Risk Managers Must Prevent Investor Surprises

Chief risk officers must identify emerging risks to prevent investor surprises and potential shareholder litigation.


It is no secret that surprises that affect a company's results are anathema to investors. Negative surprises naturally upset investors, but even positive surprises can do the same. This holds for individual retail investors as well as for investment managers and analysts. For retail investors, a negative surprise can result in share price declines and possibly dividend declines in their holdings. For investment managers, a negative surprise can result in the same issues but can also damage their credibility if their buy/sell ratings are not aligned with the new reality that the surprise created. Likewise, a positive surprise can hurt their credibility if it is misaligned with their ratings.

Chief risk officers know that when a risk is not identified or is not well managed, it can lead to a surprise affecting company performance. When companies practice true enterprise risk management (ERM), all types of risks are identified, prioritized, and managed, with a heavy emphasis on those that can materially affect the company's ability to meet its strategy and financial goals. In addition, ERM has the remit to identify emerging risks, those that are less obvious and less developed. To optimize the ERM process, the chief risk officer needs to be part of strategic discussions, be knowledgeable about what is going on throughout the organization and in the macro environment, be up to date on key performance indicators (KPIs), and be involved in new initiatives, or important risks could be missed.

Ultimately, risk management's input to the board of directors and senior management is essential so that a comprehensive understanding of company risks, including potential surprise areas, is created at the highest levels. With that understanding comes an enhanced ability to fine-tune what is released in public disclosures and reporting documents.

Public companies are used to filling out SEC-required forms and reports. The SEC's Form 10-K (Sections 1A and 7A) and Form 20-F both require disclosure of risks. This content gets a lot of attention from regulators and investors. For many companies, filling out these sections has become almost rote. When reading the filings of companies in the same industry, the content barely varies from company to company. Of course, companies do list some risks unique to the company. Generally, though, companies are less likely to list a unique risk that they are trying to resolve before it becomes too big or too public. Finally, companies cannot and do not list risks they have not even identified.

Did a tech giant adequately recognize or report the risk of its consumer demand falling in China before it was sued by shareholders? Did a coffee producer and retailer realize that the meager reporting of its risks relative to its massive China expansion plans would result in a shareholder class action? Did a well-known consulting firm recognize or report the risks involved in consulting with drug makers to increase sales of opioids before it faced shareholder dissatisfaction? Did a beer producer realize or report that a new marketing initiative might not go as planned or might even backfire to result in a drop in sales? Did a healthcare company realize or report the full extent of the risks with its AI initiatives before regulators started looking into its practices? If they did identify the risks and did report them, then their investors had a chance to consider the possible effects of the risks. However, if the risks were not recognized, then the board and senior management did not get a chance to mitigate them or determine if they should be disclosed. And, if not disclosed, then any surprise they caused that hurt company results would very likely be received with dissatisfaction among investors.

Situations like the ones described above carry the potential for deleterious effects on share price, sales revenue, reputation, and shareholder litigation. In terms of shareholder litigation vis-à-vis unreported risks specifically, the April 2024 U.S. Supreme Court ruling, in Macquarie Infrastructure v. Moab Partners, LP, held that "a corporation's failure to disclose certain information about its future business risks, without more, cannot form the basis of a private securities fraud claim under Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5." That does not shield corporations completely from lacking transparency about their risks. Suits can still be attempted despite this ruling, and liability remains if reported risks are represented inaccurately, such as when a risk is not expressed at the right level of materiality or a risk is made to seem like a future risk but is actually currently present.

Clearly there is a distinction between what must be reported due to regulations and what could be reported to guard against surprising investors. The universe of risks that must be reported -- for example, those related to cyber incidents and environment/climate impacts -- is smaller than the universe of risks that could be reported. Nevertheless, nothing stops investors from trying to sue regardless of their chances of prevailing, and nothing stops investors from fleeing a company that has failed to be transparent about its risks. The current plethora of shareholder actions attests to this.

Questions posed at company earnings calls have shown that investors are paying attention to the risks companies choose to disclose or risks they suspect the company may be susceptible to. These investors know that a company that recognizes and addresses its risks is one that can avoid surprises better than others that do not. Transparent companies tend to be valued more favorably than those that are not transparent.

None of this is to say the chief risk officer should be the one deciding on what the company does or does not report. Nor is the point that the chief risk officer is solely responsible for addressing risk. Specific risk owners and senior management are primarily responsible for doing that. The point is that risk management, as a function, has a key role in identifying risks, including risks that may not be quite so obvious but that could lead to a negative surprise. ERM dictates that the full panoply of risks is within scope. As long as risks are communicated to the board and senior management, they will be enabled to make the best decisions about what to disclose and report.


Donna Galer

Donna Galer is a consultant, author and lecturer.

She has written three books on ERM: Enterprise Risk Management – Straight To The Point, Enterprise Risk Management – Straight To The Value and Enterprise Risk Management – Straight Talk For Nonprofits, with co-author Al Decker. She is an active contributor to the Insurance Thought Leadership website and other industry publications. In addition, she has given presentations at RIMS, CPCU, PCI (now APCIA) and university events.

Currently, she is an independent consultant on ERM, ESG and strategic planning. She was recently a senior adviser at Hanover Stone Solutions. She served as the chairwoman of the Spencer Educational Foundation from 2006-2010. From 1989 to 2006, she was with Zurich Insurance Group, where she held many positions both in the U.S. and in Switzerland, including: EVP corporate development, global head of investor relations, EVP compliance and governance and regional manager for North America. Her last position at Zurich was executive vice president and chief administrative officer for Zurich’s worldwide general insurance business ($36 Billion GWP), with responsibility for strategic planning and other areas. She began her insurance career at Crum & Forster Insurance.

She has served on numerous industry and academic boards. Among these are: NC State’s Poole School of Business’ Enterprise Risk Management Advisory Board, Illinois State University’s Katie School of Insurance and the Spencer Educational Foundation. She won “The Editor’s Choice Award” from the Society of Financial Examiners in 2017 for her co-written articles on KRIs/KPIs and related subjects. She was named among the “Top 100 Insurance Women” by Business Insurance in 2000.
