Board reporting is the logical follow-on from my blog last week on reporting to Audit and Risk Committees (ARCs).
The “reportable offences” I am talking about this week stem from the type of reporting that is often inflicted on boards from risk and related functions. Reporting that causes boredom, that provides an excuse to reach for the phone to check emails and, occasionally, causes pain and suffering as each excruciating detail is “communicated” to the board.
Just as I wrote last week, performance and risk reporting should be integrated and should reflect on whether the organisation is operating within appetite for risk. Which leads to the question of who is doing the reporting to the board. The risk team or management?
When it comes to this first part of reporting, the answer must be management (don’t worry, there is other important reporting for the risk team). The CEO should be presenting the quarterly performance against strategic plan, the risk to future performance and whether or not the organisation is operating, and is likely to continue to operate, within the board’s appetite for risk.
The risk team’s role in all of this is to help prepare the CEO and broader executive: to help interpret the results of updates to business unit risk profiles (for example, identifying new systemic enterprise risks) and to ensure those risks are properly understood, rated and articulated so the board can comprehend them.
Now enter the risk team. Some of the risks the CEO has been talking about may need a deep dive. Preparing and explaining the plan for a deep dive will be both valuable and comforting for the board.
Last but not least, the risk team should be updating the board on the key metrics that indicate the maturing (hopefully!) culture of risk-based decision making. These might include basic metrics on shifts in risk profile, the percentage of controls behind schedule for testing or the number of risk treatments that are overdue. It might also be reporting on risk culture assessments conducted by internal audit or external experts. The focus here is on behaviours. What people do is proof of the culture you have.
I recently asked a group of participants what their biggest takeaway was from the RMIA ERM Course they had just completed. One person piped up straight away, “My job is to change behaviours!”. It was music to my ears.
Speaking of music to one’s ears: the board don’t want to be bored. They want risk reporting to be valuable to them so they can perform their oversight role in ensuring the organisation has a great strategy and understands the risks involved. Simple.