How risk reporting is evolving: 4 key trends
Risk leaders in our network spend nearly a third of their time preparing reports. What’s more, risk reports are commonly viewed by the board as a proxy for the risk function’s overall performance, which only emphasises their importance.
It’s no surprise, then, that we’ve facilitated hundreds of bespoke collaborations for risk leaders in our network in 2024 around risk reporting. Here are some key trends from the year:
1. Thematic reporting
Many risk leaders in our network share an ambition to change the focus of risk reporting, from a review of the overall risk register to an analysis of “risk themes”.
According to members, this can stimulate a more purposeful and engaging discussion with the board around risks that impact the achievement of strategic objectives.
This includes emerging risks. According to our recent benchmark, Emerging risk - risk leader approaches, around 60% of risk leaders now incorporate emerging risks into strategic planning and decision-making processes.
In terms of how overarching risk themes are identified, some organisations use a custom risk taxonomy. This can be developed by mapping risks to the organisation’s value chain, aligning with guidelines (e.g., ISO/COSO) or aggregating risks from the bottom up.
Bespoke benchmarks on risk reporting
In response to the priorities raised by specific members, we regularly produce bespoke benchmark reports. Recent reports include:
Book a discovery call to find out more about bespoke benchmarking through Risk Leadership Network membership.
2. Aggregation of risks
According to risk leaders, aggregating your risk ecosystem can be an effective way to optimise time and engagement with the board, which is often limited. Why is this?
As risk leaders ponder how to monitor, manage and report on cross-functional risks that span multiple parts of the business, risk interconnectivity has emerged as another growing trend in risk reporting.
Case study: Incorporating risk interconnectivity into reporting
A practitioner in our network has explained how integrating risk interconnectivity and reporting has helped them to better articulate risk within their organisation. Working with the strategy team, they reviewed key assumptions of the organisation’s strategy and identified six interconnected risks underpinning these assumptions. This information was used for scenario analysis and as an input for business planning, which helped the practitioner to demonstrate, during reporting, how risks might combine to impact the achievement of objectives.
Discussions on the topic of risk interconnectivity also focus on the potential applications of risk data and technology. With so many related risks across a business’s ecosystem, understanding the connections and deriving insights from this will require technological solutions, including artificial intelligence.
4. Risk effectiveness vs performance
One question is still being considered by risk leaders in our network: should risk reports focus on “risk effectiveness” or “risk performance”?
While performance reports present a more traditional view of risks across an organisation, risk effectiveness reports tend to be shorter and more focused. Their purpose is to give the board and committees comfort that risks are being managed in line with the established framework and processes, without specific detail on how they are actually being addressed.
Furthermore, risk effectiveness reporting might also track a range of metrics to give leadership teams a broad perspective of how well risks are being managed. These include:
- Number of actions completed in an improvement plan
- Number of priority risks without controls
- Number of controls not assured
Based on collaborations we have facilitated, this type of reporting is often popular at companies undergoing a risk maturity uplift, where the board is focused on capability building.
Effectiveness reporting is also preferred by some mature organisations, where a few pages on control effectiveness are accompanied by exception-based performance reporting. In this case, further detail is only provided around top risks that are outside of appetite or failing to meet key effectiveness criteria.
What's next?
If you would like to find out how we can support you with a specific challenge or priority you're facing, please book an introductory call.