
What are good risk reports?

November 27, 2023

Alexei Sidorenko[1] asked “what should an awesome risk report look like?” It’s an excellent question.

He wisely says:

If we wanted to really make a difference to decision makers we would switch from risk reporting to risk-adjusted performance reporting instead. Risk managers always have a choice: generate own risk reports or use the outputs of risk analysis to improve existing performance and management reports instead. To me the choice is clear. Integrating risk information into existing management reporting is the future.

I think about it this way.

  1. Leaders of the organization in management and on the board work towards enterprise objectives (or goals). In most organizations, their compensation depends largely on that, and the success of the organization is measured based on the achievement of those goals and objectives.
  2. Investors and analysts base their investment decisions (and whether they will vote to re-elect board members) on the published enterprise objectives, goals, plans, forecasts, outlook, etc.
  3. Leaders need to know whether they are likely to achieve those goals and objectives, and what might affect their achievement: risks and opportunities, ‘what might happen’.
  4. Management reporting should be based on an appreciation of all the risks to each enterprise objective.
  5. They need to be able to determine whether the likelihood of achieving each of their enterprise objectives is acceptable, and if not what to do about it.
  6. They need management reporting to deliver that information in a way that is easily understood and acted upon.
  7. It’s less about ‘risk reporting’ than it is about ‘strategy and performance reporting’.
  8. It’s less about ‘risk-adjusted’ reporting, and more about considering risk (and opportunity) when preparing forecasts and other performance reports.
  9. It’s very much less about managing or mitigating risk (especially as you need to take risk – not just accept it – to achieve objectives), and much more about managing the business.
  10. Heat maps, risk registers, risk profiles, and reports of actual levels of risk vs. risk appetite, don’t cut it.

As Alex says:

A useful metric that risk managers should communicate to decision makers is the probability of meeting/achieving an objective or target. Think of it as achievability given the risks. If your performance report has targets or objectives, then risk managers can measure and report how achievable they are and whether they are more achievable today than last month. Norman Marks calls this likelihood of success and Tim Leech calls objective centric. I provide a step-by-step guide on how to do it here. This can be represented as a single number (70% probability of achieving business plan objective) or as bands (forecasted performance falls within acceptable range). Separate likelihood of success needs to be reported for each significant objective.

I provide an example of the management reports that are possible in Risk Management for Success.

In the book, I go on to say:

There is also value in identifying for periodic reporting, review, and ongoing monitoring the more significant risks and opportunities that merit individual attention.

The report might include risks that:

  • Can affect multiple objectives to an extent that is unacceptable. For example, a cyber breach is likely to affect both revenue targets and the ability to ensure compliance with trade regulations. While one effect may be sustainable and acceptable, the combination may be considered too much.

But it is very important to ensure that the discussion of something like cyber is with a business perspective, paying attention to how a breach could affect the business, rather than on the fact that multiple information assets are at high risk.

  • Have drawn the attention of regulators or the media. Current examples might be diversity in management or the level of sexual discrimination. Another is where a significant deficiency or even a material weakness in financial reporting has been identified by management or the auditor.
  • Are especially significant in terms of their magnitude and impact on the organization. For example, when I was the CAE and CRO of Business Objects, SAP agreed to buy us. This was by far the largest acquisition SAP had ever made and the ability to preserve and grow the revenue stream was of prime importance. My team worked with management to ensure that both risks to revenue were addressed and opportunities to leverage the larger SAP customer base were made possible.
  • The board has identified for discussion and monitoring. This might include completion of a major project such as the next generation of the company’s products.

This list of individual risks (or groups of risks) would supplement the report shown above (rather than being the prime risk report as it is in most traditional risk management programs).

In the majority of cases, these risks and opportunities will also be identified through the review of factors inhibiting or enabling successful achievement of objectives.

However, when something has been identified for special attention but does not seem to have a significant impact on objectives, management and the board should question whether it truly deserves that attention.

The underlying point is that management and the board need to receive reports that provide the information they need to do their jobs.

They should not be given reports that include unnecessary content or detail. That makes it more difficult for them to see the critical nuggets of information they need to know and address.

Give them what they need and no more. Don’t waste their time! It only minimizes your value to them.

It is critical to recognize that different decision-makers need different information, possibly in different ways and formats, at different times.

One size certainly doesn’t fit all.

Understand what they need, given that it may change all the time, and make sure they get it when they need it.

Help them run the business. Help them by ensuring they get the reports on performance, considering risk, that help them make the right decisions, take the right level of the right risks, and achieve personal, team, and enterprise success.

Does your organization provide leaders on the board and in management with the ‘risk reports’ they need?

By the way, have you seen the short videos on my YouTube channel?

====================================================================

[1] I highly recommend Alex’s blog at https://riskacademy.blog/, and subscribing to his Risk Awareness Week 2023 virtual conference.
