The year is flying by as we’re well into the third quarter already. Midyear risk reports should be done, assuming your company prepares one quarterly, and you are likely getting ready to prepare a Q3 update.
As I discuss in The Ultimate Primer for Effective Risk Reporting, board risk reports serve a dual purpose.
On one hand, they provide the Board with assurance that management understands risks to objectives and is taking steps to address them…to “take stock” as Norman Marks puts it in his book World-Class Risk Management.
On the other, as these scenarios show, boards are increasingly expected or even required to play an active risk oversight role. No longer can they claim they were unaware. To illustrate this emphasis, consider how:
- The latest iteration of the COSO standard lists “reporting” as a core component, including a lengthy section specific to board risk reports.
- Legislation passed in the wake of the 08/09 financial crisis (…commonly known as Dodd-Frank) requires bank holding companies with more than $10 billion in assets to have a separate board-level risk committee.
- Risk oversight is one of four pillars institutional investor Vanguard Group uses to evaluate corporate governance practices and the stability of companies the firm invests in. Standard & Poor’s also carefully evaluates overall risk controls and oversight before assigning a credit rating. As this open letter to Boards from Vanguard explains:
Risk and opportunity shape every business. Shareholders rely on a strong board to oversee the strategy for realizing opportunities and mitigating risks. Thorough disclosure of relevant and material risks – a key board responsibility – enables share prices to fully reflect all significant known (and reasonably foreseeable) risks and opportunities.”
Despite this obligation and the increasing significance of robust board oversight of risks, many companies struggle with developing board risk reports that deliver actionable information in an easy-to-digest way.
According to NC State’s annual State of Risk Oversight report from 2020, many companies do report risks to the Board regularly, but close to two-thirds of respondents either have ad-hoc reporting or no structural process and minimal reporting. The level of satisfaction is rather low as well, with over 40% of respondents claiming they are “not at all” or “minimally” satisfied with the quality of reports they receive. (Personally, I feel an obligation to see that satisfaction in the quality of reports increase…and fast!)
Developing risk reports that Boards find helpful for oversight and decision-making
The original article on risk reporting includes many general tips for developing reports regardless of the audience. For example, many organizations will use very technical terms in their reports that only risk managers will really know the meaning of. Instead, you should be careful and only use language the enterprise uses already.
One point I mention in the risk reporting article and want to reiterate – How board risk reports are put together will vary from one company to the next, so it’s impossible to provide a specific outline, or as COSO puts it:
Management provides any information that helps the board fulfill its oversight responsibilities concerning risk. There is no single correct method for communicating with the board…
However, there are five general tips for developing effective board risk reports, including:
- Keep reports high-level – board risk reports should be general in nature and only include top risks impacting objectives. They should prompt discussion on how to proceed, whether through mitigation measures, additional risk taking, or a change in the strategy.
- Don’t copy/paste top risk reports – many companies will simply relay information found in top risk reports from the World Economic Forum, NC State, or industry-specific surveys. It’s okay to refer to reports like this, but you should refer the Board to the most relevant risks to the organization. In other words, you can use those surveys and reports as a comparison tool, but don’t make the assumption that if a risk is on the survey, it has to be a major risk for your organization.
- Outline what actions are being taken already – with the relevant risks in hand, discuss at a high-level what the company is already doing and compare it against what similar organizations are doing. This benchmarking activity helps the Board understand where the company currently stands and what it needs to focus on.
- Highlight priorities going forward – the benchmarking activity helps the Board see where things stand as it is, but they will still need direction on actions and priorities for dealing with top risks and opportunities. If your company’s experience is similar to those of your peers, then priorities will be the same, but if your experience is more unique, priorities will be much different.
- Utilize visuals – in order to make information on slides more digestible, use visuals when possible. As I discuss in this article, surveys show that 65% of people are visual learners. Keep in mind that, instead of packing as much text as possible into one slide, that it’s okay to have more slides if it helps the audience better and more quickly comprehend the information.
When recently helping a mid-sized medical device client develop a risk report for their board, we didn’t refer much to global reports like those from the World Economic Forum. Instead, we focused more on manufacturing outlooks, other industry-specific information, and reports for comparable sized companies, comparing that information against where the company currently stood.
What we discovered was that actions the company took in 2019 and early 2020 helped it better weather last year’s storm, so its priorities going forward didn’t particularly align with competitors.
The Board was able to understand this clearly from the report and use the information to ask management targeted follow-up questions.
As NC State’s annual survey shows, many companies struggle to develop actionable board risk reports. Improving this is critical to ensuring ERM is viewed as a helpful tool for securing the company’s success and not just another check-the-box exercise.
This article was originally written for ERM Insights by Carol.