How to create standout risk reports that demonstrate the real value of Risk
Risk management - and the risk team itself - can gain greater traction with senior leaders and the board if risk reports centre around a few key principles: know your audience, make it relevant, hone the narrative, visualise your risk, and provide a future outlook. From examples contributed by our membership, we've aggregated the core components that make up effective risk reporting.
As risk leaders look for a way to advance their risk reporting frameworks and better engage the business on risk, the next step for many risk teams is finding a way to add demonstrable value to the business through reporting.
With this in mind, we have distilled key insights shared by risk leaders in our membership to produce this article. It provides a high-level overview as to why risk reporting is important, how risk teams can effectively report risk to senior leaders, and how businesses report risks to the wider world.
It also underlines the importance of evolving your risk reporting process so that it remains relevant and continues to meet the needs of business leaders, as well as the wider pool of external stakeholders who keep a watchful eye over how the organisation is managing its risks.
1. What is risk reporting and why is it important?
a. Risk reporting definition
It is not enough for the risk team to identify threats and opportunities to the business and monitor them in a silo. Ultimately, the purpose of the risk management function is to support the rest of the business to manage its risks better. This is where risk reporting comes in.
Through the risk reporting line, risk teams typically feed information up to the audit and risk committee and/or the executive board to raise awareness of any new risks to the business, provide updates on the status of existing risks, and potentially get senior leaders' buy-in for risk projects (see section 2a on common risk reporting lines).
With this information, senior leaders (especially risk owners) can cascade responsibility for the steps that need to be taken to the relevant parts of the business. For instance, if the risk team had determined that health and safety risks have become more probable based on indicators, the risk owner (with the support of the risk function) can work with parts of the business to strengthen controls and mitigate the potential risk.
b. What's the difference between internal and external risk reporting?
Reporting to whom?
- Internal risk reporting is delivered by the risk team to their direct report - which in some cases is the board itself.
- External risk reporting is conducted by the business on a yearly basis via the organisation's annual report. This lets external stakeholders, such as investors, know what risks the business is monitoring and how they are being managed.
What frequency?
- Internal risk reporting tends to happen on a more frequent basis for the business to be agile enough to anticipate and respond to risks.
- External risk reporting is less frequent, as it's produced for the company annual report.
How does the content differ?
- Internal risk reporting has greater depth than what is covered in a typical risk section of a company annual report. With more detail and no mandated requirements, the report is tailored to the needs of the business, focusing on action points.
- External risk reporting is a briefer, high-level overview of the risks the business is focusing on. The content is often dictated by the mandates of the jurisdiction the company is in. These require listed businesses to include certain information in their reports (e.g. since April 2022, the UK has required listed businesses to report on their climate-related financial disclosures).
c. When and how often should companies generate risk reports?
According to two benchmark studies we've conducted recently:
- It is most common for risk reports to be generated quarterly, regardless of the company's risk operating model. This is because, for most companies, the CRO or direct report of the risk team (for example, the chief financial officer) reports to the audit and risk committee (ARC) or the board once a quarter. This places a requirement on the centralised or decentralised group risk function to review their risk registers, indicators and other data sources and prepare their report on a regular basis.
- When risk teams report directly to the board, 48% of businesses generate and deliver risk reports on a biannual basis.
- 69% of companies report quarterly into the audit and risk committee.
Two risk reporting benchmarks
To help members of Risk Leadership Network with their risk priorities, we've recently conducted two benchmark studies on risk reporting:
1. Risk reporting to the ARC and board
This ongoing survey benchmarks the processes, content and formats of risk reporting for 120+ leading companies from around the world. Take the self-assessment and you'll instantly get a bespoke benchmark report that compares your (anonymous) answers against the latest data.
2. Risk operating models - the market benchmark
This extensive report highlights trends in risk operating models, reporting lines and risk responsibilities. We've aggregated data and insights from over 50 multinational companies from around the world spanning 15 sectors, mixing extensive quantitative data with in-depth one-on-one interviews. Download the full benchmark report or read some key learnings from the benchmark in our most recent analysis.
d. How can risk reporting add value to a business?
It is one thing to improve the quality of different aspects of your risk reporting, but the key question risk leaders are asking themselves is, how can risk reporting add value to the business? Having the answer to this question is what will get you noticed by senior stakeholders and business decision-makers.
Three ways risk reporting can add value to a business
2. How do risk teams report on risk to the business?
a. Most common risk reporting lines used by businesses
A typical risk reporting structure at most businesses will see the risk team report information up to senior management and the board. However, the risk reporting lines that sit beneath this broad structure tend to differ from company to company.
Based on research we have conducted with a range of practising risk managers across multiple sectors in our global benchmark on risk operating models, two risk reporting lines stand out:
- For companies with a 'head of risk', the most common reporting line is to the organisation's chief financial officer (CFO), who would be responsible for providing feedback on risk at board-level management committees.
- For companies that have a chief risk officer (CRO), approximately half of them have a direct reporting line into the CEO and the board on risk. This is a particular trend amongst heavily regulated organisations, such as financial institutions.
While these two reporting lines stand out from the rest, the graphic below highlights the diversity of risk reporting lines currently being used by organisations - many heads of risk report into general counsel, while the number of risk teams who report into a chief strategy officer is on the rise, indicating a movement towards integrating risk with strategy at many organisations.
There are many variables at play that may influence the risk reporting lines certain cohorts of businesses have in place. Companies within particular sectors may be more likely to have a specific type of risk reporting line, while geography is also a factor - for instance, European-based companies tend to have a CRO who reports into the board. Download the benchmark for more trends and analysis.
b. Create an effective risk reporting template
In order to standardise risk reporting and ensure consistency, most risk teams use a template to structure their risk reporting. When preparing their risk reporting template, risk leaders should consider who the audience will be and factor this in when deciding what details (and how much) to include.
If the answer is a member (or members) of the executive committee, several of whom may be risk owners, you may want to include more practical information to help them understand how to manage these risks better. However, if the report is going to the board, it may be better to keep information high level so that they are not overwhelmed with the specifics and are more likely to engage.
Our Risk reporting to the ARC and board benchmark highlights divergences between the reports delivered to these two entities - for example:
- 55% of those contributing to the benchmark agree that ARC and board reports require different content.
- 30% of companies comment that their board reports are more strategic, while 20% note that ARC reports focus more on the short-term impact of risks.
What almost all risk leaders agree on is that risk reporting should be used to anticipate and answer questions before the audience asks them - this is a key part of building trust with the board (see section 2e, Get buy-in from the board and ARC).
So, what might you include in your risk reporting template?
Based on our discussions with risk leaders, here are some common sections featured in businesses' risk reports:
Risk reporting models for the ARC and board
This analysis takes a deep-dive into the key reporting models used by over 50 multinational organisations using data from our benchmark.
Download here.
c. Source information by using the right indicators
According to risk leaders, the main challenge when it comes to sourcing data for your risk report is identifying a single source of truth, especially if there are multiple legacy systems to combine and different processes across the business for collecting risk information. The latter is a particular obstacle for large, multinational organisations with a decentralised governance structure.
Ultimately, to have confidence in your risk reporting, you need to have confidence in your key risk indicators (KRIs). Many risk leaders define a set of relevant and manageable KRIs by adopting a quality-over-quantity mindset, focusing on indicators that i) actually matter to the organisation and ii) are not too complex to monitor and update regularly.
To make these KRIs reliable, it is important to establish clear ownership for gathering and inputting information. In most cases, this will mean risk owners taking responsibility for their risk registers and checking that tasks have been completed consistently and at the right time. Many risk teams also remain on hand to support risk owners and challenge the data provided when necessary.
In addition, indicators are most useful when they have a dual purpose: to monitor an increase (or decrease) in the likelihood of any given risk, and provide an insight into the potential impact and appetite of the risk.
Examples of key risk indicators across three key sectors: Health, safety and security; IT; People.
Connecting your suite of indicators to risk appetite will help to keep the threat and opportunity aspects of risk in balance. While it is vital to wave the red flag to executives and the board when too much risk is being taken, not taking enough risk should also be highlighted in risk reports.
d. Engage stakeholders with visual risk reporting
When preparing a risk report, risk teams have to consider what will engage senior leaders - an overabundance of narrative and text, or visuals that communicate ideas simply and efficiently.
For most companies, a visual representation of how the business' principal/material risks are developing - most commonly displayed in the form of a heatmap - is the preferred method. But risk leaders at organisations in our network are taking their risk reporting to the next level with their visualisations.
e. Get buy-in from the board and ARC
While using visuals is one effective method to boost engagement from senior leaders during the risk reporting process, there are many other ways to get buy-in from the board and ARC that risk leaders in our membership are implementing.
Firstly, it's crucial to tell a story during risk reporting and provide context to your audience: don't just tell them what is happening, but why it is happening. For instance, one risk leader in the network uses a visual moodboard of risks to tie the business' principal/material risks to events developing in the organisation's external environment:
Some risk teams are working with guest contributors to add credibility and weight to their risk reporting. Using a subject matter expert voice from within the business to add credence to your argument - whether it be a quote in a risk report or attending a meeting with the board in person - can get senior leaders to take notice and place more importance on suggested actions.
Moreover, deviating from the status quo every so often can prove effective so that the content of your risk reporting doesn't become stale or boring - if business leaders feel like risk reporting is a repetitive process that rarely develops or changes, this may cause certain risks to be overlooked.
Ultimately, engaging with executives and the board requires you to know your audience: what concerns them, and how can risk management impact this in a positive way. If the board cares about the long-term success and viability of the business, framing risk through a strategic lens is a good way to get their attention.
f. Link risk to strategy and objectives
Risk leaders in the network have shared, from experience, that compiling a risk report from the default position of "what could go wrong" can leave you with a list of risks that feels disconnected from the business itself. Instead, asking first "what matters to the business" can help you to achieve greater stakeholder engagement from the outset.
In order to focus on what matters to the business, it can help to overlay risks onto the company's strategic objectives - in other words, how will risks impact, for better or worse, the ability of the business to achieve its goals? An easy way to visualise this relationship is employing a Venn diagram:
Where there are overlaps between risks and objectives, you can signal to business leaders that threats or opportunities should be prioritised.
Furthermore, drawing a clear link between strategy in your reporting can help to embed risk within the strategic mindset of the business and get Risk a regular role in strategy conversations. While it is useful for the risk team to highlight areas where risks may affect the business' existing strategy, the next evolution of this is for Risk to guide the development of new goals and strategies. Once again, this will allow risk management to add value.
g. Create a radar of risks for emerging risk reporting
- Outer layer: emerging threats and opportunities the business should be aware of, even if no actions are required at this point.
- Middle ring: contains what some risk leaders refer to as 'Tier 2 risks' - those risks that the executive leadership team (including risk owners) should be monitoring.
- Innermost circle: 'Tier 1 risks' - the priority risks that need to be escalated to the board.
3. How are companies reporting on risks externally?
a. What are the key features of a risk section in an annual report?
Most businesses, especially listed companies in jurisdictions where there are specific reporting requirements, will include a risk section in their annual report, although the content of these sections, as well as the amount of detail given, varies between companies.
Risk Reporting Comparison Tool
To enable our members to validate their approach to external reporting, we created an interactive database of the information included in the external reports of 190+ companies.
Using data from the Risk Reporting Comparison Tool, there are some clear trends around the risk section of an annual report:
- On average, the risk section of a company's annual report takes up about 5% of the overall document, highlighting that it is not an insignificant part of the overall reporting process.
- Rounded to the nearest whole number, the average number of principal/material risks shared by businesses is 12; usually, a company's list of principal or material risks only varies slightly year-on-year.
- Most risk sections will include reference to the trend of individual risks (65%) - in other words, is the risk increasing, stable or decreasing - and how each risk links to strategy (56%).
- Although the majority of companies do not categorise principal/material risks as part of their annual report, a significant number of businesses (43%) do organise their risks under a few key headings (e.g. financial, operational, strategic etc.).
- Just 16% of companies mention their appetite for each risk in their annual reporting and even fewer (5%) refer to opportunities in the risk section.
- In terms of emerging risks, 35% of companies list these specifically in the risk section of their annual report, although a much larger proportion will acknowledge that they conduct horizon scanning for threats and opportunities to the business.
These figures are based on data in the Risk Reporting Comparison Tool, as of February 2023.
b. What are the top principal and emerging risks companies currently report?
Unsurprisingly, the leading principal/material risks reported by companies vary by sector. For example, while Cyber Security and Digital Transformation are top risks for computer software companies, businesses in other industries are focusing more on other kinds of threats and opportunities.
Here are a few trends based on a cross-sector analysis of companies across all industries based on data from our Risk Reporting Comparison Tool:
- Talent was the most reported risk category in 2022 and 2023, with the number of mentions increasing year on year.
- Climate Change and Environment and Sustainability account for over 7% of principal/material risks reported in company annual reports.
- Cyber Security is the second-most reported risk category, accounting for 6.49% of principal/material risks reported in 2023 (compared to 6.13% in 2022).
As for emerging risks, Regulation remains the most mentioned emerging risk, accounting for almost 9% of the emerging risks mentioned in external reports.
Going into 2024, we've noticed a significant rise in geopolitical emerging risks, with trade disputes, the East-West divide and the Russia-Ukraine war being cited by companies as examples of those risks.
c. What do companies include in TCFD disclosures?
The purpose and content of annual reports continue to evolve as companies adapt to changing regulations and investor demands.
In April 2022, it became a requirement for FTSE-listed businesses in the UK to include a TCFD disclosure in their annual report. It seems likely that the requirement will soon be imposed on listed businesses in other markets, which raises the question: what should you include in your TCFD disclosure?
TCFD Reporting Comparison Tool
To save our members time in researching what other organisations are including in their TCFD disclosure, we created a new tool.
Based on data from our TCFD Reporting Comparison Tool, trends are starting to emerge:
- The most common aspects of a TCFD disclosure are risks (and opportunities), targets and scenarios, all of which are covered in over 75% of the reports we have analysed.
- While the different climate-related risks are essentially split into two categories - physical and transition - there is a wide variety of scenarios and targets that businesses are reporting against. For example, many companies have a short-term emissions target to 2025, though some organisations also have set goals (e.g. net-zero emissions) up to 2030, 2040 and even 2050.
TCFD Reporting 2021 vs 2022
As more companies include a TCFD disclosure in their annual report for the first time, it is also clear how they are evolving their reporting of climate risks in annual reports:
4. How do you maintain relevant and effective risk reporting?
a. Ensure the risk reporting process is fit for purpose
In order to validate your risk reporting approach and identify areas for improvement, it's worth considering how (and where) you can build in opportunities for feedback into your risk report. This is especially important when it comes to engaging the board - is there a communication channel in place for them to ask the risk team questions if they are confused, or provide a healthy amount of challenge if they disagree with aspects of the risk report?
Ultimately, the only way you can be sure that your risk reporting process is fit for purpose is to understand business leaders' response to it. Below we have highlighted some key questions a risk team may want to ask themselves before delivering their latest risk report.
b. Monitor the effectiveness of risk reports
Given the process-driven nature of risk reporting, it's easy to understand how this activity can become a repetitive exercise that disengages people around the business - especially leaders to whom risk reports are presented. For this reason, it's important to observe how effective your latest risk report is, in terms of provoking action and contributing to decision making.
“The simplest way to test whether your risk report is actually having a meaningful impact on the business is to include key follow-on actions and monitor whether the organisation is putting these into motion from the top-down. If not, and in the absence of any communication as to why, it's evident that risk reporting has become a token exercise that senior leaders are all too willing to ignore.”
- Risk Leadership Network member
Of course, this lack of action may be a result of disengagement, lack of awareness or lack of motivation at the business unit level - in this case, it's important for the risk team to work together with risk owners and champions to cultivate the right kind of culture.
One way to gauge how risk reports resonate with senior leads is to push for a more active role in presenting this information. While handing an executive and/or member of the board a document might not get much of a response, presenting your risk report in person will enable you to engage directly with the intended audience and discover what does, and does not, resonate with them.
This is a popular option: according to our Risk reporting to the ARC and board benchmark, 80% of businesses state that their most senior risk resource presents both the board and ARC report entirely face-to-face or with some element of face-to-face interaction.
c. Update your risk reporting template
If you want the board, ARC and other leaders around the business to continue engaging with your risk reports, it's vital to keep reporting fresh and add new layers of insight over time. You don't want to overwhelm the business by presenting a vastly expanded risk report with too much detail - however, incremental shifts in reporting may be greeted with a warmer response.
Risk leaders across the network are taking steps to update and advance their risk reporting process by incorporating elements such as appetite and culture if these are not already being reported on separately.
Interestingly, less than 50% of the companies in our Risk reporting to the ARC and board benchmark have risk appetite as a standalone section or agenda item in their report, suggesting that there is an opportunity for companies to add this particular lens to their risk reporting process.
One of our members who does include appetite in their report features a colour-coded dashboard that links risk appetite to the business' key risk indicators.
If parts of this dashboard have turned red, this means that certain risks are starting to push either the upper or lower limit of risk appetite, constituting a threat to the business that must be addressed. This is designed to trigger action from senior leaders.
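The appetite-linked dashboard just described, and the point made earlier in section 2c that indicators should flag too little risk as well as too much, come down to the same piece of logic: each KRI sits inside an appetite band with a lower and an upper limit, and a reading outside that band turns red whichever side it breaches. The script below is an added illustration of that logic, not a tool from this article or from Risk Leadership Network; the KRI names, values, limits and the amber warning margin are constructed sample data.

```python
"""KRI-to-appetite dashboard logic (added example; constructed sample data).

Each key risk indicator (KRI) carries the lower and upper limits of the
organisation's appetite for that risk. A reading outside the band is RED,
whether the business is taking too much risk (above the upper limit) or too
little (below the lower limit); a reading inside the band but close to a
limit is AMBER; anything else is GREEN.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GREEN = "green"   # comfortably inside appetite
    AMBER = "amber"   # inside appetite but within the warning margin of a limit
    RED = "red"       # outside appetite: escalate to the risk owner and board


@dataclass(frozen=True)
class KRI:
    name: str
    value: float
    lower: float            # floor of appetite: below this, too little risk is taken
    upper: float            # ceiling of appetite: above this, too much risk is taken
    warning: float = 0.10   # share of the band width that counts as the amber zone

    def __post_init__(self) -> None:
        if self.upper <= self.lower:
            raise ValueError(f"{self.name}: upper limit must exceed lower limit")
        if not 0 <= self.warning < 0.5:
            raise ValueError(f"{self.name}: warning margin must be in [0, 0.5)")

    def _margin(self) -> float:
        return (self.upper - self.lower) * self.warning

    def status(self) -> Status:
        # A reading exactly on a limit is still inside the band (amber, not red).
        if self.value < self.lower or self.value > self.upper:
            return Status.RED
        m = self._margin()
        if self.value < self.lower + m or self.value > self.upper - m:
            return Status.AMBER
        return Status.GREEN

    def note(self) -> str:
        """Plain-language reason for the colour, for the report narrative."""
        if self.value > self.upper:
            return "above upper limit: too much risk being taken"
        if self.value < self.lower:
            return "below lower limit: too little risk being taken"
        m = self._margin()
        if self.value > self.upper - m:
            return "approaching upper limit"
        if self.value < self.lower + m:
            return "approaching lower limit"
        return "within appetite"


def assess(kris: list[KRI]) -> dict[str, Status]:
    """Map each KRI name to its dashboard colour."""
    return {k.name: k.status() for k in kris}


def escalations(kris: list[KRI]) -> list[str]:
    """Names of KRIs that have turned red, in report order."""
    return [k.name for k in kris if k.status() is Status.RED]


def render(kris: list[KRI]) -> str:
    """Text rendering of the dashboard, one line per indicator."""
    rows = [f"{k.status().value.upper():5} {k.name:<40} {k.value:>7} "
            f"[{k.lower}, {k.upper}]  {k.note()}" for k in kris]
    return "\n".join(rows)


# Constructed sample KRIs spanning the three sectors named in the article.
SAMPLE_KRIS = [
    KRI("Lost-time injury rate per 1,000 hours", 0.9, 0.0, 1.0, warning=0.15),
    KRI("Critical patch backlog (days)", 45, 0, 30),
    KRI("Growth capital deployed (% of plan)", 60, 70, 110),
    KRI("Revenue from new markets (%)", 22, 10, 30),
]

if __name__ == "__main__":
    print(render(SAMPLE_KRIS))
    print("Escalate to board:", escalations(SAMPLE_KRIS))
```

Running it shows the injury-rate indicator amber (inside appetite but drifting towards the ceiling), the patch backlog red for too much risk, the growth-capital indicator red for too little risk, and the new-market revenue share green. Keeping both limits on every KRI is what lets the report wave the red flag in either direction rather than only when exposure is too high.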
On the matter of culture, risk leaders note that persistent reporting on risk culture provides a record of an organisation's work in this area, signalling how the business has already evolved and ways for it to develop further. By at least including a reference to culture in your risk reporting, you may be able to prompt better discussion about the topic with the wider business.
More on risk reporting at Risk Leadership Network
Risk Leadership Network empowers risk leaders to implement better risk practice by facilitating practical knowledge sharing between peers. Through bespoke and tailored network assistance, we facilitate the specific collaborations that enable our members to solve challenges quickly.
This guide is an overview of some of the key lessons shared by risk leaders in our network on risk reporting. There are far more case studies, templates, tools and bespoke opportunities to collaborate with practising risk leaders with membership to Risk Leadership Network. Meanwhile, here are all the resources and opportunities to get involved mentioned in this article.
General resources/opportunities to get involved:
Internal risk reporting:
External risk reporting:
Extra risk reporting resources:
- Risk Reporting Comparison Tool