FINANCIAL CRISIS IMPROVING QUALITY: DOES THE FINANCIAL CRISIS HAVE A POSITIVE INFLUENCE ON THE QUALITY OF THE RISK PARAGRAPH?

FINANCIAL CRISIS IMPROVING QUALITY: DOES THE

FINANCIAL CRISIS HAVE A POSITIVE INFLUENCE ON THE

QUALITY OF THE RISK PARAGRAPH?

Master thesis - Lieke Pelle

Amstelveen, June 24

2013

FINANCIAL CRISIS IMPROVING QUALITY: DOES THE

FINANCIAL CRISIS HAVE A POSITIVE INFLUENCE ON THE

QUALITY OF THE RISK PARAGRAPH?

Master thesis, MscBA, Accountancy & Controlling

University of Groningen, Faculty of Economics and Business

Amstelveen, June 24

2013

Lieke Pelle

First supervisor/ university

Prof. dr. D.M. Swagerman

Second supervisor/ university

Dr. D. Tavenier

Supervisor/ KPMG

S. Bader MSc

Abstract

This research investigates whether the financial crisis has an influence on the quality of the risk paragraph. The quality of the risk paragraph is measured using a disclosure index. The sample consists of 31 non-financial listed companies from the AEX and the AMX. The annual reports of the years 2007, 2009 and 2011 are analyzed. The most important result of this research is that the quality of the risk paragraph in general improved over the years. There are differences in quality between the companies, however the overall results show that the quality improved during the years of analysis.

Contents Chapter 1: Introduction ... 5 1.1 Motivation ... 5 1.2 Purpose ... 7 1.3 Research question ... 7 1.4 Contribution ... 8 1.5 Preconditions ... 9 1.6 Research model ... 10 Chapter 2: Theory ... 11

2.1 A need for qualitative risk disclosure ... 11

2.1.1 Agency theory ... 11

2.1.2 Stakeholder theory ... 12

2.1.3 The two theories integrated: Risk disclosure ... 13

2.2 Perception during financial crisis ... 15

2.3 Law, legislation and recommendations ... 16

2.3.1 Risk paragraph ... 16

2.3.2 Law ... 17

2.3.3 Dutch Corporate Governance Code ... 17

2.3.4 COSO ... 18

2.4 What is already known about the quality of risk disclosure ... 19

2.4.1 Literature ... 19

2.4.2 Research by institutions ... 20

Chapter 3: Methodology ... 21

3.1 Sample ... 21

3.2 Research methods ... 22

3.2.1 Disclosure index ... 22

3.3 Reliability and validity ... 23

Chapter 4: Results ... 24

Chapter 5: Discussion of the results ... 30

Chapter 6: Conclusions, limitations and recommendations ... 34

6.1 Conclusions... 34 6.2 Limitations ... 34 6.3 Recommendations ... 35 Reflection ... 37 References ... 39 Appendices ... 44

Appendix 1: Final list companies ... 44

Appendix 2: Foundation disclosure index ... 45

Appendix 3: Disclosure index ... 47

Chapter 1: Introduction

In this chapter the motivation, purpose, research question, contribution, preconditions and research model are discussed.

1.1 Motivation

At first, some statements:

“Evolution of risk management, as regulation, is seldom proactive and evolves as a reaction to adverse events in the financial markets and institutions: failures, temporary or permanent dislocations and crisis.” (Went, 2009: 1)

“The essence of risk management is that a listed firm should create long term shareholder value. Part of this, is that a firm has a well-designed internal control system and meets the need for risk reporting.” (De Groot, 2006: 64)

In the past there have been some well-known bankruptcies of listed firms due to accounting scandals. Examples are Enron, WorldCom and Ahold. The appearance of the scandals raised questions about the risk management implied by firms. These questions led to new laws and rules and new Corporate Governance Codes (Aebi et al., 2012). In the Netherlands, the Dutch Corporate Governance Code was introduced. From the stakeholders the need for transparency about the risks the firm is facing and the firms risk management was triggered by the accounting scandals. Narrative communication in annual reports is seen as the crucial element in achieving the desired change in the quality of corporate reporting. As said, regulators were focusing attention on the discussion. In some countries, guidelines have been revised and extended; while in other countries disclosures have become mandatory (Beattie et al., 2004). The recent global financial crisis again raised interest in risk management and disclosure and brought to attention regulatory reforms and responses from various government agencies and accounting standard setters. Also the current global crisis gave rise to risk reporting in non-financial sectors (Dobler, 2008; Dobler et al., 2011). Due to the crisis, there is an increasing reliance on equity as a source of finance. Therefore, gaining this external financing is a high priority for companies. With this, the use of appropriate governance mechanisms focused on risks is more important than ever (Brown et al, 2009). Stakeholders want more transparency about the risk-focused governance mechanisms to make their decisions. According to De Groot

(2006) the annual report is an important instrument for creating transparency. Amran et al. (2009) also mention that various stakeholders are pointing at the use of additional disclosure to meet the information needs of the stakeholders. So firms can answer the need from stakeholders for more transparency and quality, by disclosing more in their annual report.

Eumedion acts in the interests of the investors in the field of corporate governance and sustainability. Every year Eumedion writes spearhead letters to listed companies in which they point out the subjects which are important to investors. In the 2008 spearhead letter of Eumedion, one spearhead is strategy and risk management. According to Eumedion, stakeholders want answers to several questions, like which risks are related to the strategy, what is the chance these risks will appear and what is the scope of the risks in terms of impact on the result and equity? What do internal risk management and control systems look like and which procedures are in place? Which adjustments and improvements are implemented in system?

Eumedion concludes that the disclosure of the internal risk management and controls systems with respect to the most important risks is not that informative or there is no disclosure at all. Eumedion states they would be pleased to see an informative and insightful broad risk paragraph in the annual report, in which all data related to the risks and risk management are concentrated. Also, the investors would like to see a ranking of the risks, for example a top 5 of the most important risks (Eumedion 2007).

The spearhead letter for 2009 also points at the risk management disclosure of the companies. These spearheads come forth by the research done by Eumedion (2008) which examines whether the companies have complied with the spearheads for 2008. The result is that companies are still falling short in the description and quantification of the risks they are facing. Eumedion (2009) also points at the uncertainty and turmoil of the financial markets, which makes it even more important for investors to have a better insight of the company’s risks. In their spearhead letter they give six elements in which investors will be interested. The first element is a good description of the middle- and long term strategy. Further, a description of the risks the company is facing related to the strategy of the company, where the risk appetite is described. Thirdly, they advise a description of the most important strategic, operational, financial, compliance and financial reporting risks, whereby at least a qualitative description of the risks is given. From the investors there is a need for an overview of the, for example 5, most important risks. Also advised is a sensitivity analysis of the risks, only if a sensitivity analysis can be expected keeping the best practices in mind. Fifth is a description of the design and functioning of the internal control and risk management system. Finally,

Eumedion advises a description of any shortcomings in the internal control and risks management system, any changes made in the current year and any improvement planned. The most important subjects need to be discussed with the audit committee and the board of directors.

In the spearhead letter for 2010 Eumedion states that for a long-lasting recovery of trust between the shareholder and the company, it is of great importance that the communication about the strategy and risk profile is as transparent as possible. Eumedion states that shareholders would like to see a description of the outstanding risks related to strategy in the annual report, including environmental risks and social risks and a description of the risk profile of the company, which includes the attitude towards the outstanding risks, risk appetite, and the sensitivity of the company for realization of the risks (Eumedion, 2010). The NBA (2010) has investigated the quality of risk paragraphs of listed companies in the Netherlands for the year 2009. Results highlight the information about the risk appetite, which should have a better quality. The overall conclusion of the research conducted by the NBA shows that companies can take large steps to improve the quality of their risk paragraphs. This is, at the same time, what stakeholders are demanding from the companies, especially in times of crisis. However, do the companies actually process the recommendations and needs from the institutions and stakeholders?

1.2 Purpose

As mentioned, there is a growing need for more quality in the risk paragraph especially during the crisis. Laws and regulations are sharpened through the years and, for example, Eumedion emphasizes on the shortcomings of the quality of the risk paragraph and gives guidelines for companies to follow. The purpose of this research is to estimate the extent to which companies add quality to their risk paragraph in order to fulfill the needs of the stakeholders. To what extend do companies follow the guidelines and recommendations that are handed to them? And is there any progress to observe during the analyzed years? This research will try to give answers to those questions and more. The purpose is to give stakeholders and companies an overview of the quality of the risks paragraphs and to show where the quality is high and improving and where the quality is below expectation and should be improved.

1.3 Research question

It is evident that stakeholders need more transparency and information during the crisis. This also implies more quality in the risk paragraph. However, do firms answer the need from

stakeholders and add quality to their risk paragraph? This problem results in the following research question:

Does the financial crisis have an influence on the quality of the risk paragraph in the annual report?

To support the research question, subquestions are established, which will be addressed in the theory chapter. These subquestions are: Why is there a need for a qualitative risk paragraph? What is the influence of the crisis on the perception that stakeholders have on companies? Which laws, regulations and recommendations are relevant for the disclosure on the risk paragraph? And last, what is already known about the quality of the risk paragraph?

1.4 Contribution

Previous research about the relationship between risk management and the crisis has been conducted by for example Paape et al. (2009) and Pirson and Turnbull (2011). Pirson & Turnbull (2011) illustrate that systematic shortcomings of the board can increase the probability of poor risk management at the board level during a crisis. Paape et al. (2009) also discuss the risk management system against the background of the financial crisis. They emphasize on the need for transparency and mark the fact that risk management should be more embedded in the daily operational management. Additionally, research on the quality of risk reporting has been investigated by researchers (De Groot, 2006; Dobler, 2008; Lajili & Zéghal, 2005). De Groot (2006) gives important recommendations for the risk management and risk reporting for listed companies, to create long-lasting shareholder value. Dobler (2008) argues that restricted risk disclosure can be explained by the uncertainty of information characteristics and issues of credible communication. His overall conclusion is that the informativeness of risk reporting, even in a regulated environment, should not be overestimated. Lajili and Zéghal (2005) performed a content analysis on the risk disclosure by Canadian firms. The results show a high level of risk disclosure; however, the disclosure is limited in their usefulness due to a lack of clarity, uniformity and quantification. This research is either analyzing risk management and the crisis or analyzing risk disclosure. This research will link both subjects and therefore, will add a research relationship, namely the quality of risk reporting and the crisis. Since there is not much research conducted about determinants on the quality of risk disclosure (Dobler et al, 2011), this research will contribute to the field of risk disclosure by looking at the crisis as a determinant on the quality of risk disclosure. There is no existing literature that examines if the crisis has an influence on the quality of the risk

paragraph. For this reason, this research can lead to new insights by investigating this relationship.

Most of the research in the field of risk management and risk disclosure has a focus on the financial markets, however as Dobler (2008) points out, the financial crisis gave rise to risk reporting in non-financial sectors. This research will focus on the non-financial firms, to contribute to the field of research on risk reporting for non-financial firms.

During a financial crisis, managers want to attract external financing and satisfy stakeholders. On the other hand stakeholders want qualitative information about the risks a company is facing. This research can indicate if the managers respond to the need of the stakeholders, and thereby their own need for external financing, and add quality to the risk paragraph.

1.5 Preconditions

Due to the time frame there are some preconditions to this research, which will explained below.

In this research only companies from the Netherlands are used as research objects. In every country there are different laws and regulations to which companies need to comply. In order to keep the results comparable, the companies need to comply with the same laws and regulations and they need to be subject to the same best practices. Therefore, only the risk paragraphs of the annual report of companies that are listed in the Netherlands and have their statutory seat in the Netherlands are analyzed for the years 2007, 2009 and 2011.

In 2007 the financial crisis had not yet begun. Two years later, the financial crisis had just started and better risk management and risk reporting was stimulated by authorities. The year 2011 is chosen, because the annual reports from this year are the latest available at the moment of analysis. Some companies disclose information regarding risk management on different places in their annual report. It is higher valued when all risk information is integrated in one place; therefore, only the risk paragraph is analyzed. Also risk information that companies place on their website is excluded from this research.

In order to assess the quality of the risk paragraph, a disclosure index is established. The disclosure index is conducted of different items that will be discussed in the theory chapter. The implementation of IFRS 7 is excluded as a research item in the disclosure index, since IFRS 7 requires disclosure of the financial risks reported on the annual accounts. This research will only focus on the annual reports, so IFRS 7 is not relevant.

1.6 Research model

Figure 1: the research model

The research model is shown in figure 1. The desired quality of the risk paragraph will be estimated based on literature research and the answers to the subquestions. Next, the risk disclosure in the annual reports will be measured by content analysis using a disclosure index. The desired quality of the risk paragraph together with the risk disclosure from the annual reports and additional information gathered by interviews, will lead to a value judgment of the quality of the risk paragraph.

A conceptual model is not necessarily needed for this research. Though, when the left subquestions of the research model are included as influential factors, the research model could be considered as a conceptual model.

The structure of the research is as follows. First, in chapter 2 the theory will be discussed and answers will be given to the subquestions. In chapter 3 the methodology used will be outlined. Then, in chapter 4 the results of the analysis of the annual reports will be shown. In chapter 5 the results will be discussed and the results will be linked to the theory. In this chapter the quality of the risk paragraph will be valued. Finally, in chapter 6 the overall conclusions, limitations to the research and recommendations for future research will be given.

Need for qualitative risk paragraph

Crisis influence on perception

Laws, regulations and recommendations

Research quality risk disclosure

Desired quality of the risk paragraph

Risk disclosure in annual report

Quality of the risk paragraph

Chapter 2: Theory

In this chapter the theory will be discussed. Throughout the chapter, answers will be given to the subquestions. At first, in paragraph 2.1 the need for a qualitative risk paragraph will be discussed. Then, paragraph 2.2 addresses the influence of the financial crisis on the stakeholder’s perception of the company. In paragraph 2.3 law, regulation and rules are discussed. And last, paragraph 2.4 addresses what is already known about the quality of risk disclosure.

2.1 A need for qualitative risk disclosure

The research question builds on two theories, the agency theory and the stakeholder theory. The next subsections will give an introduction and implementation of both theories.

2.1.1 Agency theory

The agency theory is defined by Jensen and Meckling (1976) as: “a contract under which one or more persons (the principal (s)) engage another person (the agent) to perform some service on their behalf which involves delegating some decision making authority to the agents. If both parties to the relationship are utility maximizers there is a good reason to believe that the agent will not always act in the best interests of the principal.” The agents in this definition are the managers and the principals are the shareholders. The agent will make a consideration of the costs and benefits of the decisions to be taken. The managers will have more information, which impedes the shareholder from ensuring that the managers are acting in their best interests. The agency problem can give rise to agency costs. The agency costs are the sum of the monitoring expenditures by the principal, the bonding expenditures by the agent and the residual loss, which is the dollar equivalent of the decrease in welfare experienced by the principal due to the divergence of ownership and control. Agency costs are inevitable, because it is almost impossible to ensure the agent is acting in the right way from the principal’s viewpoint, at zero cost (Jensen and Meckling, 1976). Both the agent and the principal want to reduce the agency costs to a minimum. Incentives for the agent can be the solution for the agency problem and consequently can minimize the agency costs.

One, much-discussed, way to provide incentives for the agents based on the agency theory, are executive compensation plans (Scott, 2012). Bonuses should be an incentive for managers to act in the best way for the shareholders. However, especially now during crisis, the bonuses are

subject of discussion. Are financial incentives necessary for agents to act in the interests of stakeholders? Other incentives may be just as effective as the incentive of bonuses.

Incentives are likely to play a major role in risk reporting, even in a (partly) regulated disclosure environment (Dobler, 2008). Risk disclosure motives have an essential impact on managers’ reporting decisions (Miihkinen, 2012). Managers may be reluctant to disclose information because of countervailing incentives arising from the threat of external effects (Dobler et al., 2011). Because the nature of risk reporting is subjective, partly non-verifiable and its foresight is incomplete, a manager can report on risks in different ways. If these reporting alternatives induce different decisions and actions, the manager can direct the users’ reactions and particularly manage “derivative” risks arising from such reactions to some extent. This makes risk reporting as a means of risk handling (Dobler, 2008). If a manager has access to risk information, deficits in voluntary risk reporting imply managerial incentives to withhold private information. Managers do not intentionally withhold less favorable risk news. This suggests that managers may not be averse to communicating risk information more effectively (Linsley & Lawrence, 2007).

The financial crisis can be an incentive for agents to act in the best way preferred by principals. Stakeholders want to have more information about the risks the company is facing during crisis, and especially at these times, companies need the external financing from the stakeholders. The extent to which companies disclose information can depend on the need for external financing (Lang & Lundholm, 1993). In this way, the financial crisis can be an incentive for companies for more disclosure, which will reduce the agency problem.

2.1.2 Stakeholder theory

The stakeholder theory, according to Mitchell et al. (1997), tries to indicate a fundamental question: which groups are stakeholders requiring or deserving management attention? Freeman’s (1984) definition of a stakeholder is: “any group or individual who can affect or is affected by the achievement of the organization’s objectives”. This is a broad definition of a stakeholder. There is a more narrow definition by Clarkson (1994): “voluntary stakeholders bear some form of risks as a result of having invested some form of capital, human or financial, something of value, in a firm. Involuntary stakeholders are placed at risk as a result of a firm’s activities. But without the element of risk there is no stake”. A company’s success and survival depends on the ability of management to satisfy all stakeholders (Clarkson, 1994). In one of the theses of Donaldson and Preston (1995) the stakeholder theory is described as managerial. They state that it recommends attitudes, structures and practices that constitute stakeholder management. Stakeholder management requires simultaneous attention to the legitimate

interests of all appropriate stakeholders, as well in the establishment of organizational structures and general policies as in case-by case decision making. In this, the managers are responsible for the selection of activities and direct resources to obtain benefits for legitimate stakeholders.

According to Mitchell et al. (1997) the stakeholder status is determined by three factors which have to be simultaneously present. These three factors are legitimacy, power and urgency. When a potential concern arises, before decision-makers view a particular issue as an observable call for attention, all three factors must be present, or at least believed to be present. The stakeholder theory is enriched by this model from Mitchell et al. (1997) by articulating the process through which stakeholder status is set up and also by emphasizing the transitory nature of the stakeholder status (Magness, 2008).

Corporate social responsibility (CSR) is an increasingly important subject related to the stakeholder theory. There is a demand from stakeholders for CSR activities and those CSR activities provide value-relevant information for the stakeholders (Dhaliwal et al., 2012). Deegan and Gordon (1996) found that companies disclose more environmental information when the membership in environmental organizations was also increasing.

Although CSR, with regard to risk disclosure, mainly covers the environmental aspect, risk disclosure overall is seen as important to stakeholders (Beretta & Bozzolan, 2004). Stakeholders want the less uncertainty as possible and transparency, due to risk disclosure, reduces this uncertainty (Lang & Maffett, 2011). As mentioned in the thesis of Donaldson and Preston (1995), managers are responsible for which actions are undertaken to benefit the stakeholders. Managers should, according to the thesis, disclose information on the risks they are facing, to give stakeholders transparency of the company.

2.1.3 The two theories integrated: Risk disclosure

Beretta and Bozzolan (2004) define risk disclosure as follows: ‘risk disclosure is the communication of information concerning firms’ strategies, characteristics, operations, and other external factors that have the potential to affect expected results’. External reporting of risk-related information is mainly required from firms using external financing and is often mandated by regulatory agencies, creditors and investors. Risk reporting in this case usually involves regulatory requirements in the form of prospectus uses and annual reports (Lajili & Zéghal, 2005). Risk disclosure can diminish the agency problem and can provide the stakeholders with the information they are demanding. According to the stakeholder theory, when a company identifies and addresses risks and opportunities, it protects and creates value for their stakeholders (Amran, 2009). In short, risk disclosure reduces the information

asymmetry between the company and its stakeholders by providing the stakeholders with information of the risks a company faces and how these risks are managed (Dobler et al, 2011). This implies that stakeholders will be more satisfied and in turn invest more, which is desired by managers.

As stated by Healy and Palepu (2001), corporate disclosure is critical for the functioning of an efficient capital market. There are substantial swings in trading and risk-taking behavior during the crisis that is driven by changes in investor perceptions (Hoffmann et al., 2013). Due to its inherent discretion, risk reporting is dependent on disclosure incentives (Dobler, 2008). A company can engage in (voluntary) risk disclosure for many reasons. For example it can be a response to innovation, globalization or changes in business and capital market environments (Healey & Palepu, 2001). The financial crisis can be seen as a change in business and capital market environment. As in the case of the recent financial crisis, stock markets are under pressure and rules regarding the budgets are sharpened.

Put together perfectly by Lajili and Zéghal (2005): ‘Driven by increased complexities in the business world, and the need for transparency and improve disclosure quality by reducing information asymmetries, risk and risk management disclosures are potentially useful to analysts, investors and other firm stakeholders. These disclosures provide guidance with increased market volatility and business uncertainty and their impact on firm-level economic value and growth, as well as trading volume sensitivity to different risks.’ As mentioned by Dobler (2008) risk reporting depends on disclosure incentives. A possible incentive can be the need from stakeholders for more disclosure and as Lajili et al. (2005) mention, disclosure provides guidance with increased market volatility and business uncertainty. Risk disclosure shall reduce the information asymmetry between managers and stakeholders by providing users of financial reports with information on the risks a company faces, now and in the future, and on how these risks are managed (Dobler et al., 2011). The more firms give appeal to the need for transparency and quality, the more qualitative the risk paragraph will be, the less the asymmetry.

But why is the information about the risks so important? Do the risks say something about the future of the company? Nowadays, more importance is attached to disclosure on the risks a company is facing. Not only financial statements are important, but also the qualitative information is important. An upcoming way of reporting is Integrated Reporting. Integrated Reporting is focused on qualitative, long-term reporting. The risks a company is facing,

especially the long-term risks, can help stakeholders assess the state of the company and the future of the company. Integrated Reporting is expected to become the best way of reporting in

the future1.

2.2 Perception during financial crisis

The financial crisis started in the United States in 2007. In the period of 2000 till 2007 banks had taken too many risks with the provisioning of mortgages. The mortgages they provided, where accompanied by a low interest rate. In 2007 the interest rate rose and house owners had difficulties to pay off their mortgages. The housing market collapsed. Banks were incurring losses, since the mortgage owners were unable to pay off their mortgage. The risk of the mortgages provisioned by the United States banks, were in the period before 2007 packed in opaque financial products. These products were transferred to banks around the globe. All those banks faced the problems that arose by the mortgages. Trust between banks disappeared and mutual funding decreased. Some of the banks could not meet their obligations and went bankrupt. The most well-known example is Lehman Brothers. All over the globe the stock markets were under pressure. From that moment the world-wide crisis was a fact.

The Netherlands is an export country with an open economy. The crisis therefore has great consequences for the Dutch economy. There was a decreasing demand for products and, consequently, the unemployment rose. European rules regarding the budget were sharpened, in

order to prevent a similar crisis in the future2. Concluded, the Netherlands is affected by the

current financial crisis and therefore, this crisis and its consequences influence the listed companies in the Netherlands.

Previous research examines the willingness of investors to take risks, after they have experienced a number of losses subsequently (Thaler & Johnson, 1990; Bareberis, 2013). Results indicate that investors are less willing to take risks. A dramatic experience, for example the Great Depression in 1930, can have a permanent impact on the perceptions of an investor and his risk taking behavior (Malmendier and Nagel, 2011). So the experiences at the beginning of the current financial crisis may have its influence on investors’ perceptions of the company’s risks. A financial crisis, and so the current financial crisis, may have a strong impact on investors because of their salience (Hoffmann et al., 2013). More qualitative risk

1 _{http://www.theiirc.org/about/aboutwhy-do-we-need-the-iirc/, 24-06-2013} 2

disclosure can help stakeholders to form and reform their perceptions and base their decisions on the disclosed risk information.

Furthermore, an important and relevant example concerning the risks a company is facing is originated from another sector. In the banking sector the writing off of the losses which banks have incurred due to the crisis is currently a problem. The European banks are too optimistic about the credit risks they are facing and in their annual report. It is up to the companies to conscientiously bring out a fair outline. To regain the confidence of the stakeholder, companies should take the pain now instead of spreading it over the years. (Financieele Dagblad, January

4th 2013). Recognizing the losses and its accompanying risks should be reflected in the annual

report.

Is there deliberately an omission of information that companies do not dare to show in times of crisis? The answer is no according to Linsley & Lawrence (2007). However, this was concluded before the crisis. And although, this is a case from the banking sector, it can be applicable for non-financial companies too. Most companies have incurred losses in some way due to the crisis. These companies want to compensate the biased perception that the stakeholders have due to the crisis, which can be achieved by showing positive information. The omission of less favorable information is beyond the scope of this research. Though, it would be an interesting subject for future research. A proposal will be discussed in section 6.3.

2.3 Law, legislation and recommendations

The following subsections will discuss the content of the risk paragraph, the laws applicable for listed companies, the Dutch Corporate Governance Code and the framework of COSO.

2.3.1 Risk paragraph

According to De Groot (2010), risk reporting consists of three components, namely the risk profile, the description of the risk management system and the in-control statement. The risk profile consists of the most important operational, strategic, financial and legal and regulatory risks which the company is facing. The description of the risk management system is an explanation of the company’s specific risk management system. Finally, the in-control statement is a statement of the board about the design and/or the existence and/or the functioning of the explained system of risk management/ internal control and/or the reliability of the risk profile. As resulted from a research done by KPMG (2009), the placing of the in control statement is very diverse. Some companies have a separate statement, some have

included the statement in the director’s report and other companies have included the statement in the annual account.

2.3.2 Law

Section 2:391 BW is applicable for listed companies. It states that the board needs to give a description of the outstanding risks and uncertainties the company is facing. Section 5:25c Wft is also applicable for listed companies which have their registered office in the Netherlands. The European Transparency guideline from 2009 is incorporated in section 5:25c Wft. Companies, just as section 2:391 describes, need to provide a statement, in addition to the annual account and the annual report, including a description of the outstanding risks the company is facing.

2.3.3 Dutch Corporate Governance Code

In the Netherlands listed companies have to deal with the Dutch Corporate Governance Code, which is introduced in 2003. It applies for listed companies which have their registered seat in the Netherlands. The Code is designed in accordance with the comply or explain principle. In 2008 the Code is revised by the commission Frijns. Section II.1.4. of the Code gives best practice definitions for the companies. They state that in the annual report the management board shall provide:

a) “a description of the main risks related to the strategy of the company;

b) a description of the design and effectiveness of the internal risk management and control systems for the main risks during the financial year; and

c) a description of any major failings in the internal risk management and control systems which have been discovered in the financial year, any significant changes made to these systems and any major improvements planned, and a confirmation that these issues have been discussed with the audit committee and the supervisory board.”

Hereafter, an explanation is given for the best practices from section II.1.4. Regarding point ‘a’, a description should be given of the most important risks the company is facing: strategic and operational risks, financial risks, legal and regulatory risks and financial reporting risks. In the description the company needs to pay attention to her risk profile, the risk appetite and, as far as possible, the risk sensitivity. A quantification of the mentioned risks can have a positive effect on the informative value of the description. The description of the outstanding risks relates to the in the section 2:391, paragraph 2 BW prescribed ‘risk paragraph’ and to the description of the actual risks within the scope of the section 5:25c Wft.

At part ‘b’, the board should indicate in the description of the design and functioning of the internal risk management and control systems which framework is implemented for the evaluation of the internal risk management and control systems (Corporate Governance Code 2008).

The initial Code from 2003 does not addresses a description of the risks. The main difference between the Code from 2003 and the revised Code from 2008 is that in the Code from 2008 is explicitly stated that the board is responsible for the description of the strategy and the accompanying risk profile (Corporate Governance Code 2003; Corporate Governance Code 2008). One of the reasons for the revision was that the financial crisis revealed shortcomings in the governance model. There was a need for a better understanding of relevant risks the

company is facing3.

2.3.4 COSO

The Committee of Sponsoring Organizations (COSO) has designed frameworks and guidance on enterprise risk management and internal controls to improve organizational performance and governance (website COSO). In May 2013 COSO released a new framework ‘Internal Control – Integrated Framework’ (COSO, 2013). This framework is based on the framework published in 1992. The newly released framework does currently not apply for the companies in this research; though, it is an interesting subject for future research, as will be discussed in section 6.3.

The framework of COSO ‘Enterprise Risk Management – Integrated framework’ (COSO, 2004) consists of a cube with objectives, components and entities units. The objectives are what the company wants to achieve and the components are what is needed to achieve those objectives. The four objectives are strategic, operations, reporting and compliance. The eight components are: internal environment, objective setting, risk assessment, risk response, control activities, information & communication and monitoring. The third dimension states the entities units, namely subsidiary, business unit, division and entity-level (COSO, 2004).

According to COSO (2004) risk is identified as follows: ‘Risk is the possibility that an event will occur and adversely affect the achievement of objectives.’ Important to the risks that may occur is the risk appetite. COSO (2004) defines the risk appetite as the ‘amount of risk, on a

3

http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2009/05/25/kabinetsreactie-op-de-geactualiseerde-nederlandse-corporate-governance-code.html, 11-06-2013

broad level, an entity is willing to accept in pursuit of value’. Risk appetite can be considered as qualitative and quantitative.

2.4 What is already known about the quality of risk disclosure

The next subsections will outline the research literature of risk disclosure, research by institutions and the last subsection will conclude with the desired quality of the risk paragraph.

2.4.1 Literature

Increased complexity of business strategies, operations and regulations makes it difficult for stakeholders to appreciate financial information without clear accompanying explanations (Beretta & Bozzolan, 2004). Lajili and Zéghal (2005) show that the usefulness of risk disclosures has been decreased at Canadian firms, due to a lack of uniformity, clarity and quantification. According to Linsley and Shrives (2006) few UK firms give quantitative risk information and that the risk reporting lacks coherence. An informative risk paragraph is important to stakeholders, because they need to understand the risks a firm takes to create value and they want to know the sustainability of current value-creating strategies for the future prospects (Beretta & Bozzolan, 2004). The risk reporting allows the stakeholders to assess the risks of an entity’s future economic performance (Dobler, 2008). In addition, the accuracy of the stakeholder’s forecasts is likely a function of the transparency of the firm’s information environment, including the effects of their private information acquisition and firms’ disclosure policies. High-quality narrative communication in the non-financial statement sections of annual reports is important to making firm reporting more useful to investors (Miihkinen, 2012). Also, decision-making often involves facing an unknown future. Stakeholders prefer to find ways to analyze and rationalize the possible future implications of an action before deciding to act. Stakeholders require more disclosure from public companies concerning prospects for future performance and the sustainability of current value-creation drivers (Beretta & Bozzolan, 2004). In addition, Francis and Schipper (1999) argued that stakeholders get little benefit of backward-looking information, the greater the “look ahead” value of financial reports, the greater their value relevance to investors. To serve the needs of the market and provide the information required for corporate transparency and accountability, the reported information needs to expand beyond the emphasis on backward-looking information (Beattie et al., 2004; Broadbent et al., 2008). According to Abraham and Cox (2007) the information disclosed on risks is too brief, not forward looking enough and not wholly sufficient for decision making purposes. Concluded, there is a gap in the reported risk

information and the risk information desired by stakeholders. The stakeholders therefore cannot assess the risk accurately and in accordance with their needs.

2.4.2 Research by institutions

The report of the American Insitute of Certified Public Accountants (AICPA, 1994) committee discusses elements on which a company should focus on in their business reporting. These elements are financial- and non-financial data, management’s analysis of the financial- and non-financial data, forward-looking information, information about management and stakeholders and background of the company. Although they are not all applicable for risk reporting, it is important for companies to keep the elements in mind. The Institute of Chartered Accountants in England and Wales (ICAEW, 2011) state in their report ‘Reporting Business Risks: Meeting Expectations’ seven principles for better risk reporting. These seven principles are: tell users what they need to know, focus on quantitative information, integrate into other disclosures, think beyond the annual reporting cycle, keep lists of principal risks short, highlight current concerns and report on risk experience. As clearly stated in the report, the seven principles are points for consideration for all public companies. The ICAEW (2011) concludes risk disclosure should focus on the different types of risk, the sources of uncertainty that affect volatility and expected future performance.

The Nederlandse Beroepsorganisatie voor Accountants (NBA), former Nederlands Instituut Van Register Accountants (NIVRA), has studied the quality of the risk paragraph of 63 listed companies from the Netherlands in 2009 (NBA, 2010). An important result was that only a few companies, 11%, explicitly indicate which risks are the most important. Moreover, a prioritization is absent in most of the companies. Another result from the research from the NBA is the lack of quantitative information about the effects of the risks on the profit and the equity. They refer to the revised Corporate Governance Code, which states that a quantification of the mentioned risks can have a positive effect on the quality of the description. Another result from their research concerns the risk appetite. According to the NBA the risk appetite should be part of the risk paragraph, which is in line with the Code. With regard to the framework used, for example COSO, the NBA also points at the Code, which mentions that the board needs to explain which framework is implemented for the evaluation of the risk management system. The NBA assumes that the board declares in their risk paragraph which framework is used. Another recommendation from the NBA is that the in control statement should be in the same paragraph as the risks, because of the ease of use for stakeholders (NBA, 2010).

2.4.3 Desired quality of the risk paragraph

To measure the quality of risk disclosure, the definition of quality is essential. NIVRA (2010) describes the quality of risk disclosure in their research as: ‘compliance with legislation and regulations and the extent to which the information needs of key stakeholders such as shareholders, as well as the ease of use are taken into account.’ The desired quality of the risk paragraph is composed of the above mentioned laws, regulations, best practices and recommendations together with the definition of the quality of risk disclosure. There are different ways to measure the quality of disclosure. One approach to measure the quality of disclosure is using a disclosure index. The disclosure index is a proxy used before by researchers as Beretta & Bozzolan (2004), Botosan, (1997) and Lang & Lundholm (2000). The ultimate desired quality of risk disclosure is the maximum score obtainable on the disclosure index.

In order to measure the quality of disclosure, it is not only important how much is disclosed, but also what is disclosed and how it is disclosed (Beretta & Bozzolan, 2004). As investigated, the level of disclosure is dependent on size and industry (Ahmed & Courtis, 1999; Robb et al., 2001). Therefore, it is not justified to take the quantity of disclosure as a direct measure. To investigate the amount of disclosure per company, the amount of risk disclosure should be measured relative to the total amount of disclosure in the annual report (Beretta & Bozzolan, 2004).

Chapter 3: Methodology

In this chapter the methodology used will be explained. First, the sample will be outlined followed by the research method and the disclosure index. Last, the reliability and validity will be discussed.

3.1 Sample

This research is a general discussion of the risk paragraphs of companies. This general discussion is tailored to the situation in the Netherlands. The decision to use the situation in the Netherlands is because the Dutch laws, regulations and recommendations are best available. Although the sample needs to be tailored, the conclusions will still be generalizable for most listed companies. In Europe, and many other countries, companies have to report according to

IFRS. This makes the annual reports highly similar to each other and this enhances the generalizability of the conclusions of this research.

The ultimate sample consists of listed companies which have their statutory seat in the Netherlands. The indices used are the AEX and the AMX. By taking the AEX and the AMX, the Dutch listed companies with the largest capitalization are captured.

Companies in the financial sector are excluded from the sample. Financial companies have to comply with additional regulations, like Basel III. The disclosure index established is not generally applicable for companies in this sector. Research items need to be added to make the disclosure index applicable for financial companies. This will make a comparison between financial and non-financial companies not reliable.

Based on the three before mentioned criteria, three companies are excluded. In May 2011 TNT NV has demerged into two single listed companies, TNT Express NV and PostNL NV. The

demerger was retroactive to January 1st 2011. Due to the demerger, there is no annual report

2011 available for TNT NV and there are no annual reports 2007 and 2009 available for both TNT Express NV and PostNL NV. Further, Ziggo NV is a listed company only since May 2012. This leaves no other conclusion than excluding TNT Express NV, PostNL NV and Ziggo NV from the sample.

During the analyzing of the risk paragraphs, USG People NV had to be excluded from the sample. The 2009 annual report was only available on the internet, which made calculating a disclosure ratio not feasible. A comparison between the years is therefore not possible. For this reason USG People NV has been excluded from the sample.

The final list of 31 companies is included in Appendix 1.

3.2 Research methods

The principal method used to analyze the annual reports is content analysis. The content analysis will take place based on a disclosure index. Conclusions will be drawn based on literature and the results of the content analysis. Additionally, the conclusions will be supported by two interviews with Rients Abma, director Eumedion and Johan Schrumpf, senior manager KPMG.

3.2.1 Disclosure index

A disclosure index is established to measure the quality of the risk paragraph. This disclosure index will focus on the mandatory and voluntary disclosure. The mandatory disclosure is required by law. The voluntary disclosure is channeled by the best practices of the Corporate

Governance Code and COSO. Furthermore, attention is paid to the recommendations by Eumedion, the research done by the NIVRA, ICAEW and AICPA and findings from research literature (Abraham & Cox, 2007; Beattie et al., 2004; Beretta & Bozzolan, 2004; Broadbent et al., 2008; Francis & Schipper, 1999; Linsley & Shrives, 2006). For the comparativeness only annual reports in English will be used. The foundation for the final disclosure index is included in Appendix 2.

The quantity of the disclosure is measured relative to the total disclosure of the company’s annual report. This is done by using the pages in the annual report as the recording unit. By dividing the pages dedicated to the risk paragraph by the total pages of the annual report, a ratio for the relative quantity of disclosure is provided.

The disclosure index is found in Appendix 3. The final score is determined by adding up the answers yes, 1 point, from the questions 1 till 11 and their subquestions. There is an equal score of 1 point for the subquestions. Every subquestion is equally important and no subquestion needs a higher valuation than other subquestions. The maximum score that can be reached is 29. The questions 12, 13 and 14 will all be assessed differently. Question 12 will give the disclosure ratio as explained above; question 13 will show the amount of categories out of the 5 categories which are addressed for the total amount of companies per year and last, question 14 will give the total amount of risks that are addressed by the total amount of companies per year.

3.3 Reliability and validity

When using a disclosure index the reliability and the validity of the measurement are an important aspect (Beattie et al., 2004). In this research there is no possibility to measure the reliability and validity. However, the disclosure index will be applied as reliable and valid as possible.

Chapter 4: Results

All scores from the companies on the disclosure index are collected and reflected in graphs. Each graph will be explained in this chapter. In the next chapter the results will be analyzed and discussed.

Graph 1: Disclosure score

In graph 1 the average disclosure score of all companies together is shown. The scores for 2007, 2009 and 2011 are respectively 24,7%, 27,5% and 28,1%. There is an upward trend between the years, which means the quality of the risk paragraph is improving during the years; although, the upward trend is flattening along the years.

0,00% 5,00% 10,00% 15,00% 20,00% 25,00% 30,00% 2007 2009 2011 Av er a g e dis clo sure sco re o f a ll c o m pa nies Disclosure score

Graph 2: Total disclosure score per company per year

Graph 2 shows the scores of each company per year. In the majority of the cases the score of 2011 is equal to or greater than the score in 2009. There are some exceptions, these include Aalberts Industries, Heineken, Ten Cate, TomTom, Wessanen and Wolters Kluwer. For some companies there is no difference at all over the years. These companies are AMG, ASM, ASML, Boskalis, Fugro, Heijmans, Philips and Reed Elsevier. The highest score overall, 13, is from KPN in 2011 and the lowest overall score, 3, is from Pharming and Unilever, both in 2007. From the 31 companies, 29% has the same quality of the risk paragraph in all three years. 13% has the same score in 2007 and 2009 and another score for 2011 and 16% has a different score for 2007, but the same scores in 2009 and 2011. There are some remarkable differences between the companies and between the years. These will be discussed in the following chapter. 0 2 4 6 8 10 12 14 Aalb er ts I n d u st ries A h o ld Ak zo N o b el AM G Ar ca d is AS M AS ML B AM Gr o ep B o sk al is B ru n el C SM DS M Fu g ro Heij m an s Hein ek en Im tech _KP N Nu tr ec o Ph ar m in g Ph ili p s R an d st ad R ee d E ls ev ier SB M Of fs h o re T en C ate T KH Gr o ep To m To m Un ilev er Un it4 Ag res so Vo p ak W ess an en W o lter s Klu wer T o ta l dis clo sure sco re

Disclosure score per company

2007 2009 2011

Graph 3: Prioritization of most important risks Graph 4: Average amount of risks in all risk paragraphs

Graph 3 shows the amount of companies that ranked their risks to their importance. In 2007 none of the companies ranked their risks. In 2009 two companies and in 2011 three companies prioritized their risks. This means 10% of the companies ranked their risks to their importance in 2011.

The average amount of risks addressed in all risk paragraphs is depicted in graph 4. In 2007 the average is 11 risks, in 2009 13 risks and in 2011 15 risks. This means an increase of 18% from 2007 to 2009 and 15% from 2009 to 2011. It could be concluded there is an upward trend in the amount of risks disclosed.

Graph 5: Risk categories out of the 5 categories (Strategic-, operational-, financial-, compliance- and environmental and social risks)

0 1 2 3 4 2007 2009 2011 Am o un t o f co m pa nies

Prioritization of risks

Amount of risks

Total categories in risk paragraph

Risk categories out of the 5 categories

2007 2009 2011

The above graph, graph 5, gives an overview of the amount of categories in which the risks are classified. The five categories are strategic risks, operational risks, financial risks, compliance risks and environmental and social risks. As shown in the graph, most companies make use of four risk categories, namely strategic, operational, financial and compliance. There are some exceptions. BAM Groep does not use these four categories, it excludes the financial risks in the risk paragraph, but they do make use of the environmental risk category. This is the case for all three years. Brunel International excludes the compliance risks from the four categories and includes the environmental risk category. This is the case for the years 2007 and 2009. In 2011 Brunel International makes use of five risk categories. Last, Vopak makes use of all the five categories in the years 2007 and 2011, but in 2009 they exclude the operational risks.

Addressing all the five categories is seen as the most qualitative. The amount of companies using all five categories is growing trough the years. In 2007 six companies classified their risks in five categories, in 2009 eight companies and in 2011 nine companies.

Graph 6: Quantitative information Graph 7: Forward looking information

Graph 6 depicts the amount of companies that disclose quantitative information about their risks. The criteria to consider information as quantitative information, is that the information should help the stakeholder to give him a good perception of the possible impact of the risk. The amount of companies with quantitative risk disclosure for 2007, 2009 and 2011 are respectively 9, 10 and 12. This is an increase of 11% between 2009 and 2011 and 20% between 2009 and 2011. In 2011 39% of the companies, against 29% of the companies in 2007, give quantitative information about the risks they are facing.

The disclosure score on forward looking information of each company is shown in graph 7. The criteria for considering information as forward looking information is that it should be

0 2 4 6 8 10 12 14 2007 2009 2011 T o ta l c o m pa nies dis clo sing qu a ntit a tiv e info rm a tio n

Quantitative disclosure

concrete what the company is expecting or planning for the future. Vague descriptions or merely the naming of continuing operations for the future are not considered as forward looking information. For 2007 and 2009 the amount of companies disclosing this information is equal, namely 6 companies. In 2011 this amount has grown to 11 companies. This means an increase of 83%. In 2011 35% of the companies are disclosing forward looking information on the risks.

Graph 8: Risk appetite included in risk paragraph Graph 9: Risk sensitivity included in risk paragraph

Graph 8 depicts the amount of companies that include information about their risk appetite in the risk paragraph. There is an increasing trend in companies addressing their risk appetite. From 2007, 2009 and 2011 the amount of companies is respectively 3, 7 and 10. In terms of percentage these increases are 133% from 2007 to 2009 and 43% from 2009 to 2011. Most companies that disclose information about their risk appetite start in 2007, 2009 or 2011 and subsequently keep disclosing the information. The only exception is Vopak; they disclose the information on their risk appetite in 2007 and 2009, however not in 2011. In 2011 32% of the companies disclose information on the risk appetite against 10% in 2007.

Graph 9 shows the number of companies that include risk sensitivity information in their risk paragraph. In 2007 one company disclosed information on their risk sensitivity and in 2009 and 2011 three companies disclosed this information. Two companies start disclosing risk

sensitivity information in 2009 and continue to do so in 2011. The 3rd company already

disclosed the information in 2007 and continued in 2009 and 2011. In 2011 10% of the companies disclosed information on risk sensitivity.

0 2 4 6 8 10 12 2007 2009 2011 T o ta l c o m pa nies inclu din g risk a pp et it e

Risk appetite

Risk sensitivity

Graph 10: Risk management system Graph 11: Framework used for risk management

The above graph, graph 10, shows the average scores of the disclosure on the risk management system. The risk management system is assessed using five measures, namely the design of the system, the effectiveness of the system, major failings of the system during the year, changes made in the system during the year and improvement planned on the system for the coming year. In total five points could be scored. The average score for 2007 is 2,13; the average score for 2009 is 2,32; and for 2011 the average score is 2,26. The differences are 8,9% from 2007 to 2009 and a decrease of 2,6% from 2009 to 2011.

The companies that disclose on the framework they use for their risk management and internal control systems are depicted above in graph 11. In 2007, 20 companies disclosed this information, in 2009 24 companies and in 2011 23 companies. The increase from 2007 to 2009 is 20%. There is a slight decrease observable from 2009 to 2011; -4,2%.

Graph 12:Ratio disclosure risk paragraph per percentage ratio

0 0,5 1 1,5 2 2,5 2007 2009 2011 Av er a g e sco re o n sy st em dis clo sure

Risk management system

18 19 20 21 22 23 24 25 2007 2009 2011 T o ta l c o m pa nies incld uin g fra m ew o rk us ed

Framework

Percentage of annual report dedicated to risk paragraph

Disclosure ratio

2007 2009 2011

Measured is the amount of pages the risk paragraph consists of relative to the total amount of pages of the annual report. The percentages are depicted above in graph 12. The three main ratios are 3%, 4% and 5%. As is clear from the graph, the year 2011 becomes more represented the higher the percentages get. An exception to this is the ratio of 6%; in 2007, 2009 and 2011 2 companies maintain a ratio of 6%.

Chapter 5: Discussion of the results

The research question to be answered is ‘Does the financial crisis have an influence on the quality of the risk paragraph in the annual report?’. An analysis with a disclosure index is performed. The results from this analysis are mixed. Some research items show results according to the expectation, others show results that are contrary to the expectation. In this chapter each research item will be further analyzed and discussed.

At first, the overall result of the positive trend is in line with the expectation, which indicates that the quality of the risk paragraph is getting better along the years. Though, the growth in terms of percentage is weaker when the years are passing. This is by definition not directly opposed the expectation, but it is remarkable. The positive trend can be caused by the revision

of the Code in 2008. Since the 1st of January 2009 the revised Code is in effect. In the revised

Code, the board is responsible for the description of the strategy of the company description and the risk profile. This may have resulted in more attention paid to the risk paragraph by companies and, consequently, this may have led to a more qualitative risk paragraph. Of the 31 companies, 26% has the same score in all years and 19% has a negative change going from 2009 to 2011. Although this is against expectation, there is a positive or no change in 81% of the companies. These results support the expectation of an improvement of quality.

There are many differences between companies and between years. The highest scores are obtained in 2011, which is an encouraging result. Although, some companies show a lower score in 2011 in comparison to 2009. This means that the quality at these companies has been better and therefore, could be better in 2011. It is clear from these results that the limit has not been reached and that improvement should take place, to increase the quality of the risk paragraph.

Put forward in the Spearhead letter for 2008 and 2009 from Eumedion, stakeholders would like to see a prioritization of the most important risks, for example a top 5. It is a remarkable result that there is no company giving a prioritization in 2007. Two companies ranked their most

important risks to their importance in 2009, which may be an effect of the two Spearhead letters from 2008 and 2009; however, it should be noticed that 2 companies out of 31 is a very marginal result.

A possible problem with the prioritization of the most important risks is the listing of the companies. Some companies are not only listed in the Netherlands, but also in the United States. The litigations risks are much higher in the United States than they are in the Netherlands. This leads to more risks being disclosed and companies being unwilling to give a prioritization of the most important risks, because of the threat of claims. This could be a plausible explanation why not all of the 31 companies will give a prioritization of the most important risks.

A possible explanation for the upward trend of the average amount of risks disclosed could be in line with the above mentioned reasoning. Companies want to reduce the risk of claims as much as possible and therefore, they disclose on many risks. Another reasoning could be that since the start of the crisis, companies are facing more risks and consequently, they have more risks to disclose. The research item of the total amount of risks disclosed follows in first instance from the fact that part of quality is quantity. An overload of risks can be counterproductive, this indicates that more quantity does not always lead to higher quality. Therefore, it is hard to give an explicit interpretation for this research item. It is clear that companies are disclosing more risks during the years, but it is difficult to determine whether this is a good development.

The four categories to disclose on are advised by the Code, Eumedion and COSO. The peak is at four categories, which could imply companies are disclosing according to the best practices of the Code and the recommendations given by Eumedion and COSO. Eumedion has added a fifth category to the well-known four, namely the environmental and social risks. This category is advised by Eumedion in their Spearhead letter for 2010. It is positive that companies disclosed information on this fifth category already in 2007. The use of all five categories is increasing during the years. This supports an improvement of the quality. The expectation is that the use of this fifth category will only increase in the coming years. It would be interesting to investigate to what extent companies pay attention to this fifth category. A proposal for future research on this subject is illustrated in section 6.3.

The Spearhead letter for 2008 from Eumedion points at the lack of quantification of the risks. One of the seven principles of the ICAEW is a focus on quantitative information. Further,