The reality of risk reporting

My thanks to Resilience for an image that captures my view of most risk reporting:

[Image: funny cyber image]

While this focuses on cyber risk, I think it is appropriate for most risk reporting to the board and top management.

Risk practitioners need to provide decision-makers with the information they need, when they need it, in a form and language that informs and enables intelligent decisions by them – information they understand and can use effectively.

Decision-makers need to understand all the risks (and opportunities) relevant to their decision so they can take the right level of the right risks.

Not one at a time, but together.

They need to be able to balance the potentials for (downside) risk and (upside) reward. That requires that upsides and downsides are assessed similarly, so they can be aggregated and compared.

If decision-makers consider each risk one at a time, especially if separated from the consideration of reward, they will almost certainly make a poor decision.

Information about risk and reward needs to be reported in a way that enables informed and intelligent decisions, so these are 100% not useful for decision-makers:

  • Heat maps that show each source of risk separately and as a point instead of a range.
  • Risk registers and other lists of risks such as risk profiles.
  • Assessments of individual risks as high, medium, or low.
  • Quantification of risks to information assets.

As Carol Williams recently said in a post, practitioners have to deliver what management needs and wants.

ERM needs to be transformed from something you have to do (check the box) to something management wants, because it helps them and the organization succeed.

In my books, I have suggested this risk reporting:

  1. Integrated risk and performance reporting that shows, for each enterprise objective, the likelihood of achieving, under-achieving, or exceeding it – considering the current state and all the things that might happen (risks and opportunities). Boards and CEOs love this.
  2. Reporting of those few risks that merit individual and continuing attention, typically because they (a) are likely to have a major effect, and (b) are likely to affect multiple objectives.
  3. Tailored reporting for each strategic and major tactical decision – the information the decision-maker needs.

What does your risk reporting and communication look like? Does it enable informed and intelligent decisions? Does it provide leaders with useful and timely information on whether enterprise objectives will be achieved? Does it enable decision-makers to take the right level of the right risks for success?

I welcome your thoughts.

  1. Anonymous
    October 6, 2023 at 8:44 AM

    Spot on
