ontario Securities Commission staff notice, many companies either did not disclose risks at all, or they simply provided a list of risks without including a detailed analysis of how they might affect finances and operations.

“I don’t see a whole lot of sense in just dumping a laundry list of risks,” says David Stephen, a consultant to the CICA who is knowledgeable about enterprise risk management.

Additionally, not coming clean on its vulnerabilities could damage a company in the eyes of potential shareholders, the CICA report states: “Investors may interpret the quality and transparency of risk disclosure as a reflection of the quality of management and corporate governance.”

“ERM is the only way to get under the hood of a company,” says Jim Thomson, a principal with consulting firm Towers Perrin in Hartford, Conn. And Trevor Mapplebeck, a partner in Toronto with New York-based consulting firm Oliver Wyman, says a firm should reveal how material the risk is to the bottom line.

“Key to that is not just a statement of, ‘Here are the risks we face.’ It could have an effect on performance and, therefore, stock price,” Mapplebeck says, noting the company should be explaining how it is measuring, quantifying and integrating risk into its business strategy and operations.

“The better the information around the risk, the better informed the investor will be,” Mapplebeck says.

Although the MD&A is usually viewed by investors as insights from the CEO and chief financial officer, there is another C-level executive they may want to take a look at — the chief risk officer.

CROs are responsible for making sure companies identify, analyse and deal appropriately with risk, generally using the process known as enterprise risk management, or ERM. Think of them as portfolio managers, but instead of assets, they manage a portfolio of uncertainties.

Companies without CROs might hand the responsibility to the CFO or hire a chartered enterprise risk analyst, a designation just established by the Society of Actuaries last year.

— LAURA BOBAK