Risk Tip #12 – Risk Reporting
Over my career in risk management I have seen the most amazing array of reports submitted to Boards and Executives. I am sure you have seen them all as well. Charts such as those shown below proliferate in risk reports:
Now, at a glance they look ‘sexy’, but there is one simple problem with these reports: they tell us absolutely nothing about how the risks are being managed. They just provide a status.
A really useful report is focussed purely on those risks with the highest level consequence – regardless of the likelihood and the overall risk score.
The rationale is simple: management should have visibility of the effectiveness of the control environment relative to the risks that, if they materialise, will have the highest consequences to the organisation.
Now this approach to reporting is predicated on the assessment of the likelihood of a risk based on control effectiveness rather than time and frequency. I discussed this in Risk Tip #1 – Likelihood.
Let’s take the risk: Unauthorised access to and/or release of confidential information. Our first report to the Executive is shown below:
The organisation then conducts a full analysis of control effectiveness and the next report looks like this:
What we can see from this report is that the control environment is not at the effectiveness level shown in the previous report. As a result, the likelihood of the risk has increased which, in turn, raises the level of the risk above the risk appetite of the organisation. This then leaves the Executive with a risk-informed decision to make: do we invest in the new firewall, or do we accept the risk at the higher level?
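The reporting approach described above, as an added illustration that is not from the original post: likelihood is read off control effectiveness rather than frequency, the report selects risks by consequence alone, and each selected risk is compared against the organisation's appetite. The 1 to 5 scales, the effectiveness-to-likelihood mapping, the appetite threshold, the control names and the risk owner are all constructed sample values chosen for the example.

```python
"""Control-effectiveness-based risk report (added example, constructed values)."""
from dataclasses import dataclass, field

# Hypothetical 1-5 likelihood scale driven by control effectiveness:
# weaker controls mean a higher likelihood, regardless of past frequency.
LIKELIHOOD_FROM_EFFECTIVENESS = {
    "effective": 1,
    "partially effective": 3,
    "ineffective": 5,
}


@dataclass
class Control:
    name: str
    effectiveness: str  # one of the keys in LIKELIHOOD_FROM_EFFECTIVENESS


@dataclass
class Risk:
    title: str
    consequence: int  # 1 (minor) .. 5 (severe), fixed by the nature of the risk
    controls: list = field(default_factory=list)
    owner: str = "unassigned"

    def likelihood(self) -> int:
        """The weakest control in the environment sets the likelihood."""
        if not self.controls:
            return LIKELIHOOD_FROM_EFFECTIVENESS["ineffective"]
        return max(LIKELIHOOD_FROM_EFFECTIVENESS[c.effectiveness] for c in self.controls)

    def score(self) -> int:
        return self.consequence * self.likelihood()


def high_consequence_report(risks, appetite: int, min_consequence: int = 5):
    """Select risks by consequence only, then flag any whose score exceeds appetite.

    Returns one dict per reported risk so the caller can render it as needed.
    """
    rows = []
    for r in risks:
        if r.consequence < min_consequence:
            continue  # excluded whatever its likelihood or overall score
        weakest = [c.name for c in r.controls
                   if LIKELIHOOD_FROM_EFFECTIVENESS[c.effectiveness] == r.likelihood()]
        rows.append({
            "risk": r.title,
            "owner": r.owner,
            "consequence": r.consequence,
            "likelihood": r.likelihood(),
            "score": r.score(),
            "above_appetite": r.score() > appetite,
            "controls_driving_likelihood": weakest,
        })
    return rows


def render(rows) -> str:
    """Plain-text rendering: no traffic lights, just controls and the decision point."""
    lines = []
    for row in rows:
        flag = "ABOVE APPETITE" if row["above_appetite"] else "within appetite"
        lines.append(f"{row['risk']} (owner: {row['owner']})")
        lines.append(f"  consequence {row['consequence']}, likelihood {row['likelihood']}, "
                     f"score {row['score']} -> {flag}")
        lines.append("  controls driving likelihood: "
                     + ", ".join(row["controls_driving_likelihood"]))
    return "\n".join(lines)


def example_reports():
    """The before/after pair from the post, with constructed ratings."""
    appetite = 10  # constructed appetite threshold on the 1-25 score scale
    title = "Unauthorised access to and/or release of confidential information"
    before = Risk(title, consequence=5, owner="CIO (hypothetical)",
                  controls=[Control("Perimeter firewall", "effective"),
                            Control("Access reviews", "effective")])
    # A low-consequence risk never appears, even with ineffective controls.
    noise = Risk("Minor website outage", consequence=2,
                 controls=[Control("Monitoring", "ineffective")])
    # After the full control assessment the firewall is found to be only
    # partially effective, which raises likelihood and pushes the score above appetite.
    after = Risk(title, consequence=5, owner=before.owner,
                 controls=[Control("Perimeter firewall", "partially effective"),
                           Control("Access reviews", "effective")])
    return (high_consequence_report([before, noise], appetite),
            high_consequence_report([after, noise], appetite))


if __name__ == "__main__":
    first, second = example_reports()
    print("First report:\n" + render(first))
    print("\nAfter control assessment:\n" + render(second))
```

Because the selection is by consequence only, the firewall finding surfaces on the report even though the score had been comfortably low beforehand, which is exactly the decision point (invest or accept) the post describes.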
The message here is that a ‘traffic light’ report or a bunch of dials is not going to provide the opportunity to make a risk-informed decision. Equally important is that the decisions will be made by those within the organisation with the necessary level of authority (see Risk Tip #7 – Risk Ownership).
With reporting such as this, the right decisions can be made on the right risks to get the right outcomes at the right time, with not a traffic light or dial in sight.