Reporting should be incidental to any risk management process. As the last year has been quite the rollercoaster ride, it’s time to review your risk reports to ensure that your Board is seeing its latest state of risk, including ‘emerging risks’ and gaps in control measures, in order to be more effective looking ahead.
With so many internal and external variables, companies must take the time to review and report on existing and emerging risks, as well as on their risk management process, so that all bases are covered and they can remain as resilient as possible. The coronavirus pandemic may not have been something that many saw coming, but it has significantly changed how businesses are run and imposed long-term consequences. By evaluating and reporting on your risk data and process, you can put your organisation in a better position to recover. There are three reports in particular we recommend producing: a risk profile report, a changes in risk report and a risk performance report.
Risk Profile Report
Organisations usually record about twenty or so risks to ensure that their risk register robustly captures the key risks and prepares the company to control them. Directors often like to see risks based on their potential impact (i.e. inherent risks) and how the controls in place can help alleviate them, rather than a ‘residual risk rating’ (i.e. the amount of risk remaining once control measures are applied). In other words, it's preferred to report on risks and control measure effectiveness rather than on the level of residual risk.
A risk profile report that is sent to management generally should address:
- What are the most significant risks and why
- How these are being controlled
- Any particular control gaps and how these are proposed to be filled
Your risk profile report and risk registers should already report on risks, control measures and their effectiveness, so if you use a software system like RiskWare, you can automatically generate a report with this information.
Changes in Risk Report
Especially after a year like this one, changes in the internal or external environment have most likely left your existing risk register a bit dated. As a result, for the upcoming Board meeting or summary email, you may need to generate a ‘change in risks report’ so you can share the new information that previous registers didn’t capture.
Considering the times we’re in, it’s important to assess the changes in key risks and how they affect financial performance, and to highlight the key reasons these risks might happen.
Government or market forces are external forces that may require you to note ‘emerging risks’. These should be added to the report to highlight the effect of recent changes and how they've impacted usual business operations.
Example Change in Risk Report
| Risk | Change in Risk Rating | Change in RCE | Change in PE ($m) | Reason for Change |
|---|---|---|---|---|
| Legislation changes alter our market | ↑ | ↔ | ↑ | We expect new legislation after the current state elections. |
| Global warming reduces our client base | ↑ | ↑ | ↑ | We have discovered that we are much more vulnerable to global warming than we expected. We have few valid controls in place. |
| Because of competitive pressures we are unable to attract and retain staff | ↔ | ↑ | ↔ | A recent audit showed that our current staff retention strategies are deficient. |
| Interest rates rise and this threatens our growth plans | ↓ | ↔ | ↔ | Although we are highly geared, the reserve bank is not expected to raise rates in the near future. |
| Our competitors develop a cheaper product that undermines our market | ↑ | ↔ | ↑ | The market is getting bigger but we are maintaining our product development program. |
Risk Performance Report
Governance requires that the quality and maturity of the risk management process be assessed frequently. According to the ASX Governance Guidelines, the Board will need to assess that the risk management process is ‘operating efficiently and effectively in all material aspects’, which brings us to a risk performance report.
A Risk Performance Report normally contains:
- The up-to-date risk management plan for the company, division or area;
- A description of the progress in implementing the risk management plan since the last report;
- An objective and structured assessment of the level of risk management maturity and the change since the last report;
- Performance against risk management performance indicators where these are used.
These three reports will ensure that the recovery process from the pandemic is well thought out, that there are measures in place to control risks (even emerging ones), and that you have a system in place to thrive.
If your organisation is looking to improve its enterprise risk management, software like RiskWare can provide the structure and support you need. Our team always has time for a conversation. Don't hesitate to get in touch!