Risk reporting to the board and top management
OK, I admit it. When I was CRO at Business Objects (where I was also CAE), I didn’t do what I now propose is necessary.
This is what I said in World-Class Risk Management:
I believe management and the board need two reports (in addition to a report on the effectiveness of risk management):
- The first is focused on objectives. It enables them to determine how well they are traveling the path to each of their objectives. It will answer the questions “is the level of risk for each of our critical objectives at desired levels?” and “do we need to take action to treat the risk, such as changing plans and strategies?”
- The second is focused on individual risks. This is especially useful when one risk may affect multiple objectives. The report will let them assess whether specific areas of concern, such as access to confidential information, are being managed appropriately.
I provided the Business Objects management and board a report with the executives’ consensus assessment of the more significant risks to the enterprise. (I facilitated and coordinated the management of risk by the management team. Even though I was CRO, I considered it their responsibility to assess risk, not mine.) For each risk, we provided their view on the potential consequences of the risk (we only considered potential adverse events and situations) and the likelihood of such an effect, as well as whether that level was acceptable.
In other words, I provided only the second of the two reports I now believe are necessary – one that I now consider to be the lesser in terms of value in running the organization.
Why is that?
When you consider risk outside of its context, which is leading the organization to success and the achievement of its objectives, you may well make the wrong decisions when it comes to strategy, tactics, and plans.
It’s looking at a piece of the picture instead of stepping back and seeing the whole.
Unfortunately, I know of few organizations that have integrated risk into their strategy management and their performance monitoring and reporting.
Have you?
Join us for a discussion of effective risk management, first in Chicago (April) and then in London (May). Details are here.
Norman, Protiviti has a Board Perspectives piece coming out in two weeks on board risk reporting that has similar views.
Great minds……
Norman,
I agree with your comments, but would take it even further. Often (mostly?) there is a discord between vision/mission, strategy and the shorter term business plan (which morphs into budgets) with the specific uncertainties of the different aspects (and timing effects) of these plans (in other words, risks).
I am a bit biased, but I blame the commonly held philosophy that prevails on many boards, that the Audit Committee (which looks backwards) should handle the identification, effects and treatment of potential future events (which is forward thinking), with the individuals involved commonly ill-equipped to handle the strategic elements.
In my experience (mostly in the resource sector), the bigger organizations are better at this, whereas smaller companies (especially family-run) and government organizations do not seem to handle this as well.
Norman, as always, your posts make sense and provoke thought – please keep it up!
Cheers,
Peter Cockcroft
Thanks Norman and Peter for your thoughts.
I believe the challenge lies in the intrinsic tension between risk and strategy management. Many organisations have the Board responsible for the strategy/performance management while risk management is delegated to a smaller committee. The internal organisation structures also reflect culturally and technically how the strategy and risk functions are positioned/located to each other, indicating their difference in priorities and importance.
And good to see you here, Peter.
Cheers,
Damian Wong
More important is to have a sensitized Board which is also worried about regulators and reputation. That being in place, one report is good enough and the Board will partner with the executive team intelligently in dealing with RISKS. Without that, 2 or 4 reports do not make a big difference.
Norman, did internal audit produce similar reports?
The first will answer the questions “is the level of risk for each of our critical objectives at desired levels, bearing in mind the controls actually operating?” and “do we need to take action to treat those risks above the desired level found to be threatening our objectives due to absence or proper operation of controls?”
The second is the standard audit report, or summary of these.
David, I am referring to the reports from the CRO or similar. I don’t see internal audit as the primary reporter on risk to the board.
Norman, I’m not suggesting that IA are a primary reporter on risks to the board, but they are a primary reporter as to whether those risks are being controlled to within the desired level by controls actually operating, and therefore whether the objectives are likely to be achieved. What reports did you make to the board in your role as CAE?
David, I reported to the board my assessment of the overall condition of the systems of risk management and internal controls. I also, in individual reports, informed them of areas where the management of specific risks was not adequate – less often about the actual level of risk, and more often about whether controls provided reasonable assurance that risks were at desired levels.
Thanks Norman. I was just trying to understand how the reports from the CAE tied in with those from the CRO.
Well said Norman, I couldn’t agree more. I hear other risk and internal control professionals reporting similar findings of this apparent lack of drive (or grasp) in companies and organizations to move in the direction you propose. In fact, this is firmly built into the COSO Internal Control Framework and other frameworks. The question is “what will bring about such a change in approach”?
Keep things simple.
While I totally agree that risk policy/process are important, and guide exception reporting to the deciders, my personal experience over many years has proved that:
risk recognition and raising is far more critical to success
Can the team identify risk?
Leave classification of risk to the analysts!
Which analysts, Peter? Operations or risk officers? Should operating management be the one identifying and assessing risk, since they know far more about the business than any risk officer?
My view is simply that too many risks are overlooked because the folk that recognise them don’t speak the same language as the risk pros. Make it simple – people like yourself would clearly be ideal in deciding whether a risk is genuine, and which area should handle it. I also believe strongly in open communications. Many people cannot use words common to risk groups – a risk in itself.
Peter, I agree with you. According to ISO 31000, risk is the “effect of uncertainty on objectives”. What does that mean to most employees who need to identify and assess risks every working day? The Oxford dictionary defines risk as ‘A situation involving exposure to danger’. Far more understandable.
Many years ago I attended a risk workshop with staff from retail stores who had no experience of consciously integrating a consideration of risk into their work. They were surprised at how much they gained from attending the workshop and how useful it was to them. So I have no doubt that the average employee, at all levels, will be only too happy to integrate risk into their work, if they are not put off by the jargon. I see the role of the CRO as a translator between staff and the systematic recording of risks.
Norman. I commented on a previous blog that one of the drivers to get integrated risk reporting at a strategic level is much greater emphasis on accurate forecasting, as this will drive out the need to consider the risks facing the organization.