Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Risk Reporting to the Board


Boards and their committees (the risk committee, if present, the audit committee, the compensation committee, the governance committee, and so on) need regular reports to support their oversight of the organization's management of risk.

A new report from the ERM Initiative at North Carolina State University, written by Bruce Branson, shares some interesting and perhaps useful information.

Reporting Key Risk Information to the Board of Directors (PDF) is based on input from 22 U.S. organizations that serve on the Initiative's advisory board. They include a number of prominent organizations, listed on page 25 of the report.

Here are some findings I find interesting:

  • Only about half of the respondents provide a report to their full board at least annually.
  • Only two said they provide risk reports to committees other than audit or risk.
  • Only half provide reports more frequently than annually, and those reports are at best quarterly.
  • Most board discussions are short: The most common is 30 minutes, but frequently it is less. Only five reported a discussion that takes a substantial amount of time — an hour or more.
  • Risk dashboards or heat maps seem to be the most common visual presentation tool, although reports also follow a tabular form. Examples are included in the report.
  • Risks are generally broken out into categories, such as operational, compliance, strategic, and so on.

Overall, the report reflects what seems to be a very traditional style of risk reporting.

Is that sufficient?

This is what I say in World-Class Risk Management:

Risk owners and those responsible for the oversight of the management of risk (on the board and in the executive ranks) need both periodic reports of risk status and alerts when significant changes are detected in the level of risk.

In chapter 5, on the value of periodic reporting, I said that I believe management and the board need two reports (in addition to a report on the effectiveness of risk management):

  • The first is focused on objectives. It enables them to determine how well they are traveling the path to each of their objectives. It will answer the questions, "Is the level of risk for each of our critical objectives at desired levels?" and "Do we need to take action to treat the risk, such as changing plans and strategies?"
  • The second is focused on individual risks. This is especially useful when one risk may affect multiple objectives. The report will let them assess whether specific areas of concern, such as access to confidential information, are being managed appropriately.

I also say that:

A world-class organization integrates performance and risk reporting. As each manager views his performance metrics, the key indicators of progress towards his and the organization's objectives, he can see and take into account the condition of related risks. This allows him to adjust course, act to treat potential negative events, and prepare to seize opportunities.

Let me explain.

Risk is the effect of uncertainty on objectives. Whether you are an adherent of the COSO ERM Framework (and those at the ERM Initiative are) or the ISO 31000:2009 global risk management standard, it is clear that risk needs to be assessed, discussed, and acted upon as it relates to the achievement of enterprise objectives.

But, I don't see that in this report.

How does a board, committee, or executive know whether the likelihood of achievement of one or more enterprise objectives is at an acceptable level? For that, you need a report that is focused on objectives. Multiple risks may affect a single objective, so a report that is limited to discussion of one risk at a time, rather than one objective at a time, limits the oversight of performance.

Maybe it is time to change the strategy.

I also say that the board needs a report that focuses on individual risks, because they frequently affect multiple objectives.

But, it is essential to identify those objectives — and I don't see that in this report.

While the report says that, for some, risk reporting and discussion happens as part of the planning cycle, isn't it essential that risk be included in any board discussion of performance? I believe the answer is a resounding "yes."

There are problems with identifying risk level as a single point where the axes are impact and likelihood. Risk is probably better represented by a range of potential consequences, each with a different likelihood. But that's a topic that will take too long to discuss in this post.

One closing point.

If boards are only taking a limited time to focus on risk, doesn't this indicate it is seen as something separate from performance and achieving results? It is one thing to have a risk management activity, and quite another to have the management of risk be an essential element in informed decision-making at all levels across the organization, every minute of every day.

I welcome your thoughts.

Is it time to provide the board and its committees with a different and upgraded level of insight into the achievement of enterprise strategies and objectives?
