(In)Consistency Between Private and Public Disclosure on Enterprise Risk Management and Its Determinants

Abstract

Worldwide governance organizations and regulators have recently called for more enhanced disclosures about how organizations manage risks. Enterprise Risk Management (ERM) is recognized as a value-contributing best practice even when legal standards do not require it (Whitman in Risk Manag Insur Rev 18(2):161–197, 2015), but public disclosure on such a process is not generally mandatory. In Italy emphasis on risk disclosure started in 2008 but it was the 2011 revision of the Corporate Governance (CG) code for listed companies to ask for the board commitment in disclosing, within the CG report, about the main internal control and risk management system’s characteristics (Borsa Italiana in Codice di Autodisciplina, 2011). Given the proprietary nature of risk information in addition to the Italian capital market characteristics (small capitalization and presence of a dominant shareholder) and the lack of any mandate for what specific aspects board should disclose, the study aims at investigating a potential variation between private and public disclosure on ERM. Relying on the ERM concepts provided by the COSO framework (2004) the author submitted a survey seeking information about ERM practices within Italian listed companies. Such a private information is compared to public CG reports released by the same companies. The comparison shows companies tend to privately reveal a more effective ERM process than the one they publicly disclose. An examination of CG and firm’s risk variables potentially determining higher variation—i.e. information inconsistency—supports proprietary costs theory rather than agency theory expectations. Thus showing the limits of voluntary disclosure dealing with risk management systems. The study might have international policy implications.