Risk Reporting

Introduction:

A good risk management framework anticipates, detects, acknowledges and responds to changes and events in an appropriate and timely manner. Risk reporting provides a regular mechanism to direct updates to key stakeholders, ensuring the right information is given to the right people, at the right level, at the right time. As a minimum, this is delivered by ‘Enterprise Risk Management’ teams on a quarterly basis to support an ongoing narrative of information. In doing so, risk reporting enhances the quality of organizational decision-making, informs prioritization of activity, and strengthens organizational oversight.

The benefits of regular risk reporting include:

  1. Embedding a consistent understanding of principal and emerging risks, thereby reducing the uncertainty of outcomes within an organization.
  2. Monitoring progress in achieving or maintaining tolerable or optimal Risk Appetite positions across an organization.
  3. Enabling an organization to understand the effectiveness of internal controls and take direct, timely and informed interventions as required.
  4. Integrating risk, planning, performance and prioritization discussions to enable informed consequence-based decisions.
  5. Providing assurance to stakeholders, including oversight bodies, that risks are understood and being effectively managed.
  6. Providing oversight of business activities, enabling a dynamic response to unplanned events threatening delivery of priorities and strategic objectives.

Developing Risk Reporting:

The board, supported by the Audit and Risk Assurance Committee, should specify the nature, source, format and frequency of the information that it requires. This information should support the board to:

  1. Assess whether any changes are required to strategy and objectives.
  2. Assess whether decisions are being made within its risk appetite to successfully achieve objectives.
  3. Review the adequacy and effectiveness of internal controls.
  4. Revisit or change policies, reprioritize resources, improve controls, and/or alter their risk appetite.

Enterprise Risk teams should therefore develop and deliver clear, informative and useful reports or dashboards highlighting key information enabling effective management. This information should provide visibility against each principal risk, compare results against key performance/risk indicators, indicate whether these are within risk appetite, assess the effectiveness of key management actions and summarize the assurance information available. Reports should include qualitative and quantitative information where appropriate, show trends and support early warning indicators. Understanding and decision-making should be supported through the presentation of information in summary form and the use of graphics and visualization.

Scope of Risk Reporting:

Risk reporting should provide analysis and insight on the strength and effectiveness of risk management activities. Risk reports should be framed around requirements set out by the commissioning parties. These commissions may include direction on the:

  1. Cost, frequency and timeliness of reporting.
  2. Integration with other matters, including planning and performance management processes.
  3. Links to organizational objectives, priorities and decision-making.
  4. Method and format of reporting.
  5. Scope of principal risk updates.
  6. Stakeholder requirements.

Commissioning bodies should scope reporting requirements that best support delivery of their roles and responsibilities. Expectations should be scaled against organizational maturity, and developed and improved over time, in line with the capacity and capability within the risk team.

To support oversight and governance arrangements, risk reports should also reflect pertinent information relating to Arm’s Length Bodies (ALBs). Effective relationships and partnership working between departments, ALBs and other delivery partners ensure a proportionate approach to monitoring and reporting risks.

Purpose of Risk Reporting:

Risk reporting should be focused on supporting organizational needs and will typically present updates to enable:

  1. An assessment on the nature, status and trends across the risk profile.
  2. Areas of concern across the organization, which may impair the delivery of objectives or priorities.
  3. Consideration of factors which impact on or may be impacted by principal and emerging risks.
  4. The review of information relating to interdependencies or macro environmental concerns.
  5. Necessary decision-making and prioritization activity.
  6. The identification and management of potential areas for improvements within risk management activities.
  7. Progress updates in achieving optimal or tolerable risk positions.
  8. An overview of risk management activities and outcomes across the organization.
  9. The transmission of useful information that informs interaction with stakeholders, including those with responsibility and accountability for risk management activities.

Optimally, risk reporting should be delivered as an integrated product complementing pertinent planning and performance data. Integrated reporting better supports organizational governance, oversight and informed decision-making. Care should be taken not to duplicate information from other governance reporting; rather this should be signposted and aligned in risk reporting.
