Protiviti Inc.

10/09/2024 | News release | Distributed by Public on 10/10/2024 15:02

Board Risk Reporting in Disruptive Times

Breadcrumb

Board Risk Reporting in Disruptive Times

Risk reporting to the board may not be fit for purpose in these uncertain times. Directors are trending toward expecting more dialogue, engagement and forward-looking insights based on relevant data and information. A principled approach would help.

Boards and their companies face a constant and seemingly unending state of flux in the marketplace. Emergence of the unexpected is the norm. For boards, this highlights the importance of considering broadly unforeseen developments - both internationally and domestically - that could significantly impact a company's risk profile and strategy-setting and execution. Given this state of play, we offer 10 interrelated principles underlying board risk reporting and engagement.

(1) Link risk reports to key business objectives. Reporting relevance is assured when risks are tied to business plans, and the critical objectives and initiatives communicated to the board.

(2) Feed board reporting off of management reporting. If the two are aligned with the only difference being depth of content, the reporting process is more elegant, and things get easier.

(3) Focus risk reporting on critical enterprise risks and emerging risks. These two risk categories provide a context for considering whether the scope of risk reporting is sufficiently comprehensive, forward-looking and focused. High-level updates on company initiatives in these risk areas allow the board to understand progress, or lack thereof, toward organizational agility and preparedness.

(4) Address day-to-day risks on an outlier basis and when reporting on different areas of the business. Risks that are not critical enterprise risks represent a separate category of risks that should be communicated to the board as part of periodic status reports. However, unusual significant and unexpected matters related to these risks should be escalated timely.

(5) Define and communicate who is responsible for risk management. Directors want to know that someone owns the risks that matter.

(6) Require risk owners to engage directly with the board on relevant risks. When business and risk owners report to the board, they should also disclose the most important risks they face within the context of a common framework and language.

(7) Report on whether changes in the external environment are affecting critical strategic assumptions. Risk reporting should include insights from both external and internal sources as well as from geopolitical and scenario analyses to offer an "early warning" red flag capability.

(8) Provide insights on how management ensures an effective risk management process. Directors should have at least a high-level understanding of how management identifies, sources, measures, manages and monitors the company's risks.

(9) Pay attention to directors' preferences. Our discussions with directors indicate that many want plain language reporting, crisp presentations, more insights and less detail, and more engagement and dialogue, among other things.

(10) Continuously improve board risk reporting through an iterative process. Apply the above interrelated principles with the intention of asking the board to provide feedback. Continuous improvement is a two-way street.

The above interrelated principles are discussed in more depth in this issue of Board Perspectives. They are intended to provide sound direction for the board and management to improve board risk reports and conversations that are grounded in a strategic context. There is no one-size-fits-all approach to board risk reporting. But in the end, directors want an ongoing review of progress, a focus on practical and actionable takeaways, and timely forward-looking insights on what matters as markets evolve and unforeseen developments occur.

(Board Perspectives - Issue 180)

Listen to our Board's Perspectives podcasts, which provide practical insights and guidance for new and experienced board members alike.