French regulator slams companies' efforts to detail risks

Most French listed companies included a chapter on risk factors in their shareholder reference documents in 2006, but these were often inadequate for understanding the risks faced by companies and the measures taken to confront them, according to France's stock market watchdog.

Noting that many companies had continued to offer only summary descriptions of risk factors in their reference documents, the Paris-based Autorite des Marches Financiers said it "insists in particular on the fact that simply adding a chapter (on risk) is not enough. The chapter must precisely target risks or categories of risks taken into account by internal control procedures," it said.

The agency's assessment appears in its third annual report on listed companies' corporate governance and internal control, which examined 109 companies' reference documents for 2006.

The AMF also recently released an application guide to supplement its reference framework for the internal control system.

Since 2001, the AMF has required listed companies to include a chapter on risk factors in reference documents to improve comparability of information available to shareholders. In 2003 and 2004, it issued recommendations specifying risks that chapters should address, including financial and legal risks, industrial risks linked to the environment, and insurance and coverage of risks. It updated recommendations last year to take into account the European directive on shareholder prospectuses.

In its 32-page report, the AMF found that two-thirds of (surveyed) companies identified major risks they faced--about the same as in 2005--and that about half had used some form of risk mapping.

However, it added that, "although descriptions cover a very wide range of diverse risks, from operational risks to financial risks, the level of detail was disparate."

Limited action

The AMF said most companies that had employed risk mapping had "at best" simply indicated how roles were assigned within the company. It noted that fewer companies reported "the methods used to map risks, the number of macroeconomic risks considered and the parameters for ranking them, such as nature, frequency, criticality, hierarchical and or geographical level affected."

"AMF renews its recommendation that companies make a link between risks, particularly those described in the reference document, and the procedures put in place. This link should allow a better comprehension of the way that the enterprise apprehends the risks, formalizes and ranks them, and then manages them," said the AMF.

The AMF's new guide was developed with help from external and internal auditors and security issuers, said Louis Vaurs, chief executive officer at the Institut Français de l'Audit et du Contrôle Internes, who served as secretary for the project.

"The reference framework is focused on internal control, not on risks. You could say it corresponds more to COSO 1 than to COSO 2, which specifically addressed enterprise risks," said Mr. Vaurs, referring to internal control frameworks written by the Committee of Sponsoring Organizations of the Treadway Commission, a private sector initiative sponsored by five major American associations and institutes for accountants, executives and auditors.

Nevertheless, Mr. Vaurs continued: "One of the components of the (IFACI) framework addresses risks, because companies are asked to have a system for inventorying and analyzing the main identifiable risks with regard to their objectives, and to insure they have risk management procedures. It also includes a questionnaire on analysis and management of risks, aimed at making administrators more conscious of their enterprise's risks," he said.