The enactment of GDPR marked a significant shift in data protection laws, aiming to enhance and standardize privacy rights and protections across the European Union. This paper examines the adjustments in risk communication practices within annual reports and assesses whether these changes align with best practices in the field.
Introduction
Communication forms the basis of human interaction and organisational success. For organisations, communication is not just the transmission of information. But a strategic tool that shapes perceptions, decisions, and relationships (Saronge Ngala Bonnyventure 2022). Stakeholder communication can be seen as a part of organisational communication and consists of the efforts an organisation undertakes to manage relations with stakeholders (Morsing, M., & Schultz, M. 2006). Part of this stakeholder communication is the communication of risks. For big stock-listed organisations, the risks that are relevant for its stakeholders are mainly communicated in the organisation’s annual reports (Abraham, S., & Shrives, P. J. 2014). The current research intends to shed light on the way organisations communicate risks in their annual reports when faced with a legislative ‘risk event’. A risk event can be seen as an event that causes a negative impact or increases the likelihood of a negative outcome (Aven, T., & Thekdi, S. 2022). In the current study, we focus on the implementation of the General Data Protection Regulation (GDPR). This can be seen as a risk event from the company’s perspective because noncompliance can lead to harsh fines.
The General Data Protection Regulation (GDPR), enforced by the European Union (EU) in May 2018, can be seen as an overhaul of data protection laws aimed at strengthening and standardising privacy rights and data protection for individuals within the EU. This regulation mandates organizations to implement strict data processing and security measures, impacting how personal data is collected, stored, and shared. The GDPR introduces significant changes in privacy regulation. These include the requirement for explicit consent from individuals for data processing, the right to be forgotten, and data breach notification requirements. GDPR imposes hefty fines for non-compliance that can reach up to 4% of annual global turnover or €20 million, whichever is greater (Marelli & Testa, 2018; Voss, 2018). Furthermore, the regulation’s extraterritorial scope means that it applies to any organization worldwide that processes the data of EU citizens (Garrison & Hamilton, 2019).
The current study investigates the change in risk communication concerning data breaches and privacy in annual reports, focusing on the period from one year before to one year after the implementation of the GDPR. This prompts the research question: “How has risk communication regarding data breaches and privacy in annual reports evolved from the year preceding to the year following the GDPR enactment, and how do these changes align with established best practices in risk communication?” To answer this, the study analyses 15 annual reports from three different companies, using both quantitative and qualitative methods.
For several reasons, understanding the effects of GDPR implementation and risk communication is relevant. Firstly, this study offers insights into the actions companies have taken leading up to and after the GDPR implementation. Annual reports serve as a key channel for communicating with shareholders, who play a significant role in shaping company policies. Thus, the way risks are communicated in these reports reflects the company’s concerns and planned actions. This can provide the basis for an impact assessment of the GDPR legislation. Secondly, the research helps to identify best practices when it comes to risk communication related to the new implementation of legislation. This is something that will likely become more relevant in the future. More legislation is being enacted that forces companies to report on non-financial risks. Recent examples of this are the implementation of the Corporate Sustainability Reporting Act (CSRA) and the Corporate Sustainability Due Diligence Directive (CSDDD) (European Commission 2024). Lastly, the study will provide the basis for a framework that can be used to evaluate non-financial risk communication in annual reports.
Research Question
Main research question:
“How has risk communication regarding data breaches and privacy in annual reports evolved from the year preceding to the year following the GDPR enactment, and how do these changes align with established best practices in risk communication?”
Sub questions:
- What are the established best practices of an effective risk message?
- Have there been observable shifts in the quantity of risk communication in data breach and privacy risk communication after the implementation of GDPR?
- Have there been observable shifts in the quality of data breach and privacy risk communication after the implementation of GDPR?
Theoretical Framework
Risk communication has changed a lot in the last decades. Society has become more interconnected, and risks have become more complex. This increases the need for good risk communication. The classic approach to risk communication can be seen as a part of technocratic policymaking, in which experts advise policymakers on the best policy. After making the policy, the policymakers inform stakeholders of the risks (Millstone, van Zwanenberg, Mariis, Levidow 2004). Nowadays, risk communication is seen as a two-way interaction where attention is given to the specific information needs of the stakeholders and different fora where organisations and stakeholders can interact (Gurabardhi, Z., Gutteling, J. M., & Kuttschreuter, M. 2005). The goal of this communication is to help stakeholders make risk-informed decisions (Aven, T., & Thekdi, S. 2022, Renn 2018). In the current study, only one aspect of risk communication is covered. This is the communication that is sent by the organisation to its stakeholders, in the form of an annual report. For this theoretical framework, we will therefore focus on sending an effective risk message. Drawing upon risk communication science, five criteria have been established for an effective risk message.
Clarity and Comprehensibility
Clarity in risk communication is critical for stakeholder understanding and engagement. Covello and Allen (1988) underscore the importance of creating messages that are easy to understand to ensure that stakeholders can engage with the information presented. Sending a comprehensible message requires understanding the stakeholder’s needs and capabilities in understanding the message. The language and figures used in the message should fit the stakeholders, addressing their concerns and perceptions (Breakwell, G. 2000, Woods, M. and Marginson, D. E. W. 2004)
Completeness and Consistency
Completeness and consistency are important for effective risk communication as they directly affect the stakeholder’s ability to trust the source and to use the information in decision-making. To achieve consistency, risk communication should be part of every stadium of risk governance (Renn, O 2008). And cover every communication outlet (Smillie, L., & Blissett, A. 2010). A complete risk message should have a quantification of the risks (Moeller, R. R. 2011, Rejón-López et al. 2023). This means that measurable data is provided and explained. Quantification helps stakeholders understand the magnitude of a risk. The risk quantification should be followed by a risk appraisal, where the organisation reflects on different aspects of the risk. These aspects include the technical aspect of the risk such as its probabilities and consequences, but also aspects such as stakeholder opinions and possible risk mitigating measures (Renn, O 2008).
Transparency
All the above-mentioned criteria influence the trustworthiness of the risk message. But extra attention should be given to transparency. Transparent communication involves being open about the nature of the risks, the uncertainties involved, and the methodologies used in risk assessment. (Combes-Thuelin, E., Henneron, S., & Touron, P. 2006,)
Methodology
To answer the main research question, the study conducted a literature review and analysed 15 annual reports from three different companies across three industries. These reports were evaluated using a mix of quantitative and qualitative research methods. The following table outlines how each research question is addressed.
| Research Question | Methodology |
| 1. What are the established best practices of an effective risk message? | Literature Review |
| 2. Have there been observable shifts in the quantity of risk communication in data breach and privacy risk communication after the implementation of GDPR? | Quantitative Analysis (Word Count) |
| 3. Have there been observable shifts in the quality of data breach and privacy risk communication after the implementation of GDPR? | Qualitative Analysis (Thematic Analysis) |
Tabel 1 Methodology Matrix
Sample
To provide a holistic overview of how different industries are affected by the GDPR legislation, three different companies from three different industries have been selected. These companies are Amazon, ING and Fresenius. Amazon is a dominant actor in e-commerce, streaming and web services. This means that Amazon handles large amounts of customer and organisational data. ING is a prominent international bank. The financial sector has strict regulations on risk reporting. Represented in directives such as the Markets in Financial Instruments Directive (MiFID II) and the Capital Requirement Directive (CRD IV) (European Securities and Markets Authority, n.d.). Fresenius is a global healthcare company and as such, it deals with sensitive personal and patient data.
The timeframe of the reports is from 2015 until 2019. This period allows us to observe the baseline in 2015, the years leading up to the implementation of the GDPR Act 2016-2017, the immediate response in 2018 and the year after the enactment in 2019.
Research design
To evaluate the risk communication in annual reports, a literature review was conducted to establish best practices of a risk message. This review answers the first research question. 1: What are the established best practices of an effective risk message? After completing the literature review, the annual reports were analysed. The selected reports have been analysed using a combination of quantitative and qualitative methodology. First of all, the reports were read to get a basic understanding of the data. Using this knowledge, the literature review and the GDPR legislation itself, a list of GDPR-related keywords was established. The frequency of usage of these terms will answer research question 2: Have there been observable shifts in the quantity of risk communication in data breach and privacy risk communication after the implementation of GDPR? After this quantitative analysis was completed, a thematic analysis was conducted using Nvivo. The codes for this analysis were established by drawing from the literature review as well as the identification of patterns in the reports themselves. From these codes, three themes are established. The thematic analysis provides an answer to research question 3. ‘’Have there been observable shifts in the quality of data breach and privacy risk communication after the implementation of GDPR?’’. The main research question is answered by combining the answers from the sub-questions in the conclusion chapter.
Results
This chapter presents the findings of the study, beginning with a discussion of the quantitative results. After this, the outcomes of the qualitative analysis are given, focusing on the codes and how these codes were organized into themes. Each organization’s annual reports are then examined more closely, integrating both insights from the literature as well as the data analysis. The insights gathered serve as the foundation for addressing the research questions, which will be answered in the Conclusion chapter.
Quantitative results
In Tabel 2: Total pages and frequency of GDPR-related terms in annual reports, the total number of pages and the frequency of usage of GDPR-related terms are presented. The tables show us that the total amount of pages fluctuates. For ING, the fluctuations are the largest in 2015 and 2017 compared to subsequent years. For Fresenius, we can notice an increase in the total amount of pages over the years. This is important to consider when interpreting the results from the subsequent figure. Figure 1: Yearly trends by Term for Each Organisation provides a visual representation of the numbers from Table 2: Total pages and frequency of GDPR-related terms in annual reports. For ING and Fresenius, an increase in the usage of GDPR-related terms in 2018, followed by a slight decrease for some terms in 2019 can be noticed. The number of GDPR-related terms for Amazon has stayed almost consistent over the years.
| Company Name | Total Pages | Privacy | GDPR | Cybersecurity | Data Protection |
| ING 2015 | 286 | 1 | 0 | 0 | 1 |
| ING 2016 | 459 | 13 | 0 | 1 | 3 |
| ING 2017 | 230 | 0 | 0 | 4 | 0 |
| ING 2018 | 440 | 25 | 19 | 6 | 44 |
| ING 2019 | 449 | 22 | 15 | 15 | 20 |
| Amazon 2015 | 90 | 4 | 0 | 0 | 2 |
| Amazon 2016 | 86 | 4 | 0 | 0 | 2 |
| Amazon 2017 | 89 | 4 | 0 | 0 | 2 |
| Amazon 2018 | 84 | 4 | 0 | 0 | 3 |
| Amazon 2019 | 87 | 0 | 0 | 0 | 0 |
| Fresenius 2015 | 163 | 0 | 0 | 0 | 0 |
| Fresenius 2016 | 209 | 2 | 0 | 0 | 1 |
| Fresenius 2017 | 247 | 6 | 3 | 1 | 57 |
| Fresenius 2018 | 281 | 24 | 7 | 11 | 73 |
| Fresenius 2019 | 277 | 7 | 6 | 12 | 70 |
Tabel 2: Total pages and frequency of GDPR-related terms in annual reports.
Figure 1: Yearly Trends by Term for Each Organisation
Qualitative results
The codes from the qualitative analysis are presented in Table 3: Coding Qualitative Analysis. The table provides an overview of the used codes, their description, the number of references and the amount of reports the code was found. The codes are clustered into three themes: 1) Compliance, 2) Consequences and 3) Mitigation. The theme of Compliance entails all the codes of regulatory adherence. This was a prominent theme across all the organisations. Consequences capture descriptions of effects related to non-compliance to regulation as well as negative outcomes of data loss related to (malicious) events. Mitigation captures all the efforts that are taken to comply with regulations as well as other measures taken to safeguard privacy and prevent data loss.
| Code | Description | References | Files | Theme |
| Consequences of GDPR-related risk | Risks that occur as a consequence of the GDPR legislation. | 2 | 1 | Consequences |
| Data Breach / Protection Risks | Descriptions of risks related to data breaches/failure to protect data. | 44 | 15 | Consequences |
| Risk management methods | Descriptions of (general) risk management methodologies. | 21 | 8 | Mitigation |
| GDPR related investments | Descriptions of investments by the organisations as a consequence of the GDPR enactment | 20 | 9 | Mitigation |
| GDPR Compliance | Descriptions of compliance with the GDPR legislation | 34 | 11 | Compliance |
| Government regulation risk | Risks that occur as a consequence of governmental legislation | 36 | 13 | Compliance |
| Privacy issues | Mentions of issues/problems related to privacy | 5 | 4 | Consequences |
| Mitigating Measure GDPR | Description of risk mitigation measures related to GDPR | 54 | 13 | Mitigation |
| Trust | Descriptions of stakeholder trust related to GDPR. | 9 | 5 | Consequences |
Tabel 3 Coding Qualitative Analysis
Having established a foundational understanding of GDPR-related risk communication from 2015 to 2019 across annual reports, we now delve deeper into the specific risk communications from each company. Initially, the annual reports are examined through the established themes from the qualitative analysis. Subsequently, these reports are evaluated against the five established criteria for effective risk communication derived from the theoretical framework.
Amazon
Compared to ING and Fresenius, Amazon’s annual reports are notably shorter, averaging 87 pages compared to 373 for ING and 235 for Fresenius. The information on risks presented in Amazon’s reports is minimal, typically limited to mere mentions of the potential risks the company faces. Amazon discusses privacy and data protection risks without quantifying or providing a risk appraisal. Non-compliance is considered the main driver of these risks. The following excerpt from the 2015 reports is exemplary of this. “Government Regulation Is Evolving and Unfavorable Changes Could Harm Our Business… It is not clear how existing laws governing issues such as property ownership, libel, and personal privacy apply to the Internet, e-commerce, digital content, and web services” (Amazon, 2015, p. 12).
Minimal information is given on the actions taken to mitigate these risks. As can be seen from the following excerpt: “…we have developed systems and processes that are designed to protect customer information and prevent data loss and other security breaches, including systems and processes designed to reduce the impact of a security breach at a third-party vendor or customer” (Amazon, 2018, p. 10-11). Amazon mentions that despite these measures absolute security can not be guaranteed. Although we have developed systems and processes that are designed to protect customer information and prevent data loss and other security breaches, including systems and processes designed to reduce the impact of a security breach at a third party vendor, such measures cannot provide absolute security (Amazon, 2015, p. 10).
Overall, the risk communication presented in Amazon’s reports is limited. It acknowledges relevant risks but fails to provide quantitative assessments or detailed evaluations. The mitigation strategies mentioned are described only in general terms, followed by a disclaimer that these measures cannot guarantee absolute security. Consequently, the discussions around privacy and data protection resemble more of a legal disclaimer than thorough risk communication. While the information is Clear, Comprehensible, Consistent, and Transparent, it lacks Completeness to make informed decisions. Over the years examined, there has been little change in how Amazon communicates these risks, indicating a minimal impact of the GDPR legislation on their risk communication strategies.
ING
ING’s approach to risk communication, as showcased in their annual reports, is comprehensive compared to that of Amazon and Fresenius. ING’s documentation robustly covers both financial and non-financial risks. ING’s reports highlight an elaborate risk governance model that includes methodologies like Stress Testing, Value at Risk, and Event Risk. ING recognizes that the implications of data protection and privacy extend beyond mere compliance, providing stakeholders with a better understanding of data breache- and privacy consequences. “These events can potentially result in financial loss and harm to our reputation, hinder our operational effectiveness, result in regulatory censure, compensation costs or fines resulting from regulatory investigations and could have a material adverse effect on our business, reputation, revenues, results, financial condition and prospects. Even when we are successful in defending against cyberattacks, such defence may consume significant resources or impose significant additional costs on ING” (ING, 2019, p. 421).
Already by 2015, ING was communicating about preventive measures such as educational programs aimed at bolstering data protection, compliance, and risk management knowledge among employees: “Global education and awareness training in the form of e-learning modules was provided on topics such as Financial Economic Crime (FEC), Anti-Bribery and Anti-Corruption, Anti-Competitive Conduct (Competition Law) and Fraud and Security… Classroom trainings and workshops were held on Scenario Analysis in both the Netherlands and Belgium as well as webinars at basic and advanced levels” (ING, 2015 p. 213).
The transparency and clarity of ING’s risk communications are evident, as detailed operational aspects of their risk management frameworks are openly discussed. “ING’s most important risks and control measures are regularly reported to and discussed by the Risk Committee of the Supervisory Board… The design and operation of the Risk Appetite Framework and the Non-Financial Risk Framework are discussed annually with the Risk Committee and the full Supervisory Board” (ING, 2016, p. 66). Furthermore, ING addresses the challenges involved in mitigating risks related to data protection, highlighting their transparency. “I realise that achieving this systemic approach will not be easy, since it involves cooperation between national authorities and regulators and changes to privacy laws and how information is shared between banks and tax and legal authorities” (ING, 2019, p. 93).
While ING’s risk communications are comprehensive in terms of clarity, consistency, and transparency, they could benefit from more detailed quantifications of risk. This would enable stakeholders to better gauge the relative severity of different risks.
Fresenius
Compared to ING and Amazon, Fresenius takes the middle ground when it comes to data protection risk communication. A strong increase in reporting related to data protection can be noticed over the years. As well as for the other companies, compliance plays a major role for Fresenius. However other negative outcomes are acknowledged as well, such as customer trust. Mitigating measures and challenges related to implementing these measures are also described in the report. An example of this can be found in a section from their 2017 report on patient data.
The Fresenius Group operates many facilities and handles the personal data (PD) … In such a decentralized system, it is often difficult to maintain the desired level of oversight and control over the thousands of individuals employed by many affiliated companies and its business associates. On occasion, the Fresenius Group or its business associates may experience a breach under the Health Insurance Portability and Accountability Act Privacy Rule and Security Rules, the EU’s General Data Protection Regulation and / or other similar laws (Data Protection Laws) … On those occasions, the Fresenius Group must comply with applicable breach notification requirements. The Fresenius Group relies upon its management … to direct, manage and monitor the activities of its employees. On occasion, the Fresenius Group may identify instances where employees or other agents deliberately, recklessly or inadvertently contravene the Fresenius Group’s policies or violate applicable law. The actions of such persons may subject the Fresenius Group and its subsidiaries to liability under the Anti-Kickback Statute, …’’
Fresenius is the only company in the study that has quantified its risks by implementing a risk matrix. Although only general risks are mentioned, this matrix provides the reader with some information on the ranking of the risks.
Figure 2 Risks affecting the one year period (Fresenius 2019 P. 67).
Conclusion
Now that we have presented the results we come back to the research questions. By answering the subquestions we can conclude the main research question.
- What are the established best practices of an effective risk message?
Drawing from existing risk communication literature, we conclude that Clarity, Comprehensibility, Completeness, Consistency and Transparency are the most important factors for an effective risk message. The quality of each of these factors is largely dependent on both the goal of the risk communication as well as its audience.
- Have there been observable shifts in the quantity of risk communication in data breach and privacy risk communication after the implementation of GDPR?
The study observed a quantifiable increase in mentions of data protection and GDPR-related terms across annual reports leading up to and after the GDPR enactment. This shift indicates a heightened focus on these aspects, likely driven by the regulatory requirements and the high penalties for non-compliance introduced by GDPR.
- Have there been observable shifts in the quality of data breach and privacy risk communication after the implementation of GDPR?
Leading up to the GDPR enactment, companies have elaborated on the data breach and privacy risks. Providing more information on consequences and mitigating measures. The risk communication itself however has changed little. Companies do not provide satisfactory risk quantifications, making it difficult for stakeholders to assess the impact of the described risks.
“How has risk communication regarding data breaches and privacy in annual reports evolved from the year preceding to the year following the GDPR enactment, and how do these changes align with established best practices in risk communication?”
The GDPR legislation does not force companies to report data protection risks. Despite this, the GDPR enactment has increased the quantity and quality of the risk reporting on privacy and data protection in two of the three studied companies. While the studied companies are aligning with best practices in Clarity and Transparency, there remains room for improvement in the area of Completeness. The reports tend to describe risks and compliance efforts without adequately quantifying the potential impacts or evaluating the effectiveness of the mitigation measures in place. This lack of detailed risk assessment may hinder stakeholders’ ability to make fully informed decisions.
These findings underscore the evolving nature of risk communication in response to significant regulatory changes like the GDPR. As companies continue to adapt, ongoing research will be essential to further understand the effectiveness of these communications and their alignment with best practices in risk reporting.
Limitations and recommendations for further research
This section outlines the limitations of the study and provides recommendations for future research. The first limitation of this study is the small sample size, focusing on just three organisations: Amazon, ING, and Fresenius. This constraint limits the ability to generalize the findings across the entire industry. Future studies should aim to include a broader range of companies, ideally with multiple organisations from each sector, to yield more generalizable results. Another limitation pertains to the scope of the data sources used. The study analysed only 15 annual reports due to time constraints. While annual reports are a significant component of publicly listed companies’ risk communication, they do not encompass all risk-related disclosures. Companies often release other risk-related information through risk reports, press releases, and stakeholder dialogue. Future research should consider these additional sources to provide a more comprehensive view of a company’s risk communication practices. This also means that this study’s approach only captures one direction of risk communication—from the organisation to its stakeholders. However, risk communication is fundamentally two-directional. A more complete understanding of risk communication should also consider inputs from stakeholders back to the organisation.
Regarding methodology, although the chosen approach offers a detailed overview of the data, it may not be the most suitable for addressing the research question effectively. Future research should develop a more grounded risk message evaluation model to operationalise the quality of risk messages. Subsequent studies should then apply this model to assess the effectiveness of risk communication in annual reports more accurately.
References
Abraham, S., & Shrives, P. J. (2014). Improving the relevance of risk factor disclosure in corporate annual reports. The British Accounting Review, 46(1), 91-107. https://doi.org/10.1016/j.bar.2013.10.002
Aven, T., & Thekdi, S. (2022). Risk Science: An Introduction. Routledge.
Amazon.com, Inc. (n.d.). Annual reports, proxies, and shareholder letters. Retrieved March 13, 2024, from https://ir.aboutamazon.com/annual-reports-proxies-and-shareholder-letters/default.aspx
Bonnyventure, S. N., Bwonya, J. E., Owuori, P. J., Mudany, J. O., & Ogutu, M. (2022). The Nexus Between Strategic Decision-Making, Strategic Communication and Organizational Performance: A Critical Literature Review. Journal of Strategic Management, 6(3), 37–49. https://doi.org/10.53819/81018102t2071
Glynis M Breakwell, Risk communication: fators affecting impact, British Medical Bulletin, Volume 56, Issue 1, 2000, Pages 110–120, https://doi.org/10.1258/0007142001902824
Combes‐Thuélin, E., Henneron, S. and Touron, P. (2006), “Risk regulations and financial disclosure: An investigation based on corporate communication in French traded companies”, Corporate Communications: An International Journal, Vol. 11 No. 3, pp. 303-326. https://doi.org/10.1108/13563280610680876
Covello, V. T., & Allen, F. W. (1988). Seven cardinal rules of risk communication. U.S. Environmental Protection Agency. Retrieved from https://nepis.epa.gov/Exe/ZyPURL.cgi?Dockey=9101O1DI.TXT
European Commission. (2023). Corporate sustainability reporting. Directorate-General for Financial Stability, Financial Services and Capital Markets Union. Retrieved on March 20, 2023, from https://finance.ec.europa.eu/capital-markets-union-and-financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en
European Securities and Markets Authority. (n.d.). Article 1: Scope. Retrieved April 1, 2024, from https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mifid-ii/article-1-scope
Fresenius Medical Care. (n.d.). Annual reports. Retrieved March 14, 2024, from https://www.freseniusmedicalcare.com/en/media/multimedia/publications/annual-reports
Garrison, Chlotia, and Clovia Hamilton. “A Comparative Analysis of the EU GDPR to the US’s Breach Notifications.” Information & Communications Technology Law 28, no. 1 (2019): 99–114. doi:10.1080/13600834.2019.1571473.
Gurabardhi, Z., Gutteling, J. M., & Kuttschreuter, M. (2005). An empirical analysis of communication flow, strategy, and stakeholders’ participation in the risk communication literature 1988–2000. Journal of Risk Research, 8(6), 499–511. https://doi.org/10.1080/13669870500064192
ING. (n.d.). Annual reports. Retrieved March 13, 2024, from https://www.ing.com/Investors/Financial-performance/Annual-reports.htm
Marelli, L., & Testa, G. (2018). Scrutinizing the EU General Data Protection Regulation: How will new decentralized governance impact research? Science, 360(6388), 496-498. https://doi.org/10.1126/science.aar5419
Millstone, E., Van Zwanenberg, P., Marris, C., Levidow, L., & Torgersen, H. (2004). Science in trade disputes related to potential risks: Comparative case studies. IPTS Technical Report Series EUR 21301 EN. European Commission Joint Research Centre / IPTS Institute for Prospective Technological Studies. Retrieved from https://www.researchgate.net/publication/37738649_Science_in_trade_disputes_related_to_potential_risks_comparative_case_studies
Moeller, Robert. (2011). COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes. 10.1002/9781118269145.
Morsing, M. and Schultz, M. (2006), Corporate social responsibility communication: stakeholder information, response and involvement strategies. Business Ethics: A European Review, 15: 323-338. https://doi.org/10.1111/j.1467-8608.2006.00460.x
Rejón López, M., Rodríguez Ariza, L., Valentinetti, D., & Flores Muñoz, F. (2023). Risk Disclosures and Non-Financial Reporting: Evidence in a New European Context. Scientific Annals of Economics and Business, 70(4), 547–565. https://doi.org/10.47743/saeb-2023-0039
Renn, O. (Ed.). (2008). Global risk governance: Volume 1. Springer. ISBN 978-1-4020-6798-3.
Smillie, L., & Blissett, A. (2010). A model for developing risk communication strategy. Journal of Risk Research, 13, 115 – 134. https://doi.org/10.1080/13669870903503655
Woods, M. and Marginson, D. E. W. (2004) ‘Accounting for derivatives: An evaluation of reporting practice by UK banks ’, European Accounting Review, 13(2), pp. 373–390. doi: 10.1080/0963818032000138215.
Voss, W. G. (2018). Internal compliance mechanisms for firms in the EU General Data Protection Regulation. Revue juridique Thémis de l’Université de Montréal, 50(3), 783-820. Retrieved May 1, 2024, from https://ssrn.com/abstract=3104800
Leave a Reply