Risk Management: Reporting ERM to the Board

August 04, 2011

Reporting ERM to the board can be a kabuki dance that needs lots of stage direction. 

Boards of directors for some time now have had a very high level of interest in enterprise risk management, even though ERM tends to be low on numbers and high on qualitative data. But while boards may be interested, their actions sometimes seem to suggest something along the lines of, “Sure, we’re interested, but, whoa! not that interested.”

At a May meeting of the NeuGroup’s Corporate ERM Group, one member walked the group through the board reporting process at his company.

Give ‘em what they want.
The company has two reporting periods in a year, first reporting to the audit committee in June and then to the board in December. The key objective, this VP and risk manager said, seems obvious enough – it is to report what these audiences want to see.

The reporting package is a standard 10-page template covering seven topics such as a graphics-based risk list, risk themes, as well as external learnings based on research and evolving risks. Here’s a brief description of how this company does it.

  1. The risk list. The risk list prioritizes the top 10 risks. It is the first means of identifying these risks and seeks to show where they lie in severity and likelihood. The list also acts as a radar in that it addresses the movement of the risks, specifically what risks have come on, gone off, and been carried forward since the last report, as well as the management accountabilities for each. The board is particularly interested in where they might free up resources from the “green” risks (low priority) and reallocate to the “red” risks (high priority).
  2. Risks and themes. This section covers market themes which are geographically focused, business themes that are operationally focused and common themes between them that might be strategic in nature.
  3. External research. The manager and his team conduct research into the risks of related companies and report on differentiators between their risk management activities, how execution has been successful and unsuccessful, and how this is all relevant to the company.
  4. Global risk list. This portion of the report addresses those outside sources of risk beyond the company’s control and what their impact might be if they were to happen.
  5. Evolving risks. This section covers the most significant of the risks in the next tier down below the top 10.
  6. Key risk indicators. This part of the template, which is still being refined, will report those factors that inform on risk levels for environmental, operational, financial, strategic and internal governance risks.
  7. Risk profile. This section, also still being refined, will compare the current risk profile of the five categories cited above with potential events that would alter that profile and the estimated trajectory of that profile over the coming 12 to 18 months.

More input needed. 
The risk manager said that despite his team’s efforts, it still needs to tease out board feedback on its views on items such as risk appetite, risk profiles and the specific risks that most concern them. This led to a discussion among the members about their different experiences dealing with recalcitrant boards.

That recalcitrance stems partly from a fear that permeates many ERM programs, at both the top (board) and the bottom (ERM practitioners): that if you bring it up, it must be covered and reported; and if it can be reported, it can be held against you or the company if it’s missed or mismanaged. Consequently, management is generally hesitant to develop new, ERM-specific metrics that would be used to measure performance at the board level beyond what it already provides and is expected to review.

Still, ERM practitioners keep pushing. One member prepares specific questions ahead of the meeting that draw on the directors’ experiences. Another member interviews each board member to get their views on risks and the ERM program. Another member said his group takes the view that management actually owns the risk and the board just provides oversight; therefore, the focus should be more on management.

This back and forth between ERM and management must be done, as uncomfortable as it is. The more risks that are covered and the more that managers and board are aware, the more effective the program.
