5 Tips to Making Board Risk Reports Meaningful Tools for Decision-Making

The year is flying by as we’re well into the second quarter already. Q1 board risk reports should be done, assuming your company prepares one quarterly, and you are likely getting ready to prepare a midyear update.

As I discuss in The Ultimate Primer for Effective Risk Reporting, board risk reports serve a dual purpose…

On one hand, they provide the Board with assurance that management understands risks to objectives and is taking steps to address them…to “take stock” as Norman Marks puts it in his book World-Class Risk Management.

On the other, as these scenarios show, boards are increasingly expected or even required to play an active risk oversight role. No longer can they claim they were unaware. To illustrate this emphasis, consider how:

  • The latest iteration of the COSO standard lists “reporting” as a core component, including a lengthy section specific to board risk reports.
  • Legislation passed in the wake of the 08/09 financial crisis (…commonly known as Dodd-Frank) requires bank holding companies with more than $10 billion in assets to have a separate board-level risk committee.
  • Risk oversight is one of four pillars institutional investor Vanguard Group uses to evaluate corporate governance practices and the stability of companies the firm invests in. Standard & Poor’s also carefully evaluates overall risk controls and oversight before assigning a credit rating. As this open letter to Boards from Vanguard explains:

Risk and opportunity shape every business. Shareholders rely on a strong board to oversee the strategy for realizing opportunities and mitigating risks. Thorough disclosure of relevant and material risks – a key board responsibility – enables share prices to fully reflect all significant known (and reasonably foreseeable) risks and opportunities.

Despite this obligation and the increasing significance of robust board oversight of risks, many companies struggle with developing board risk reports that deliver actionable information in an easy-to-digest way.

According to NC State’s annual State of Risk Oversight report from 2020, many companies do report risks to the Board regularly, but close to two-thirds of respondents either have ad-hoc reporting or no structural process and minimal reporting. The level of satisfaction is rather low as well, with over 40% of respondents claiming they are “not at all” or “minimally” satisfied with the quality of reports they receive. (Personally, I feel an obligation to see that satisfaction in the quality of reports increases…and fast!)

Developing risk reports that Boards find helpful for oversight and decision-making…

The original article on risk reporting includes many general tips for developing reports regardless of the audience. For example, many organizations use very technical terms in their reports that only risk managers really understand. Instead, take care to use only language the enterprise already uses.

One point I mention in the risk reporting article and want to reiterate – how board risk reports are put together will vary from one company to the next, so it’s impossible to provide a specific outline, or as COSO puts it:

Management provides any information that helps the board fulfill its oversight responsibilities concerning risk. There is no single correct method for communicating with the board…

However, there are five general tips for developing effective board risk reports, including:

  1. Keep reports high-level – board risk reports should be general in nature and only include top risks impacting objectives. They should prompt discussion on how to proceed, whether through mitigation measures, additional risk taking, or a change in the strategy.
  2. Don’t copy/paste top risk reports – many companies will simply relay information found in top risk reports from the World Economic Forum, NC State, or industry-specific surveys. It’s okay to refer to reports like this, but you should refer the Board to the most relevant risks to the organization. In other words, you can use those surveys and reports as a comparison tool, but don’t assume that if a risk is on the survey, it has to be a major risk for your organization.
  3. Outline what actions are being taken already – with the relevant risks in hand, discuss at a high level what the company is already doing and compare it against what similar organizations are doing. This benchmarking activity helps the Board understand where the company currently stands and what it needs to focus on.
  4. Highlight priorities going forward – the benchmarking activity helps the Board see where things stand as it is, but they will still need direction on actions and priorities for dealing with top risks and opportunities. If your company’s experience is similar to those of your peers, then priorities will be the same, but if your experience is more unique, priorities will be much different.
  5. Utilize visuals – in order to make information on slides more digestible, use visuals when possible. As I discuss in this article, surveys show that 65% of people are visual learners. Keep in mind that, instead of packing as much text as possible into one slide, it’s okay to have more slides if it helps the audience comprehend the information better and more quickly.

When recently helping a mid-sized medical device client develop a risk report for their board, we didn’t refer much to global reports like those from the World Economic Forum. Instead, we focused more on manufacturing outlooks, other industry-specific information, and reports for comparably sized companies, comparing that information against where the company currently stood.

What we discovered was that actions the company took in 2019 and early 2020 helped it better weather last year’s storm, so its priorities going forward didn’t particularly align with competitors.

The Board was able to understand this clearly from the report and use the information to ask management targeted follow-up questions.

How frequently do you produce board risk reports? How does your company’s Board use these reports to better understand risks and help ensure management is handling them adequately?

As NC State’s annual survey shows, many companies struggle to develop actionable board risk reports. Improving this is critical to ensuring ERM is viewed as a helpful tool for guaranteeing the company’s success and not just another check-the-box exercise. To share your perspective, please leave a comment below or join the conversation on LinkedIn.

And if your company is struggling to develop board risk reports that are helpful for decision-making, reach out to me to discuss specific weak spots, needs, and potential options. 

Featured image courtesy of Benjamin Child via Unsplash.com

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
