Risk reporting to the board and top management
OK, I admit it. When I was CRO at Business Objects (where I was also CAE), I didn’t do what I now propose is necessary.
This is what I said in World-Class Risk Management:
I believe management and the board need two reports (in addition to a report on the effectiveness of risk management):
The first is focused on objectives. It enables them to determine how well they are traveling the path to each of their objectives. It will answer the questions “is the level of risk for each of our critical objectives at desired levels?” and “do we need to take action to treat the risk, such as changing plans and strategies?”
The second is focused on individual risks. This is especially useful when one risk may affect multiple objectives. The report will let them assess whether specific areas of concern, such as access to confidential information, are being managed appropriately.
I provided the Business Objects management and board a report with the executives’ consensus assessment of the more significant risks to the enterprise. (I facilitated and coordinated the management of risk by the management team. Even though I was CRO, I considered it their responsibility to assess risk, not mine.) For each risk, we provided their view on the potential consequences of the risk (we only considered potential adverse events and situations) and the likelihood of such an effect, as well as whether that level was acceptable.
In other words, I provided only the second of the two reports I now believe are necessary – one that I now consider to be the lesser in terms of value in running the organization.
Why is that?
When you consider risk outside of its context, which is leading the organization to success and its achievement of objectives, you may well make the wrong decisions when it comes to strategy, tactics, and plans.
It’s looking at a piece of the picture instead of stepping back and seeing the whole.
Unfortunately, I know of few organizations that have integrated risk into their strategy management and performance monitoring and reporting.