10 Principles for the Board and Senior Management
Following last year’s Principles for Improving Board Risk Reporting comes an updated list. This expanded set of principles comes from Protiviti’s Jim DeLoach and Rick Steinberg, CEO of Steinberg Governance Advisors. While the original six principles focused primarily on what corporate boards should be looking for, the additional four address communications around risk matters.
A year ago, I published an article in NACD Directorship summarizing six principles for improving board risk reporting. This remains a timely topic, as I continue to see senior management and risk executives focus on improving their risk reporting to their companies’ boards.
One thing is clear: there is no one-size-fits-all approach to board risk reporting. Taking an approach off the shelf rarely works. Every organization is different from a strategic, operational, cultural and organizational structure standpoint, which in turn drives different reporting to the board. However, the state of play in board reporting raises the question as to whether a principled approach might give directors and executives more direction on how to enhance board risk reporting. That question prompted my article featuring the six principles.
After I published my article, it caught the eye of a good friend of mine, Rick Steinberg. Rick and I have been in the trenches together a few times. He was the principal author of the COSO Enterprise Risk Management Framework, published in 2004 after a three-year development project, during which I served on the COSO Advisory Board. Years ago, he and I collaborated on a major governance review of a high-profile company. We occasionally compare notes on topics and send things to each other for comment. We think a lot alike.
Rick is widely published and an active consultant and public speaker, always has something worthwhile to say and is well-respected by management and board communities. After reading my article, Rick thought to add four more principles to the list. His take is that the six principles I advanced focused attention on what corporate boards should be looking for from the CEO and the senior management team. The four principles he added reach beyond the risk information management reports to the board to address additional matters boards should consider to ensure quality communications on risk matters.
With his permission, I have taken the 10 principles and massaged them into the list provided below. I see these 10 board risk reporting principles as interrelated, with an emphasis on reporting that supports managing the business and focusing senior management and directors on the risks that truly matter, enabling them to bring to bear their knowledge, expertise and decision-making in ways that add enterprise value.
- Avoid reporting to the board being the primary objective – Everyone agrees the board needs information related to the more significant risks the company faces to support the risk oversight process. But executive and operating management need this information as well. If the risk management process is designed with the sole purpose of reporting to the board, it is suboptimal, because it is not designed or executed with the intention of better managing the business. Risk management is most effective when the primary risk owners assume responsibility for managing the critical risks, including emerging risks, created by the activities for which they are accountable.
- Focus the lion’s share of risk reporting on critical enterprise risks and emerging risks – Critical enterprise risks represent the top risks that can threaten the company’s strategy, business model or viability. These risks warrant the most attention from the board’s risk oversight process. In addition, the board needs to be mindful of emerging risks that are triggered by unanticipated and potentially disruptive events of varying velocity, ranging from catastrophic events (e.g., a pandemic or hurricane) to existing risks accelerated by external and/or internal factors in unexpected ways (e.g., the impact of deterioration in underwriting standards, cheap money and demand for an endless supply of mortgage-backed securities on the subprime market leading up to the financial crisis). These two categories of risk (including interrelated risks) provide a useful context for the full board and/or specific board committees to consider to ensure the scope of risk reporting is sufficiently comprehensive, forward-looking and focused on the risks warranting the most attention.
- Address ongoing business management risks on an outlier basis and as an integral part of reporting for different areas of the business – Every business has myriad operational, financial and compliance risks. If any of these risks are critical enterprise risks, they warrant the full board’s attention with ongoing oversight by either the full board or a designated board committee. If not, risk reporting should focus on communicating these risk exposures to the board through periodic status reports on line of business, product, geography, functional or program performance, as well as escalate unusual matters requiring the board’s immediate attention. For example, if there are exceptions against established limits (i.e., limit breaches) or a significant breakdown, error, incident, loss (or lost opportunity), close call or near miss in a critical area, this could warrant escalation to the board. The point is that reporting on day-to-day risks should not be as frequent as doing so on the critical enterprise and emerging risks.
- Ensure risk reporting is linked to key business objectives – Realistic and measurable objectives support the organization’s overall strategy and business plan. The relevancy of risk reporting is more firmly established with directors when it is closely tied to business plans and the critical objectives and initiatives management has communicated to them. Some risks may affect multiple objectives, whereas others may require specific actions to address changing conditions to ensure achievement of objectives. In effect, risk reporting should be integrated with strategy, business objectives, business plans and performance management. It is less effective when it is an afterthought to strategy and an appendage to performance management.
- Use risk reporting to advance management’s risk appetite dialogue with the board – A winning strategy exploits to a significant extent the areas in which the organization excels relative to its competitors. While the risk appetite dialogue has advanced at the board level over the last five years, there is still plenty of room for improvement. Once executive management and the board agree on the drivers of – and strategic, operational and financial parameters around – opportunity-seeking behavior, the resulting risk appetite statement is a reminder of the core risk strategy arising from the strategy-setting process. Risk reporting should disclose when conditions change and the agreed-upon parameters are approached or breached. The risk appetite statement should serve as a guidepost when a new market opportunity or significant risk emerges. Ideally, risk reporting should call attention to the level of risk the organization is undertaking in the pursuit of creating value and achieving key objectives and whether risk levels are consistent with risk appetite.
- Integrate risk reporting with performance management – As noted earlier, when stakeholders (e.g., owners of corporate, line of business, product, geography, functional or program performance goals) report on performance to the board, they should also disclose the related key risks. This linkage of opportunity and risk is important, as it enables each stakeholder reporting to the board to engage in a dialogue with directors on (a) the underlying risks and assumptions inherent in executing the strategy and achieving performance targets, (b) the “hard spots” and “soft spots” inherent in the performance plan and (c) the implications of changes in the business environment on the core assumptions and desired risk levels underlying the strategy. The key is to avoid risk reporting being an appendage to performance reporting because, if it is, risk would be more likely to receive limited board agenda time.
- Report on whether changes in the external environment are affecting critical assumptions underlying the strategy – Risk reporting should provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations, commodity prices and other external factors continue to remain valid. Reporting should focus on whether changes in these factors in the external environment have occurred that could alter the fundamentals underlying the business model. Thus, board risk reporting should focus on more than performance. It should use nontraditional information and data from both management and external sources that may offer directors a contrarian view. Boards place high value on “early warning” capability.
- Provide insights on how management ensures an effective risk management process – In addition to knowing what the company’s risks are, the board wants to know how they are being managed. The board must get to the fundamentals of the risk management process – how it is designed, the way in which it is implemented and how effectively it is working. Yes, receiving information on risks is very important. But unless the board knows that management has an effective process for identifying, sourcing, measuring, managing and monitoring risks, its risk oversight is based on an incomplete picture. In effect, the board needs to have confidence that the risk management process is in place and functioning effectively.
- Clarify who is really responsible for risk management – The risk reporting process needs to help the board understand the owners of the risks that matter. Risk ownership responsibility should rest with the chief executive officer, his or her direct reports and so on, cascading downward and across the organization so that everyone with significant responsibilities is accountable for the risks sourced from their respective activities. To this end, placing primary responsibility for risk with the chief risk officer (or equivalent executive) is not effective. The chief risk officer may serve as a critical catalyst in designing, implementing and providing needed support to the management hierarchy in implementing the organization’s risk management framework, but the board needs to be assured that responsibility for risk management is where it needs to be: at the source of risk.
- Ensure that the organization’s communication channels are effective – Risk reporting should provide the board with insights as to how senior management is communicating expectations for identifying, analyzing and managing emerging and ongoing risks throughout the organization, as well as how senior management is holding managers at every level accountable for reviewing risk-related decisions and reaching agreement on how risks are to be managed. Communication channels need to be open and free-flowing, where personnel identify relevant risks in business decision-making and discuss them with the people to whom they have a direct reporting line. This is a vital part of the risk management process. Breakdowns in communication channels are not uncommon, too often resulting in bad decision-making and related losses of enterprise value. All too often, we read reports in the media of companies behaving badly, unethically or just flat out violating laws and regulations.
The above principles are not intended to prescribe specific reporting practices, but rather to offer sound direction for the board and management to pursue. Rick and I hope directors and executives reporting to the board will find them useful.