Risk reporting to the Board

Jim DeLoach and I are friends who, I believe, share mutual respect but sometimes disagree[1]. I like to think our occasional disagreements are more about how we present and discuss topics than they are of substance. Nevertheless, I have made some less than positive comments on his and his firm’s work a few times in these pages.

Not so much today!

In March, Jim had Six Principles for Improving Board Risk Reporting published in NACD Directorship.

I would not argue with any of his principles:

  1. Focus on critical enterprise risks and emerging risks.
  2. Address ongoing business management risks on an outlier basis.
  3. Ensure risk reporting is linked to key business objectives.
  4. Use risk reporting to advance dialogues around risk appetite.
  5. Integrate risk reporting with performance reporting.
  6. Report on whether changes in the external environment affect the critical assumptions underlying the strategy.

I think the six are all principles that should be a focus of the board’s attention. Jim expands on them in the article.

I would change the order, putting the reporting of risk to objectives first.

My dialogues with board members over the last couple of years (including work with the NACD, where I would often see Jim) have told me that they want to receive information that is actionable.

Actionable information, when it comes to board members and top executives, will focus on the type of decisions that those individuals typically make: decisions relating to strategies, major projects, and so on. While they are concerned about management’s ability to make appropriate choices regarding significant risks, they will (and should) rarely get involved in tactical decisions.

So, whether corporate objectives and strategies, which have been approved by the board, will be achieved should be their first concern.

This brings me to two points that I would consider adding to Jim’s list:

  1. Consider and obtain assurance on the culture of the organization. The COSO ERM Exposure Draft makes culture a focus and I just posted (on the IIA site, where I have another blog) a discussion of a new research paper by the Chartered Institute of Internal Auditors.
  2. Assess whether the management team, including the CEO and CFO, have effectively integrated the consideration of risk into every business process and decision. Do they ‘embody[2]’ risk management at all times? As a secondary observation, does the board have full confidence in the chief risk officer and his or her ability to work effectively with the management team?

I welcome your comments.

[1] I was honored to have Jim as one of the reviewers of World-Class Risk Management.

[2] I emphasize the need for every executive to embody risk management in my book. Their actions drive the tone for and culture of the whole organization. They need not only to integrate risk into their decision-making processes but demand the same from their direct reports.

  1. Jim DeLoach
    June 26, 2016 at 6:10 PM

    Thank you, Norman.

  2. June 29, 2016 at 12:37 PM

    Yes, a good set of principles. The key question I always tell people to ask themselves when preparing board reports is “So what?” There is no point showing information just for the sake of it. What do you want from the board out of the report?
    Your point about reporting risk / objective we and performance all together is an excellent one but also very difficult to achieve in reality. Partly due to the interconnected nature of those items and also due to the current reporting lines and technologies.

  3. Antonio Salas
    June 29, 2016 at 3:18 PM

    Are boards capable of monitoring companies? “Do we really expect that part-time directors who attend approximately 13 meetings a year are going to be able to understand GE’s businesses in such depth that they can vigilantly evaluate potential actions and determine which ones are good for shareholders?…” Please read: https://hbr.org/2016/05/boards-arent-the-right-way-to-monitor-companies
    I am really interested in your opinion.

  4. Kelley Ambrose
    June 30, 2016 at 5:43 PM

    Point 2 is very valid – focus on reporting critical enterprise and emerging risks rather than the day to day ones
