Reference Forms display weaknesses in company risk management
Risk management has always been an obscure – if not to say nonexistent – topic at many Brazilian public companies. A study by the KPMG consultancy last year already revealed this. The study examined one hundred Novo Mercado companies, 57 Nível 1 and Nível 2, and 45 from the BM&FBovespa's traditional listing tier, and found that only 17% of companies listed on the exchange's most demanding tier disclosed substantial information on risk management practices. When it came to Nível 1 and 2 companies, the percentage was 43.9%; for traditional tier companies, 13.3%. An analysis of the new Reference Forms filed to date will only reinforce the perception that there's still much to be improved regarding this subject.
The document, whose publication became mandatory when the Brazilian Securities and Exchange Commission (CVM) issued its Instruction 480, introduces a series of new disclosure requirements on risk factors and risk management. Companies did not do a very good job providing the necessary explanations in Reference Form items 5.2f and 5.2g, which respectively request a detailed account of risk management control structures and a confirmation that such structures are suitable for verifying the effectiveness of the chosen risk management policy.
Inpar's response, for instance, was very brief. The two items took up no more than two lines: "The Company monitors its risks through a multi-disciplinary organizational structure in which the executive officers assess whether the company's actions are being conducted in line with the adopted policies". When approached by CAPITAL ABERTO, the company's press relations department said that Inpar was one of the first companies to turn in its reference form, in December 2009, due to an ongoing stock offering. "If specific information needs to be presented differently in the next Reference Form, which is scheduled to be submitted by June 30, InPar will comply in accordance with the consolidated guidelines released by the CVM", reads the company note.
Another real estate company, PDG Realty, also provides only general explanations in its form: "The Financial department, jointly with Internal Affairs and Legal, analyzes risks periodically in order to inform the directors and officers, who evaluate whether the company's actions are compliant with the adopted policies", the document reads. "Such as it is currently written, one may doubt whether the company has any risk management structure in place at all", said a specialist who asked to remain anonymous.
Though they might seem inconsequential, items 5.2f and 5.2g require special care, in the opinion of specialized consultants. "Showing how the company is organized to identify and mitigate risks is just as important as mentioning the risk factors", says Sidney Ito, a partner in the corporate governance area of KPMG. The manner in which a company expresses itself in the new document required by the CVM reveals a lot. "Vague explanations can indicate two things: either the company does not have a risk management structure in place, or it does and doesn't want to disclose it, which is also bad because it keeps important information from investors", asserts Luiz Carlos Passetti, a partner in the audit department of Ernst & Young.
Waldemir Bulla, a partner at the Protiviti risk management and internal audit consultancy, believes that most Brazilian public companies apply some method of dealing with risks, with a higher or lower degree of sophistication. But only a few put up structures that knit together all the relevant information. "It's done in a localized way, with each department acting in isolation. These companies usually have little documentation on processes and therefore find it hard to gather and organize the pertinent data", he says.
Some companies managed to convey a somewhat clearer idea of how their risks are being managed. The AES Eletropaulo power company, for instance, stated in items 5.2f and 5.2g that it applies the guidelines released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an American nonprofit that targets best practices in internal controls, risk management and corporate ethics and is seen as the global benchmark for these issues. The company also classifies its corporate risks into four categories (strategic, financial, operational and regulatory) and analyzes them according to priority, considering time horizon (short, medium or long term) and the relative and financial importance of each risk exposure. Gafisa stated that enforcing internal control is a responsibility of all employees, guided by pre-established procedures for control-related activities and routines. Those procedures, in turn, must be in line with the company's various policies, ranging from procurement to construction and information technology.
Ito from KPMG believes that for companies to respond adequately to this question, they will have to structure their risk management systems. "Many have approached me, interested in doing just that", he says. Without adequate procedures, evasive answers will most likely continue to appear. "Companies are not likely to expose a weakness by openly saying that they don't have a risk management structure in place", he says. Talking about a system that doesn't really exist is also risky business, however.
CTRL C, CTRL V — Yet another problem detected in company risk explanations is the uniformity of some of the answers. One item where a lot of "copying and pasting" was seen was number 4.2, where companies were supposed to state their expectations regarding reductions or increases in risk exposure compared to the previous fiscal year. PDG Realty, Inpar, JBS, Hypermarcas and Gafisa provided practically identical answers. With a minor change here or there, the following can be read in the reference forms of all five companies: "The company constantly analyzes the risks to which it is exposed and which may adversely affect its operations, its financial condition, or the results of its operations. The company is constantly monitoring for macroeconomic and industry-specific scenario changes that could influence its activities, by tracking the most relevant performance indicators".
Ivan Clark, a capital market partner at PricewaterhouseCoopers for Brazil and South America, foresees that many other companies will resort to "copying and pasting" by June 30th, the deadline for Reference Form filing with the CVM. "It's a Herculean task", Clark says regarding the document, which can easily surpass the 250-page mark. He reveals that when he was reviewing the paperwork for a client, more than 30 versions of the document had to be prepared. "Due to all that work, many companies, especially those that don't intend to raise funds in the market in the medium term, will prefer to copy and paste certain items instead of burning the midnight oil over them", he believes.
Another characteristic of risk factor disclosure has been an excess of zeal on the part of some companies. Companies with a defined controller, such as Hypermarcas and JBS, declare that the interests of their controllers might conflict with those of the minority shareholders. "Every company with a controller is subject to that, there's no need to mention it", Ito remarks. The fear of punishment for lack of information has led some companies to put absolutely everything on the table. According to the KPMG partner, these excesses will tend to disappear over time.