In order to make informed decisions, risk reporting must be of high quality. Managers need to be able to evaluate the suitability of the risk management methods they are employing to identify, assess, mitigate and monitor enterprise risks. Are these methods working? Do employees know when these methods are not working? What are the consequences of risk management failure? How can this risk management failure be resolved?
If the data used to identify and assess enterprise risks is flawed, regardless of how excellent the risk mitigation strategies are, the organization will just be wasting resources. One advantage of good regular enterprise risk reporting is that it helps management identify and evaluate the risk profile and risk strategy of the organization.
Poor enterprise risk reporting often leads to poor decision making and in the worst case scenario no decision making at all. Today, sources of risk data are vast. Managers need to know what to do with this data. They must be able to turn this huge amount of data into a strategic asset in the form of information and knowledge that can be used to make effective decisions capable of helping the organization mitigate risks, achieve its strategic objectives and drive business performance.
The problem so many managers make poor enterprise risk management decisions is because of basing their decisions on poor quality reports. There is little value in carrying out the processes in your enterprise risk management framework without good reporting. Thus when designing and building your enterprise risk reporting structure, it is important to ensure that the report:
- Is defined clearly: When defining the report it is important to consider the name of the report, objective(s) of the report, distribution list of the recipients, names of fields to be used, calculations required in each field, manual actions to be performed in each field and how the final report will be used. You should start considering design of the report only after the definition stage.
- Uses a common language understood throughout the organization: Employees normally have a different understanding of the true meaning of risk. It is therefore important to ensure that there is a common understanding of the terms used in the organization’s risk report. The terms used must be clear and mean the same thing to every employee who reads them. One way of achieving this involves managers running risk awareness programs/workshops or incorporating a glossary in the enterprise risk policy document.
- Highlights the important messages: Since managers have busy schedules, because of the limited time at their disposal, sometimes they just scan through the reports. It is therefore important that the produced risk report highlights the critical risk areas. The producer of the report need not assume that they possess equal enterprise risk management knowledge as the reader. By highlighting those critical risk areas that need management attention, for example through colour shades, managers will know where their focus is highly required and will therefore not spend much time in unimportant parts of the report.
- Integrates quantitative and qualitative information: Enterprise risk management generates both quantitative and qualitative data thus both sets of data must be interlinked in risk reports. Relying on one set of information to report risks leads to treating risks in isolation and in turn flawed decision making.
- Uses reliable quality data: The quality of data used in enterprise risk reporting is critical to making informed decisions. How reliable are your risk data sources? Failure to fully embed ERM throughout the organization leads to poor data quality as risk and control assessments are still not yet accepted. Continuously using data of poor quality to produce reports used by senior managers to make strategic decisions can cause them to make poor and loss-making decisions and this in turn affects buy-in of ERM throughout the organization.
- Guides effective decision-making: Are your reports stirring up action? Many at times managers receive reports that are useless. A lot of time and resources is spent producing these reports but they serve no purpose in aiding effective decision-making. In addition to highlighting values, a good risk report must guide managers in deciding whether or not action is required. If the produced reports fail to highlight the need for action or some form of decision, then their existence should be question.
- Is produced in a timely manner: Let us suppose that risk reporting is done on a monthly basis, chances are that values in the report will change monthly, there is no point in producing a risk report halfway through the month as the report would have relatively little value. It is therefore important to ensure that reports are produced in time to enable management make use of them and embed ERM throughout the organization.
- The report’s structure is evaluated continuously: In a constantly dynamic and volatile business environment, the organization’s risk profile, indicators and controls is also most likely to change. This therefore signals a need for change in the structure of the organization’s risk report. For example, if the risks confronting the organization increase in number, the risk report(s) can easily grow in both length and number. It is therefore important for the report producers to establish what information really matters to the audience for whom the report is intended.
- Enables risk ownership: Management need to take ownership of the information contained in the risk report. Thus a risk owner must be identified and this can either be an individual or a department or business line. A good risk report should enable the risk owner to take action when required to.
- Is integrated with other processes: Organizational risks do not happen in isolation. Other business processes play a part and these should be taken into account when reporting enterprise risks. For example, by taking into account audit conclusions, resources will not be wasted as a number of people seek to solve the same problem. Also, taking into account of other processes reduces confusion and chances of inaction as the report will indicate risk acceptable actions from the other processes.
Good reports are essential to good enterprise risk management. Thus a good risk report should be able to deliver information in such a way as to support informed business decisions on the organization’s risk profile.
What else would you say are the qualities of good enterprise risk reports?
I welcome your thoughts and comments.