Risk reporting to the Board
Jim DeLoach and I are friends who, I believe, share mutual respect but sometimes disagree. I like to think our occasional disagreements are more about how we present and discuss topics than about substance. Nevertheless, I have made some less than positive comments on his and his firm’s work a few times in these pages.
Not so much today!
In March, Jim had Six Principles for Improving Board Risk Reporting published in NACD Directorship.
I would not argue with any of his principles:
- Focus on critical enterprise risks and emerging risks.
- Address ongoing business management risks on an outlier basis.
- Ensure risk reporting is linked to key business objectives.
- Use risk reporting to advance dialogues around risk appetite.
- Integrate risk reporting with performance reporting.
- Report on whether changes in the external environment affect the critical assumptions underlying the strategy.
I think the six are all principles that should be a focus of the board’s attention. Jim expands on them in the article.
I would change the order, putting the reporting of risk to objectives first.
My dialogues with board members over the last couple of years (including work with the NACD, where I would often see Jim) have told me that they want to receive information that is actionable.
Actionable information, when it comes to board members and top executives, will focus on the type of decisions that those individuals typically make: decisions relating to strategies, major projects, and so on. While they are concerned about management’s ability to make appropriate choices regarding significant risks, they will (and should) rarely get involved in tactical decisions.
- So, whether corporate objectives and strategies, which have been approved by the board, will be achieved should be their first concern.
This brings me to two points that I would consider adding to Jim’s list:
7. Consider and obtain assurance on the culture of the organization. The COSO ERM Exposure Draft makes culture a focus, and I just posted (on the IIA site, where I have another blog) a discussion of a new research paper by the Chartered Institute of Internal Auditors.
8. Assess whether the management team, including the CEO and CFO, has effectively integrated the consideration of risk into every business process and decision. Do they ‘embody’ risk management at all times? As a secondary observation, does the board have full confidence in the chief risk officer and his or her ability to work effectively with the management team?
I welcome your comments.
I emphasize the need for every executive to embody risk management in my book. Their actions drive the tone for and culture of the whole organization. They need not only to integrate risk into their decision-making processes but to demand the same from their direct reports.