Rhetorical Organisation of Risk Management Reports by Malaysian Banks †

: Risk management reports (henceforth, RMRs) are paramount to an organisation’s business processes and are used to inform stakeholders on the current risks experienced by a company. Some reports by companies, such as banks, are receiving more attention due to their importance to the public and current economy. While a plethora of studies have been conducted on RMRs in other disciplines, such as business, accountancy and ﬁnance, the same scenario is not apparent in language studies. Therefore, the present study intends to linguistically analyse the RMRs published by Malaysian commercial banks by examining their rhetorical organisation. In doing so, 40 RMRs published between 2016 and 2020 were analysed for their rhetorical moves and steps. The ﬁndings recognised ﬁve rhetorical moves in the RMRs, of which one was optional, one was conventional, while the rest were obligatory. The present study could assist readers of RMRs to better understand the structure of the reports.


Introduction
A risk management report (henceforth, RMR) is a section in corporate annual reports that is used as risk disclosure by companies. It was first included by choice, where companies voluntarily included the section only if there was a need to do so. However, beginning in 2005, the section has been made mandatory by mature capital markets. According to the authors of [1], the United States became the first country to enforce this. The practise was followed by China in 2007. The RMR is regarded as an important section because it informs stakeholders on the current circumstances of a company's risk [2], and it has been the topic of interest of researchers in the fields of finance and accountancy for years [3].
In Malaysia, the way that the RMR has been referred to has gone through several changes. It was first known as Risk Management. However, a few years later, some banks changed it to Managing Risks or the Risk Management Approach. Since 2014, Bursa Malaysia has set guidelines for all publicly listed companies, including banks, to label the section as the Statement on Risk Management and Internal Control. Apart from that, the RMRs by the listed companies in Malaysia are also guided by the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers [4]. Some of the guidelines that all publicly listed companies must adhere to include: 1.
The main features of the company's risk management and internal control system; 2.
The ongoing process for identifying, evaluating and managing the significant risks faced by the company in its achievement of objectives and strategies; 3.
The process has been in place for the year under review and updated for inclusion in the annual report;

4.
The process (or where applicable, through its committees) has been applied in reviewing the risk management and internal control system, confirming that necessary actions have been or are being taken to remedy any significant failings or weaknesses identified from that review; 5.
That a review on the adequacy and effectiveness of the risk management and internal control system has been undertaken; 6.
Commentary on the adequacy and effectiveness of the risk management and internal control system; 7.
The process has been applied to deal with the material internal control aspects of any significant problems disclosed in the annual report and financial statements; 8.
Where material joint ventures and associates have not been dealt with as part of the group for the purposes of applying these guidelines, this should be disclosed.
Even though a lot of studies have been conducted so far on RMRs, studies from linguistic perspectives are minimal. It would be interesting to find out how a genre-based methodology can be used to analyse the organisational structure and communicative functions of RMRs. Therefore, the present study is guided by two research questions:

1.
How are the RMRs of Malaysian commercial banks rhetorically organised in terms of the move-step structure? 2.
To what extent are the moves obligatory, conventional or optional in nature?

Risk Management Reports (RMRs)
RMRs are reports about the risks encountered by companies. Because different companies have to deal with different types of risks, they tend to communicate about the risks in different ways. The authors of [5] argued that risk reporting is normally communicated differently using either the internal, external or intermediate level between the two. Internal risk reporting takes place between management and employees, and the information on the risk identification, measurement, performance development and monitoring circulates within the company only to ensure that the company's objective is achieved [5]. The intermediate level refers to a situation in which the communication involves the company's board of directors and is between an internal information channel and the external public disclosure panel, where the board of directors plays a role as a management control measure, and is able to successfully manage risk-related issues in the company [5]. Lastly, external reporting takes place when the communication of the risk information involves the public. It becomes one of the main requirements because the companies are using external financing and should comply with the regulatory agencies, creditors and investors [5]. The focus of the present study is on the external level of risk reporting, which can be found in the annual reports.
In the banking sector, risk reporting is regarded as a "fundamental tenet of a sound banking system" [6]. It reflects the practise of the risk management of banks. Moreover, banks are exposed to different types of risks that may affect their performances. Therefore, it is important for the banks to inform their stakeholders regarding their current risk management status. Furthermore, the information is also important to existing and potential investors prior to making financial decisions. This has become the main factor for banks to practise honesty in disclosing risks. Failure to do so will result in the loss of trust and confidence in the CARs of the companies [5,7].
Hitherto, RMRs have become the interest of researchers in the fields of accountancy and business. Therefore, it is not surprising to see that most of the studies conducted on RMRs are from these disciplines. In recent years, however, some scholars have conducted language studies on RMRs, even though they are not based on linguistic theory. The studies were more concerned with the impact of language on RMRs. The authors of [8], for instance, looked at cybersecurity risk reporting by 112 companies in the United States. The reports were published between 2011 and 2018. The findings show that the length of the reports increased as a result of regulatory enforcement. Using multiple regression analysis, they discovered that the latter reports were more difficult to read. The author of [9] revealed that less specific or boilerplate language in risk reporting is not helpful in making investment decisions. Boilerplate language often relates to using repeated information in disclosures. Some scholars refer to this as disclosure inertia [10]. Both studies highlighted the function of the language used in RMRs, rather than studying the language used itself. Only recently, the authors of [11] investigated the rhetorical moves in RMRs by an Islamic bank in Malaysia. The study, however, lacks diversity, and it is still at the preliminary stage because it only involved five RMRs produced by the same bank. Thus, the results are different from the moves in the present study. Nevertheless, the study has opened opportunities for more studies on similar genres.

Rhetorical Organisation
Rhetorical structure is a term that has often been used to refer to the structure of a genre text. Some scholars have been referring to it as structure [12,13], organisation [14], schematic structure [15], cognitive move-structure [16] and rhetorical organisation [17]. Studying the rhetorical structure of a text is common in genre analysis. It describes the structure that constitutes a text, which is often addressed as moves. The author of [18] defines moves as "discoursal or rhetorical units that perform coherent communicative functions in a written or spoken discourse" (p. 228). By identifying moves, readers will be aware of the rhetorical goals of the writers or genre producers. Furthermore, moves are often identified with steps, which are the building blocks of moves. Steps often work in combination to achieve the overall purpose of the moves. While some moves may comprise a few steps, there are also moves that do not require any steps to achieve the communicative functions.
Therefore, to understand the rhetorical structure of a text entails the identification of the moves and steps through a close analysis of the text. The authors of [19] argue that genre knowledge is "best conceptualized as a form of situated cognition embedded in disciplinary activities.. . . " (p. 3). This shows the importance of knowing how a text is structured. They further illustrated how possessing a genre and knowing its rhetorical structure is beneficial for academic and professional writers.
During its initial years, move analysis was often conducted on the academic genre. The author of [10] explored the moves of the introduction sections of research articles. His analysis discovered four moves that constituted research articles: establishing the field, summarising previous research, preparing for present research and introducing present research. This later became a steppingstone for other scholars to explore the rhetorical structures of more academic texts, such as these [20][21][22], and research articles [23][24][25]. There are also a number of studies that have been conducted on the spoken academic genre, such as oral presentations [26,27] and academic lectures [28,29].
With the advancement of knowledge, move analysis has now been widely used as a tool to analyse the rhetorical structures of professional genres. However, the number of studies is comparatively lower than the studies on academic genres. One of the professional genres that has caught the attention of genre analysts is annual reports. Many studies have investigated the moves and steps of different sections of annual reports [30,31]. Some of them include chairmen's statements [17], managerial forewords [32,33] and management discussion and analysis [34]. However, studies on RMRs from a genre standpoint are still limited and will therefore be discussed in the present study.

Method
The present study adopted a qualitative research design. It used the Move Analysis by the author of [12,13] as the theoretical framework. The following subsections further describe the methodology used in analysing the data.

Corpus
A corpus that comprised 40 RMRs by eight commercial banks in Malaysia was built for the present study. The corpus was named the Corpus of Risk Disclosure by Malaysian Banks (CORDMAB), and it consisted of 155,162 word tokens. All RMRs were published in the banks' annual reports from 2016 to 2020. They were obtained from the Bursa Malaysia website. Only the last five years of RMRs were selected for each bank because they are more relevant to the current practise of the banks' risk reporting. For confidentiality purposes, the names of the banks were changed to alphabet letters from A to H, followed by the last two digits representing the years the RMRs were published. For example, A16 refers to RMRs by Bank A published in 2016.

Data Analysis
The analysis of the corpus was conducted using Atlas.ti 22, a qualitative analysis software. Prior to the analysis, all RMRs were extracted from annual reports and uploaded onto the programme. Then, codes were created based on the moves and steps identified. The RMRs were later tagged with the codes to ease the process of the frequency count. An example of the tagging process is shown in Figure 1.

Corpus
A corpus that comprised 40 RMRs by eight commercial banks in Malaysia was built for the present study. The corpus was named the Corpus of Risk Disclosure by Malaysian Banks (CORDMAB), and it consisted of 155,162 word tokens. All RMRs were published in the banks' annual reports from 2016 to 2020. They were obtained from the Bursa Malaysia website. Only the last five years of RMRs were selected for each bank because they are more relevant to the current practise of the banks' risk reporting. For confidentiality purposes, the names of the banks were changed to alphabet letters from A to H, followed by the last two digits representing the years the RMRs were published. For example, A16 refers to RMRs by Bank A published in 2016.

Data Analysis
The analysis of the corpus was conducted using Atlas.ti 22, a qualitative analysis software. Prior to the analysis, all RMRs were extracted from annual reports and uploaded onto the programme. Then, codes were created based on the moves and steps identified. The RMRs were later tagged with the codes to ease the process of the frequency count. An example of the tagging process is shown in Figure 1. To the best of the researchers' knowledge, there have been few studies on RMRs from a genre standpoint. Therefore, this provides more opportunities for research from this perspective. What is the generic structure of RMRs? Is it possible to come up with a reliable move scheme that can be a reference for those whose work contributes to RMRs? These are some instances of questions that genre-based research may be able to answer.
In genre-based studies, it is important to ensure the reliability of the moves and steps found by researchers. Thus, to answer Research Question 1, two intercoders were asked to check the demarcation of the moves and steps. The first intercoder holds a master's degree in ESL and has prior experience in coding moves for genre studies. The second intercoder is currently working on his master's research in the field of genre analysis. The researchers first identified the move scheme, which was later used to train the intercoders. The Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers [4] was also used as a reference in determining the moves and steps. Later, a series of trainings and discussions were held with the intercoders. Prior to finalising the move scheme, the agreement percentage of the demarcation of the moves and steps was sought between the researchers and intercoders. The percentage recorded was more than 80%, and the scheme was later finalised. To the best of the researchers' knowledge, there have been few studies on RMRs from a genre standpoint. Therefore, this provides more opportunities for research from this perspective. What is the generic structure of RMRs? Is it possible to come up with a reliable move scheme that can be a reference for those whose work contributes to RMRs? These are some instances of questions that genre-based research may be able to answer.
In genre-based studies, it is important to ensure the reliability of the moves and steps found by researchers. Thus, to answer Research Question 1, two intercoders were asked to check the demarcation of the moves and steps. The first intercoder holds a master's degree in ESL and has prior experience in coding moves for genre studies. The second intercoder is currently working on his master's research in the field of genre analysis. The researchers first identified the move scheme, which was later used to train the intercoders. The Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers [4] was also used as a reference in determining the moves and steps. Later, a series of trainings and discussions were held with the intercoders. Prior to finalising the move scheme, the agreement percentage of the demarcation of the moves and steps was sought between the researchers and intercoders. The percentage recorded was more than 80%, and the scheme was later finalised.
Using the finalised move scheme, the researchers coded the rest of the samples. Once the coding process was complete, the annotated moves were counted for their frequency. This was performed to answer Research Question 2. Moves that occurred 100% are cate-gorised as obligatory [16], conventional moves are those with 60% to 99% occurrence and below, and moves that occurred 60% are optional [35].

Results and Discussion
The analysis on all 40 RMRs revealed that they are formed of five moves, which could be further described into steps. The RMR section for all banks is named the Statement on Risk Management and Internal Control, and it is divided into two parts. The first part focuses on general information on the management of the risks, while the second part highlights the internal efforts made by the banks in governing the risks. During the analysis, it was found that each bank had similar information from year to year. However, this is not surprising in annual reports because some companies were inclined to practise "disclosure inertia". The term refers to providing little or insignificant changes in disclosures [10]. This practise often takes place in RMRs [36]. Table 1 shows the moves found in the RMRs. The findings in this subsection answer Research Questions 1 and 2.

Move 1: Overview of the Bank's RMR
The first move begins with a statement that the RMR was written as a requirement set by Bursa Malaysia. However, it was found that Move 1 is optional, as it could only be found in 47.5% of the corpus. Presumably, this low occurrence is because the overview of RMRs was not made compulsory by Bursa Malaysia. An example of Move 1 can be seen in the following excerpt taken from Sample A17: "The Statement on Risk Management and Internal Control is made pursuant to Bursa Malaysia Securities Berhad Listing Requirements which require the Board of Directors ("the Board") to disclose in its Company Annual Report a statement on key features of the risk management and internal control system of the Group during the year under review."

Move 2: Outlining the Bank's Responsibilities
Move 2 informs the readers of the responsible parties in charge of the risk management of the bank. In the corpus, they are referred to as the Board, which should be understood as the Board of Directors who are responsible for the bank's situation. This is evident in the following example: "The Board is cognisant of its overall responsibility and oversight of the Group's system of internal controls and is constantly keeping abreast with developments in areas of risk and governance." (Sample D18).

Move 3: Introducing the Bank's Risk Management Framework
Having good risk management requires a good framework, which serves as a strong foundation to support the risk governance. In doing so, banks need to introduce the risk management framework, which is evident in Move 3. Unlike the first two moves, which can stand on their own without any move constituents or steps, Move 3 comprises two steps. As shown in Table 1, the move and its steps are conventional, with 87.5% occurrence, as they are not found in the RMRs of Bank C. The following excerpt serves as an example (Sample H18): "The Group has in place a risk management framework approved by the Board for identifying, measuring, monitoring and reporting of significant risks faced by the Group in the achievement of the Group's business objectives and strategies".
The first step of Move 3, M3S1, describes the main function of the risk management framework. It tells readers how the framework helps the banks in governing the risk. This can be seen in the following example (Sample H18): "The Group's risk management framework ensures that there is an effective on-going process to identify, evaluate and manage risk across the Group". This step is also conventional, with 87.5% occurrence, as it was missing from Bank C.
Following the step is M3S2, which discusses the bank's risk management process. This step often begins with a diagram to help illustrate the process. This step is conventional and appears in 87.5% of the RMRs only. An example of the step is displayed in Figure 2 (Sample H18). and oversight of the Group's system of internal controls and is constantly keeping abreast with developments in areas of risk and governance." (Sample D18).

Move 3: Introducing the Bank's Risk Management Framework
Having good risk management requires a good framework, which serves as a strong foundation to support the risk governance. In doing so, banks need to introduce the risk management framework, which is evident in Move 3. Unlike the first two moves, which can stand on their own without any move constituents or steps, Move 3 comprises two steps. As shown in Table 1, the move and its steps are conventional, with 87.5% occurrence, as they are not found in the RMRs of Bank C. The following excerpt serves as an example (Sample H18): "The Group has in place a risk management framework approved by the Board for identifying, measuring, monitoring and reporting of significant risks faced by the Group in the achievement of the Group's business objectives and strategies." The first step of Move 3, M3S1, describes the main function of the risk management framework. It tells readers how the framework helps the banks in governing the risk. This can be seen in the following example (Sample H18): "The Group's risk management framework ensures that there is an effective on-going process to identify, evaluate and manage risk across the Group". This step is also conventional, with 87.5% occurrence, as it was missing from Bank C.
Following the step is M3S2, which discusses the bank's risk management process. This step often begins with a diagram to help illustrate the process. This step is conventional and appears in 87.5% of the RMRs only. An example of the step is displayed in Figure 2 (Sample H18).

Move 4: Highlighting the Bank's Internal Control in Mitigating Risks
The second part of RMRs, which emphasises the internal efforts made by the banks, is articulated in Move 4. Because this is an essential part of RMRs, its occurrence was 100%. An example of the move can be seen in the following excerpt (Sample H17): "The Group's system of internal control is designed to manage and reduce risks that will hinder the Group from achieving its goals and objectives." This move is realised by three steps, which will be further described below.
The first step, M4S1, shows the bank's efforts to stop financial crime. The number of financial crime cases, such as financial fraud, has been escalating in recent years [36]. Therefore, it becomes necessary for companies, and especially banks, to prevent it from taking place in their institutions. In doing so, some measures are introduced under this step, such as "Anti-bribery and corruption", and "Anti-money laundering/ counter financing of terrorism". This step is conventional because it only occurred at 62.5% in the corpus. The following excerpt serves as an example of this step: "ANTI-BRIBERY AND

Move 4: Highlighting the Bank's Internal Control in Mitigating Risks
The second part of RMRs, which emphasises the internal efforts made by the banks, is articulated in Move 4. Because this is an essential part of RMRs, its occurrence was 100%. An example of the move can be seen in the following excerpt (Sample H17): "The Group's system of internal control is designed to manage and reduce risks that will hinder the Group from achieving its goals and objectives". This move is realised by three steps, which will be further described below.
The first step, M4S1, shows the bank's efforts to stop financial crime. The number of financial crime cases, such as financial fraud, has been escalating in recent years [36]. Therefore, it becomes necessary for companies, and especially banks, to prevent it from taking place in their institutions. In doing so, some measures are introduced under this step, such as "Anti-bribery and corruption", and "Anti-money laundering/ counter financing of terrorism". This step is conventional because it only occurred at 62.5% in the corpus. The following excerpt serves as an example of this step: "ANTI-BRIBERY AND CORRUPTION-One of the core values of the Group is integrity, and the Group will not tolerate any acts which are in breach of this value. The Group firmly believes in acting professionally, fairly and with integrity in all business dealings and relationships." (Sample D19).
Following the first step is M4S2, which presents and describes the risks that the banks encounter. However, this step only had 55% occurrence. Presumably, this step is neither compulsory nor requested in the Statement on Risk Management and Internal Control: Guidelines for Directors of Listed Issuers. Some banks also disclosed the risks in other sections of the annual reports rather than the RMR. Some of the risks that the banks encountered include Credit Risk, Operational Risk, Market Risk, Liquidity Risk, IT and Cyber Risk and Environmental Risk. An example of this step is shown in Sample B17: "EMERGING RISKS-The Group has identified several emerging risks, as listed below": Human resource is an important element because it contributes to the growth of any company, including banks. They must show their adherence to the human resource policies. Therefore, this has become the main purpose of M4S3. In this step, the policies presented are mainly related to staff development. This step is conventional because it occurred in 75% of the corpus. The following excerpt serves as an example of this step: "The Group People Policies serves as a baseline with clarity on the philosophy and principles for People Management and Development in the Group." (Sample F19).

Move 5: Concluding the Report
Similar to other sections of an annual report, an RMR is also ended with a formal closing [37,38]. This occurred in all the RMRs, and thus the occurrence was 100%, making it an obligatory move. This move is composed of two steps that concern the review of the report. Some banks included the "Conclusion" heading to signal the move, while the rest immediately disclosed the reviewing process.
The first step, M5S1, discloses the internal committees involved in reviewing the risk management system of the banks. It is an obligatory step because it had 100% occurrence. This step assures readers that the risk management and internal control practises have been thoroughly reviewed by the internal auditors appointed by the banks. This can be seen in the following example: "The Board has received assurance from the Group Managing Director/Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Internal Auditor and Chief Compliance Officer that the Group's risk management and internal control system is operating adequately and effectively, in all material aspects, based on the risk management and internal control system of the Group" (Sample E20).
The last step is M5S2, which discloses the external reviewers of the RMR being published. However, unlike the previous step, its occurrence was only 97.5% because it was not found in C16. This made the step conventional. M5S2 is used to inform readers that the reviewing process of the RMR involved external auditors and followed the guidelines that had been set by Bursa Malaysia. The following excerpt serves as an example of this step: "As required by Bursa Securities' MMLR Paragraph 15.23, the external auditors have reviewed this Statement on Risk Management and Internal Control. Their limited assurance review was in accordance with Audit and Assurance Practice Guide 3: Guidance for Auditors on Engagements to Report on the Statement of Risk Management and Internal Control included in the Annual Report, issued by the Malaysian Institute of Accountants." (Sample E20).

Conclusions
The present study investigates the moves and steps of RMRs by Malaysian commercial banks. A total of 40 RMRs by eight Malaysian commercial banks listed in Bursa Malaysia served as the data of the study. The RMRs were found to consist of two parts, which included general information on the management of the risks, and the internal efforts made by the banks in governing the risks. The findings revealed five rhetorical moves used in the reports. One optional move, one conventional move and three obligatory moves were identified in the corpus. It should also be noted that the practise of disclosure inertia [10] was found in the RMRs of all the banks. Through this practise, the information included in the reports was retained every year, with very minimal changes.
Genre-based studies on RMRs are still new, and therefore, this leaves a lot more opportunities for future research. The studies could include a comparative move analysis of the RMRs between countries or different types of companies. Some countries are still new to disclosing risks. Thus, the studies may provide insights into how similar or different the rhetorical moves are that can be found in the RMRs in these countries and countries that