In the wake of corporate scandals such as Enron in the US and Parmalat in Europe, governments are changing the rules in an attempt to prevent such embarrassments in future. The favoured approach seems to be to force organisations to be more open about their operations and financial reporting.
Under the UK government's latest proposal, all listed companies would have to produce an annual Operating and Financial Review - a report including any factors that could affect an organisation's performance and an outline of procedures in place to mitigate risks.
A company dealing with hazardous substances, for example, would have to explain how it was managing risks to prevent damage to workers' health and the environment; while a firm whose fortunes could be affected by climate changes would have to show how it was preparing for such changes.
But although the government has kindly included a few such examples, the proposal does not explain exactly what should and shouldn't be included in reviews. According to the proposal, it is up to individual company directors to decide the topics that should be covered - which should only be those areas that are "necessary for an understanding of the business".
Ah, well that clears that up then. Apparently, the aim is for quality not quantity of content. But the vagueness makes the task of selecting the elements to include incredibly difficult.
Firms only need to include areas of concern or issues that could hamper performance - or perhaps change it for the good.
However, to properly assess and pick topics, surely organisations must first go through all their procedures, operations and processes to ensure that all potential areas have at least been considered.
Indeed, under the proposal, firms are welcome to take a "nothing to report" approach - as long as they can show the report has been prepared with "due and careful enquiry". To deter directors from signing off half-hearted reviews, the government threatens unlimited fines if they are careless.
So while the proposal doesn't include a specific example of where technology could affect business performance and would therefore need to be included, the tenor of the proposal implies it should at least be part of the assessment process. As firms rely more and more on the wellbeing of their IT systems to maintain daily business operations, surely it makes sense that weak spots in these systems are considered.
But you could argue that the notion behind the review - to improve transparency of corporate governance and give shareholders a better idea of risks and how they're being mitigated - opens a whole new level of risk for firms. Not only would they be outlining potential weak spots in their IT systems and other processes - a handy resource for anyone with a grudge against the business - they'd also detail the measures taken to close the gaps. IT directors may well fear that such details could make their firms more attractive targets for attackers.
As a result, I can't imagine that a huge number of IT directors would welcome the prospect of being asked to sign off technology risk assessments for the annual review.
I hope these concerns will be raised during the consultation period and the government will take action to mitigate the risks of asking firms to publish such sensitive information.