When approaching the challenge of risk reporting, there are a number of key questions risk leaders may want to ask themselves: how do you present top risks to the board, what’s the best way of engaging with them, and what information do they need to know?
These questions have been at the centre of risk reporting discussions held by our network of risk managers, who regularly interact with each other about the challenges they face when trying to communicate with different levels of the business about the risks they face.
To summarise the range of practical insights exchanged by Risk Leadership Network members about their experiences reporting on risks to the board, we have highlighted 11 key pieces of advice below.
1. Most boards like it to the point
Know your board members and be aware of how knowledgeable they are about risk-related matters. Do they have a lot of knowledge or not? Are they especially into risk? This may impact how you report to them.
2. Mitigate the need for detail
Organising pre-meetings with board members who want to receive a more detailed overview of the risks facing the business can help you mitigate the effect of their influence.
The risk report should be a catalyst for an informed discussion on risk, as opposed to a simple box-ticking exercise that just creates administrative burden for board members.
3. Get feedback
Get feedback from the board and CEO on what they are looking for.
Depending on the business and its reporting structure, this may not always be possible, so focus instead on what is most important for the board:
- What risk information will help them execute their current strategy?
- What assurance can you give them about the control environment of key risks?
- Check the information you are presenting against the question that the board will inevitably ask: so what?
4. Focus on KRIs
A risk report focused on high-level aggregated KRIs and appetite can give the board a better view of which risks and opportunities the company should focus on right now.
5. Include emerging risks
Include emerging risks and horizon scanning findings. This can provide an insight into which direction the organisation should be looking at, as well as helping the risk team to apply a strategic lens to the business' key risks and opportunities.
6. Don’t focus on long-term risks
The biggest and most important risks to a company will often be those long-term threats and opportunities that the board are aware of; hence the same risks could be presented over and over again. Unsurprisingly, the board will not need (nor want) to hear about these repeatedly.
7. Highlight risks you want the board to consider
Highlight the risks you want the board to discuss and those you need guidance on.
These could be:
- New and emerging risks, or risks related to new strategies
- Ways to enhance your risk management maturity or simplify your current approach
- Risk appetite/risk tolerance
- Whatever you believe would be relevant for them and helpful for management/you.
8. Talk in plain English
The board will want to talk about the business in plain English – without reference to special risk techniques, templates or terminology.
Ultimately, if you can tell them something they didn't know, then you've already added value.
Take two or three risk topics they intuitively understand, bring in the risk owner, and try to frame the risk as a problem statement with a clear gap, while referring to a few internal data points or facts that they may not be aware of.
This tends to result in lively discussion, a focus on practical actions and an ongoing review of progress.
9. Break up the discussion into manageable pieces
Break up any prolonged interaction and discussions with the board into manageable pieces that are very focused on the purpose of the session.
10. Strike a balance
Regular reporting needs to strike a balance between qualitative and quantitative, historic and forward-looking, summary and detailed, financial and non-financial risks.
Deep dives should be called out separately to regular reporting.
Likewise, more strategic sessions should focus on a much longer time horizon and focus and strategic risks.
11. Use visuals
Boards (and risk and audit committees) prefer visual presentations of top risks. Risk dashboards, highlighting key actions to be taken or already in place, are a good start.
Actions and decisions should come out of these meetings.