
How Often Do Results from Risk Monitoring Need to Be Reported?

One of the saddest things to watch or experience is something being wasted after putting in a ton of effort.

But it’s happened to all of us in one way or another.

The best everyday example is losing a document you’ve worked long and hard to write…all because you didn’t click ‘save’ or you accidentally clicked a wrong button. This has happened to me more than once over the years, and it’s frustrating and demoralizing all at the same time.

In the case of ERM, not being diligent in reporting results from risk monitoring can result in the same outcome; that is, all of the effort up to this point goes to waste.

However, there’s only so much time in the day for both you and decision-makers. It’s easy to get overwhelmed – both as a ‘producer’ of risk reports and a ‘consumer’ of them, which is why prioritizing what you report is so important.

Another reason for prioritizing the content of your reports is to ensure any reports are valuable for decision-making and not useless fluff or things executives already know. Roughly 25% of respondents to NC State’s most recent State of Risk Oversight Report indicate they are ‘completely’ or ‘mostly satisfied’ with the quality of reports they receive. Talk about sad.

You can relax – I am not going to suggest that you add yet another item to your never-ending to-do list.

Today’s article is an outline or guide on how to prioritize the reporting of risks your company is monitoring.

The answer to how often results from monitoring need to be reported is, like the answer to so many questions, ‘it depends.’

That probably isn’t the answer you were hoping for, but like I’ve discussed before, every organization is different and not all risks are created equally.

It’s also not something as simple as preparing reports or updates monthly, quarterly, or yearly. There are nuances to the frequency of reporting monitoring updates to meet the conditions mentioned above and to ‘tell the story right.’

Reporting your monitoring results, or rather the triggers of when executive leaders and the Board should be receiving reports, can be broken down based on the following four levels or hierarchies.

#1. Action Plans

This is the most granular level, as these typically will not affect the organization at the highest level. The company is monitoring specific risks that have an action plan based on a response decision. Each action plan should have key milestones at which point ERM will check in with the risk owner for a status update. If the risk owner is struggling to implement the action plan, further investigation can be done to identify obstacles and concerns and to determine if any extra resources are needed.

This type of conversation is the trigger to communicate or report these issues to management for a decision.

If everything is going better than expected, then a report is not needed unless management needs information to redirect resources.

Once an action plan for a risk is complete, the new mitigations and controls will be included as part of the next assessment. Any substantial changes to the mitigations and/or controls could warrant a report so executives have the information they need to decide about the next steps.

#2. Risks

Next up the hierarchy are risks themselves, which can be broken into four different buckets: urgent decision, decision, monitor, or accept. Which of these buckets a specific risk falls into will depend on its impact, likelihood, and possibly other metrics like velocity.

When it comes to close monitoring, only the first two buckets will be relevant as these are the risks that could impact the company in a drastic way. This is where key risk indicators (KRIs) enter the picture.

Part of identifying a KRI for a risk will involve setting various triggers – targets for where you want the metric to be, thresholds for what will make leaders nervous, and limits to indicate what number is considered ‘no man’s land.’

A key element when discussing the KRI to use for a risk is how frequently the metric is updated. If the metric is only updated 2x a year or annually, find another metric to use. The monitoring activities associated with the KRIs will follow the metric frequency. If a pre-determined threshold on one of those high-level risks is breached, a report may be warranted to obtain guidance on how executive leaders want to proceed.

#3. Objectives

We say with increasing regularity that every risk needs to be linked to an objective, whether business or strategic. In the end, objectives are ways of describing what your company needs to achieve and what company leaders really care about. They are not going to be concerned about a low-level risk, but instead those things that could help or hinder the achievement of objectives.

Key performance indicators, or KPIs, are metrics companies can use to determine if they are achieving their goals. Like our risks, there should be targets, thresholds, and limits that will need to be set as part of the planning process. Just like with the KRI, a key element when discussing the KPI to use for an objective is how frequently the metric is updated. If the metric is only updated 2x a year or annually, find another metric to use. The monitoring activities associated with the KPIs will follow the metric frequency. When these thresholds are nearly breached, further investigation, analysis, planning, and subsequent reporting are appropriate.

The monitoring and reporting of objectives carries the greatest significance since any change at this level can impact both the company’s strategy and its overall mission.

#4. Context

Overlaying action plans, risks, and objectives is context, or the company’s internal and external environment surrounding the objective, the risk, and the action plan. Monitoring context means conducting an environmental scan to identify (inevitable) changes that will affect the areas above.

Internal ‘context’ can consist of understanding how adopting a new technology, changing a business process, or a turnover in corporate leadership can change a risk.

On the external side, things like the economy, legislation, or geopolitical events can affect a company’s objectives and risks.

Monitoring changes to internal and external context should trigger additional conversations and possibly reports on how they will impact objectives and risks.

Can you spot the one common thread between each of these areas when it comes to reporting?

It’s change – change in some sort of indicator, metric, or threshold.

It’s not a certain time interval or providing a pre-determined list to executives. Taking that type of approach, which is what many legacy ERM resources suggest, simply isn’t compatible with the needs, much less the busy schedules, of today’s executives.

Only if and when there is a change do any reports need to be prepared, and even then, they need to be tailored to the specific situation and recipient.

Any other approach can lead to the negative impression that ERM is a check-the-box activity with no real value for ensuring the company’s success.
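The change-triggered rule described above, worked through for a single KRI, as an added example that is not from the article: the metric carries the three triggers the article names (target, threshold, limit), a metric updated only twice a year or less is rejected, and a report is raised only when the indicator moves into a worse band, not on a calendar schedule. The KRI, its values and the 10% ‘nearly breached’ band are constructed assumptions, and the code assumes a higher value is worse.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example KRI shape, not from the article. Assumes higher is worse
# (e.g. count of unpatched critical hosts).
@dataclass(frozen=True)
class Kri:
    name: str
    target: float        # where leaders want the metric to be
    threshold: float     # value that makes leaders nervous
    limit: float         # 'no man's land'
    updates_per_year: int

NEAR_BAND = 0.10  # assumption: within 10% below the threshold is 'nearly breached'

# Ordered from best to worst so a move "up" the list means a worsening change.
BANDS = ["on_target", "near_threshold", "threshold", "limit"]

def usable_for_monitoring(kri: Kri) -> bool:
    """Article rule: a metric updated only 2x a year or annually is not usable."""
    return kri.updates_per_year > 2

def classify(kri: Kri, value: float) -> str:
    """Place a single observation into one of the four bands."""
    if value >= kri.limit:
        return "limit"
    if value >= kri.threshold:
        return "threshold"
    if value >= kri.threshold * (1 - NEAR_BAND):
        return "near_threshold"
    return "on_target"

def report_trigger(kri: Kri, previous: Optional[float], current: float) -> Optional[str]:
    """Change-driven reporting: a report is warranted only when the KRI moves
    into a worse band. Steady or improving readings produce no report."""
    now = classify(kri, current)
    before = classify(kri, previous) if previous is not None else "on_target"
    if BANDS.index(now) <= BANDS.index(before):
        return None
    return f"{kri.name}: moved from {before} to {now} ({previous} -> {current})"

def reports_for_series(kri: Kri, values: List[float]) -> List[str]:
    """Walk a series of monitoring readings (at the metric's own frequency)
    and collect only the readings that actually warrant a report."""
    reports: List[str] = []
    previous: Optional[float] = None
    for value in values:
        trigger = report_trigger(kri, previous, value)
        if trigger:
            reports.append(trigger)
        previous = value
    return reports
```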

What triggers you to report on action plans, risks, and objectives?

I’m interested in hearing your thoughts on this dynamic topic, which you can share here on LinkedIn.

If your company is struggling to determine how to best prepare reports for maximum value to decision-makers, please reach out to me to discuss your current state and potential path(s) forward.


Meet Carol Williams, SDS Founder & Lead Strategist
