Reporting on Risk to the Board

My good friend, Jim DeLoach of Protiviti, seems to be everywhere. He writes about risk management (and was an advisor to COSO for its 2017 ERM update), internal audit (I last saw him at the recent IIA General Audit Management Conference), and governance. He works closely with board members, often participating in meetings of the National Association of Corporate Directors.

He has a great perspective, as you might expect from a veteran who is familiar with all of these areas.

Most of the time, we agree – but disagree on how concepts should be communicated.

His latest piece, Communicating Critical Enterprise Risks to the Board, is an example of how we differ.

While it focuses on risk assessment, it has some general comments which are excellent. But I believe it misses some key points as well.

For example, he says (emphasis added):

Certain risks require directors and executive management to have sufficient information in advance to prepare them for discussions about risks and how they are managed. For example, the critical enterprise risks are the ones that threaten the company’s strategy and the viability of its business model – such as credit risk to a financial institution, supply chain risk to a manufacturer, commodity price risk to a power company, country risk to an oil exploration company, research and development risk to a pharmaceutical company or unique risks that make a company an outlier among its competitors. Often, these risks require full board engagement because they are strategic in nature.

Paring a company’s risks down to the ones that really matter maximizes the value of the board’s risk oversight input and effectiveness of the executive team’s risk focus.

He continues by suggesting 8 principles.

The first, with which I agree, is “Begin with the end in mind”. As he says:

Risks require a context provided by the enterprise’s business objectives and strategy. Strategic objectives are high-level goals aligned with the organization’s mission, vision and core values. These objectives reflect the management team’s choice as to how they intend to create stakeholder value. These choices almost always entail risk-reward trade-offs.

That is fine.

But I don’t think he has defined (at least to my satisfaction) what the “end” is that we should “keep in mind”.

The “end” we should “keep in mind” is not reporting to the board. It is enabling the board to be effective.

We should tell them what they need to know to help the organization succeed. That is not the same as providing a list of risks, even critical enterprise risks (however defined). It is certainly not limiting them to the review of a list of top risks – “enterprise list management”, in Jim’s own words.

Those charged with reporting on risk to the board and to the executive team should understand:

  • What are they trying to achieve?
  • What information do they need to be successful?
  • How can we help?

The board should NOT be trying to “manage” or “provide oversight” on the management of risk.

It should be trying to manage the setting and achievement of objectives, providing oversight on how management does that.

Along the way, they will need assurance that management understands and is addressing what might happen (risk).

Risks are important only in so far as they might affect (both positively and negatively) the achievement of enterprise objectives and the strategies employed to do so.

So, it is essential for the success of the organization and of the board’s contribution to that success to start by answering these questions:

  • How likely are we to achieve our objectives?
  • Is that likelihood acceptable?
  • Can we improve it?
  • Can we also improve the extent of success?
  • What might happen that would have a significant effect on our success?
  • Are we doing enough about that – both the upside and downside?

This may be unfair (sorry, Jim), but I see the risk identification and assessment processes employed by most, and apparently supported in Jim’s article, as a “bottom-up approach”.

It answers the questions of (a) what might happen (risk), and (b) how those risks would affect our objectives.

That is useful, but what is missing is a top-down approach.

For each objective, what might happen (at least reasonably likely) that would have a significant effect on the achievement of objectives?

Now, assess those risks – individually and collectively.

What is the likelihood and extent of success given all the things that might happen?

In my experience, you will identify some different sources of risk when you take the top-down approach.

Both the top-down and bottom-up approaches should be used, and the resulting information provided to the board and the top management team, so they can see how all these sources of risk (what might happen), when taken together, might affect each enterprise objective.

Jim closes with three questions for executives and directors.

I suggest changing them to these four:

  • Is there a process for considering, for each enterprise objective, its current achievement level (KPI), what might happen (KRI), and the projected likelihood and level of achievement?
  • Is that process reliable?
  • Are the board and executive team satisfied with the reporting they receive periodically regarding each of the enterprise objectives?
  • Are the board and executive team satisfied that decisions made across the enterprise are informed and intelligent, resulting in taking the right level of the right risk – so that both the creation and preservation of value are optimized?

What do you think?

Are you helping the board and management team “manage risk” or manage the enterprise to success?

I welcome your comments.

  1. April 13, 2018 at 9:45 AM

    Really good points, Norman

  2. Glenn Daly
    April 13, 2018 at 3:09 PM

    Boards can have varying requirements for what they are trying to achieve from a risk report. All that you say is great in theory but may not be consistent with what a particular board wants in practice. If you fail to meet what they want, you risk getting dismissed. This is the reality. Now many boards simply view risk reporting from a “what’s the minimum I need to do to meet the perceived corporate governance requirements/perceived best practice standards to protect myself as a director” perspective… whether this is consistent with being a significant value add to the organisation is of lesser concern… the reasoning for such a perspective being the perception that other reports from management often address many, if not some or all, of the aspects you raise. Duplication of information being reported to the board… you encourage this? Reports to boards (rightly or wrongly) need to look and feel a bit different, otherwise there is no point… is there?

    • Norman Marks
      April 13, 2018 at 3:13 PM

      Glenn, how about giving them both the traditional, this is what you have always got, report AND a report by objectives?

      In my experience, the smart people in leadership will see the value.

  3. Helene Bibiane NGOKA
    April 15, 2018 at 9:35 PM

    Very insightful approach to reporting risk at board level. The most important thing for me is to answer the question, “What could the Board and top Management do to respond to risks and ensure the achievement of business objectives?” KRI and KPI become elements to measure the successfulness of actions taken.

  4. Hennie van der Watt
    April 19, 2018 at 1:52 PM

    Yup. Probably one of the key reasons (there are others) why senior leaders and others around businesses don’t see value in ERM, is because it’s fallen into a spiral of ELM that’s divorced from BAU reality. When you have conversations with leaders about what they’re trying to achieve and help them manage the likelihood of achieving those objectives (and impact if they don’t), they sit up and listen. Ultimately, that’s what they get measured on. Delivery of strategy. What we need to do is help them figure out how to address the issues that could cause a decline in the likelihood of achieving objectives, or the increase in the impact of not achieving those objectives. That is called Risk.

  5. October 11, 2018 at 3:30 AM

    @Norman, by ‘end’, @Jim meant the company’s strategic objectives, which also makes this process top-down.
