The Missing Pieces of Risk Reporting

In today’s world, numerous things could impact your business at any given moment. Your business must be prepared to respond to changes, whatever they may be—natural disasters, data breaches, or economic factors in record time. Given this environment, there has never been a better time to implement an effective Risk Management (RM) strategy. To do this, your business needs thorough risk reporting.

Risk reporting is the process of communicating real-time risks and performance data to various stakeholders within your company and to external stakeholders. The report includes the risks your company is facing. A risk report should convey critical risks or the most dire risks that could spell doom for your company. It should also highlight emerging risks that could impact the company in the future. The risks can be things like regulatory compliance risks, but they can also be more expansive such as the impact of the shift to working-from-home for employees.

It must be noted that monitoring risk is a continuous activity. The results of a risk report will demonstrate an awareness of what is happening across an organization. Despite the constant threat of risks, almost all risk reports to a board of directors or management consist of the top 10 risks the organization is facing. While this can convey a degree of risk to the company, there are several issues with this approach to risk reporting.

The Risk Report Journey

The top 10 risks are determined during the risk analysis process. This process uncovers the most severe risks most likely to cause harm to the company. Undeniably these results belong in a risk report. However, an important aspect is often missing from such risk reports. They rarely convey the process that leads to the results.

Risk reports can and should include insights into the risk reporting process. These insights provide valuable background information for the reader. This information helps directors and managers understand the risks to make better decisions based on them. There are several process-related questions a risk report should address, including:

  • Which stakeholders were involved in the process?
  • Were external parties involved, clients/partners or experts?
  • Where does the information come from?
  • How was the risk analysis performed? In what setting? Individual interviews, group discussion workshops, questionnaires, Excel, etc.?
  • Were there equal opportunities for everyone to speak their minds during the process?

Reporting the journey that leads to the results is very important. This is even more true for risk reports that serve to provide transparency and gain support from the company’s external stakeholders. A black-box approach is generally not a good idea for a report that will be used for such purposes.

Providing insights into the risk process also provides opportunities to show how your company is evolving on the risk maturity ladder. It gives external parties, like auditors, regulators, customers, partners, and shareholders confidence in knowing that you are taking risks into account.

With RM practices back in the spotlight since the COVID-19, companies are expected to do a better job of taking risks into account going forward. The exact same thing happened years ago during the financial crisis. However, many companies have still not learned from past crises. Maybe they will learn from this one and begin to take RM much more seriously.

Real-time Risk Reporting

How are your risk reports formatted? They are most likely written in Word or Excel. This is not necessarily a problem. However, keep in mind that by the time you have finished the report and are ready to present it to the board or management team, your Word/Excel reports are outdated. It’s a snapshot of the risks your organization faced from several months ago when the report was being compiled.

The world we are currently living in changes by the day. Consequently, the risk report is always outdated. The report should ideally present the board or management risk data of today, the now, real-time. If they do not have the most recent data, how will they use that information to make sound and timely impactful business decisions? They want their decisions to have a positive effect on the company. To do that, they need the most recent information. With outdated risk reports, they will always be lagging one or two steps behind the current situation.

RM is a continuous process that needs to be integrated into the day-to-day business. Therefore risk reports should clarify the risk progress as well. There are several questions your risk report should address to ensure its data is as current as possible:

  • How does the current top 10 compare to last month’s top 10?
  • Are risks going down, indicating they are appropriately managed and going in the right direction?
  • Or are risks going up, and do we need to act upon them?
  • What are the emerging risks that are not (yet) in the top 10 but should be watched?

Risks and Objectives

The top risks must be linked to the objectives. These objectives are specific, measurable goals that the company hopes to reach. Taking the ISO 31000 definition of risk into account: risk is an effect of uncertainty on objectives; therefore, in risk reporting, you must always link the risks to objectives. For board-level reporting, these objectives will be the company objectives. But for project risk reporting, it will be the project objectives, and so on.

Entity objectives are linked and integrated to even more detailed and specific objectives. These can relate to specific business areas such as operations, compliance, legal, and so on. Furthermore, these specific objectives can be broken down into sub-objectives, including sales, production, and infrastructure. No matter the objective or sub-objective, risks need to be tied to them. 

The impact of each risk on the objectives should be explained and quantified. Explain what has been done, what is planned, and the expected results or target risk. Advise further actions on the risks such as avoid, accept, control, or transfer. Provide room for input from the board and management to guide your decision-making. For management to make decisions with risk in mind, they must be able to visualize in the risk report what and how risks are affecting the objectives.

Presenting Your Risk Report

Everyone agrees that a risk report should be easy to read and understandable. It could be argued that your risk report should be presentable in a couple of PPT slides; this forces you to be concise in wording and use of visualizations to state your case. You could use process diagrams to depict the risk process, and the results can be presented in risk dashboards.

Ideally, the risk data can be pulled from a data source. This source can be an ERM software, database, or Excel, as long as it has current and up-to-date data. Once you generate the report template populated with the current risk data, you can add your findings and recommendations to it. Usually, the latter should be in your risk system already as well.

Finally, use a fixed-layout format. RM is a continuous process, and you will be regularly creating risk reports. Once your readers get used to the format you use, they will know what to expect, where the relevant information can be found, and how to interpret the report. Over time, the format can also be incrementally improved based on reader feedback and other new developments.

Conclusion

Risk is an unavoidable part of doing business in today’s world. Now, companies are expected to take risks seriously and be prepared to address them proactively. To do that, they must put a Risk Management strategy in place. Regular risk reports will be one of the most important parts of any RM strategy.

The risk report must convey a highly detailed amount of information clearly and concisely. It should give insight into the risk report process and show how the risks were determined. As much as possible, your risk report should have the most current real-time data possible. Every risk needs to be tied to an objective in a format that directors and management teams can understand. Companies do not have unlimited resources. Therefore, they need the correct information to decide how they assign their valuable and limited resources to best achieve their objectives and be prepared for the future.