Communicating the status of material risks: three common approaches and three alternatives
How do you talk with your board and executive committee about material risk? For many risk leaders, finding effective ways to communicate with their senior leaders about the status of risks represents a major challenge.
Below is a high-level summary of six approaches in the benchmark:
Three common approaches
Although the nine companies in the benchmark detailed different approaches to communicating material risk, a clear majority monitor material risk exposure against appetite:
1. Appetite anchored to top risks; risks outside appetite accepted
Risks that sit outside of appetite are accepted where remediation isn't possible
If risks outside appetite are possible to remediate, they will be treated
Risks outside appetite do need to be within tolerance limits if they are to be accepted.
2. Appetite anchored to top risks; risks outside appetite discussed
If risks are within appetite, no action needs to be taken
When risks are outside of appetite, these need to be reduced through mitigation (or taking more risk)
For those risks that are marginally out of appetite (but still within tolerance), a qualitative discussion is had to decide what action to take
Factors that influence this decision include looking at what the risk is tracking; for example, is it going to move outside of tolerance if nothing is done?
Where do these insights come from?
To help a Risk Leadership Network member who wanted to find more effective ways to communicate with their senior leaders about the status of material risks, we produced a bespoke benchmark report. To prepare this benchmark, Communicating the status of material risks: 9 approaches in brief, we conducted a short survey of nine large, listed companies. As part of the survey, they shared the terms and thresholds they use to discuss material risk. We then followed this up by facilitating a series of 1-to-1 bespoke meetings so that the member could dig deep with risk leaders who had implemented an effective approach. Risk Leadership Network produces bespoke research and reports across a range of risk topics that address specific member needs and priorities. Take a look at more of our tailored solutions to address member priorities in our case studies.
3. Appetite anchored to top risks; all risks must be reduced within range
Any risks outside appetite must be reduced within range
The board may need to revisit (and even update) the company's risk appetite statement if it decides to accept a higher level of risk for a specific risk that is outside appetite.
One company that takes this broad approach has a specific escalation plan they use in the event of breaches:
“If a risk falls outside of appetite, it is immediately escalated to the audit and risk committee (ARC), who discuss how to reduce that risk within appetite. However, if a risk is within appetite, but looks like it could move outside in the near future, it can be escalated to the executive leadership team.”
CRO
FTSE-listed organisation
Three alternative approaches
You may want to consider three alternative approaches, used by risk leaders at large listed organisations, in our benchmark:
1. Appetite anchored to objectives
Tie appetite to business and strategic objectives
When a risk is outside of appetite, it needs to be treated and prevented from happening again (or, if it is an upside risk, pursued if appropriate)
If a risk is within tolerance, then efforts are made to address these issues with performance and, in doing so, minimise exposure
A risk is within tolerance if performance is inside KPI and KRI ranges, but not meeting targets.
2. Appetite anchored to risk categories
Appetite is set for categories of risk
Any appetite statement is formed as a professional judgement and not totally objective
A risk only moves outside of appetite when the level of risk exposure is not in the KRI target range and the residual risk is "very high" (and showing an increasing trend) or "extreme".
3. Risk status for material risks rather than appetite
Risk status and action rating over appetite
Instead of communicating about risk through an appetite lens, risk status and an action rating are used (although appetite is still assigned to risks).
If a risk is well controlled, a 'no action' or 'low action' rating is assigned.
"Well controlled" means that controls are effective at minimising likelihood and reducing impact.
If a risk requires some improvement, a 'low' or 'medium action' rating is assigned.
"Requires some improvement" means that the risk is not well controlled but likelihood or impact are not meaningfully increased as a result.
If a risk requires significant improvement, a 'high action' rating is assigned.
A 'low action' rating for this particular organisation means the risk should be resolved within 12 months, a 'medium action' rating is six months, and a 'high action' rating is just three.
While members found value in validating their approach against other risk leaders through this benchmark, there was a lot of discussion in the subsequent 1-to-1 meetings about the implementation of alternative approaches. This enabled the CROs and heads of risk involved in this collaboration to introduce new approaches equipped with lessons learned by other risk leaders.