Useless risk statements

Companies on both side of the Atlantic are required to describe the material risks threatening their business.  The stated objective is to help potential investors decide whether to invest in the company and to help actual shareholders to assess the risk of their investment.

American companies list their risks in their annual report, Form 10K under a compulsory section called Risk Factors and let the reader, if anyone ever reads these statements, decide how relevant they are. British companies go further and boast about the process called Risk Management. They insist, for instance, that the risk processes are imbedded into company procedures or that they carry out robust assessments of potential risks. They use risk buzz words such as risk appetite and risk overview to show their effectiveness. Sometimes they throw in trendy topics and convert them into risks such as climate risk.

AstraZenica, for instance, have a report called ‘Group Risk Report’ reviewed by the Board to show how systematic and professional they are. Sometimes companies prepare annual risk reports. The very efficient prepare quarterly ones. They set up committees and councils with odd peculiar names to review their risks, for instance the ROCC in GlaxoSmithKline: the Risk Oversight & Compliance Council, or the ARC: the Audit & Risk Committee.  People are appointed to train employees about risk. Risks have to be identified, monitored, evaluated, graded, audited, communicated, approved and then written into the annual report.  It is all so perfect.

But the listed risks are essentially the same for every company. Some stated risks are not risks at all but are just business as usual, for instance the competition. Some announce risks but not others, for instance taxation, yet they all pay taxes in multiple countries. Some announce odd peculiar risks, for instance social media. This leaves a few real risks, for instance cyber security, but they cannot explain them otherwise they would give away confidential information and leave the company open to attack.

And then the risk statements are so dull and dry I doubt if anyone ever reads them. In addition they are incredibly long. For instance, Risk Factors in the Form 10K for Abbott Laboratories for the 2021 Annual Report runs for 6 pages and over 4300 words. Bristol-Myers Squibb Company either do a better job of describing their risks or have a higher risk profile, because their Risk Factor section has over 10500 words. Amazon takes over 7500 words to explain their risks.

Whether one has to plough through four thousand, seven thousand or ten thousand words to understand a company’s risk profile, it is a daunting task. Companies do try to help readers by separating risks into sub-sections with headings such as Operating Risks, Business Risks, Legal Risks and sometimes even General Risks. But this is no help at all because so many of the risks are the same from company to company, even in different industries.

So the stated objective has failed. Risk statements do NOT help potential investors decide whether to invest in the company and certainly do NOT to help actual shareholders to assess the risk of their investment.

And who reads them anyway, except for me!

[1] I analysed the risk statements from the 2021 and 2022 annual reports of eight pharmaceutical companies, four based in USA – Abbott Laboratories, Abbvie Inc, Bristol-Myers Squibb Company, Johnson and Johnson, and four based in the Europe – AstraZenica, GlaxoSmithKline, Sanofi, Novartis.