
Tuesday, January 5, 2016

Board Level Risk Reports Need To Change

One area where Enterprise Risk Management often fails is in reporting risks to a company's executive team, its stakeholders or the board. In this post we look at why risk managers go off the rails with this top-level reporting requirement and how those flaws can be addressed.

Typical Risk Reporting
Perhaps the best place to begin our study of why board-level risk reporting is so often broken is to observe common reporting practices today, a subject we have visited before on this blog.

Those in Enterprise Risk Management should be familiar with the Risk Heat Map, where top-level risks are plotted onto a matrix similar to the one shown below. The Heat Map is nothing more than a matrix with one axis for likelihood and one for magnitude, often configured with likelihood on the x-axis, which is statistically unusual. Risks are then listed and scattered across the matrix depending on whether they are classified as low risk, which lands them in the green zone, or high risk for those threats found in the far right-hand corner of the matrix.

Curtis & Carey Risk Heat Map | Deloitte & Touche

The Curtis & Carey example displayed here is one of the better Risk Heat Maps I have stumbled across over the years, but it fails in the same way all Risk Heat Maps do: quite simply, it doesn't represent the effect of risk on an objective.

Stakeholders are interested in objectives, not just the risks to them, and the ability to choose how much risk to take when chasing an objective cannot be gleaned from a Risk Heat Map in its traditional form. Heat maps and risk registries show us only one side of the uncertainty equation beneath our objectives, and that cannot support an unbiased review of risk treatment responses.

ISO 31000 defines risk as "the effect of uncertainty on objectives", but the Risk Heat Map isn't showing us this. At best, what it does show us is each risk represented singly, in a fashion no more sophisticated than peering through a one-pixel lens that admits a single frequency and a single magnitude of outcome. Worse, displaying risk information to executive management in this manner doesn't support decision making; it doesn't help stakeholders understand what the true effects of risk may be on a company's bottom line.

I don't believe the Risk Heat Map can be fixed, even though we have deliberated over that question before, because it pitches risk management in the wrong context. Painting risk management as a tiresomely negative activity from the outset or, worse, failing to talk boardroom language will land many risk managers on the back foot with their stakeholders.

Let's finally cast the Risk Heat Map into the historical bin of ideas that are "keep it simple" in concept but don't actually work in practice: a nice idea, but flawed and bung; consign it to Room 101.

Integrated Risk Reporting
It's quite simple in life: if you want to appeal to someone, if you want to find their sweet spot, you need to talk their language at the very least, and in the boardroom the realm of finance has the upper hand. No one wants to be lectured on threats that may torture them, Heat Mapped or not, when meeting strategic objectives is what catches a stakeholder's attention.

Risk reports need to be integrated with those from finance; the silos between the finance department and the risk function need to be bridged so that risk management is on the same page as finance rather than contesting it.

To do this we need to look at how finance flows through a company and how risk impacts or enriches that flow. There is definitely entanglement between the components of risk and finance information that needs to be understood before it can be reported, and the schematic below is a Risk Effect Network for finance. This network tracks how the risks in a portfolio of uncertainties (not threats) have implications for revenues, how risk treatments impact expenses, and where the resulting outcome of all this will modify a firm's operating margin.

The Risk Effect Network | Martin Davies

In the next week or so I am going to release a paper that describes how to build this Risk Effect Network and, alongside that work, a spreadsheet demonstrating a risk report that is pertinent and consequently useful to stakeholders. Risk reports need to assist stakeholders with their decision-making activities; they need to move away from being a tiresome list of unfastened negatives on a Heat Map or in a risk registry that everyone tries to avoid.


  1. Finally, anyone who understands Risk knows that the so-called Heat Map is only a subjective vehicle to pass exposures at the stakeholders' expense that either can hinder the stakeholders' decision making activities or give false negatives (or positives) to the auditors.

  2. Martin - great article drawing the 2 sides of the same coin together! I look forward to your next post.

  3. Interesting article, food for thought; looking forward to the paper and spreadsheet.

  4. Great article, looking forward to the ways in which risk and finance will be integrated for objective reporting to the board.

  5. Great news. At least we can shift away from merely cataloguing risks and assigning random scores to a more relational risk management model. However, risk management requires looking into the distant future; the new model may be appropriate to the short to medium term. How shall it apply to the non-financial/quantifiable risk metrics? Let's wait for the next post.

  6. Thank you for the article. Very interesting. My company is already developing enterprise risk management. Many tools are considered to report the risks to the Board. We already have risk identification, by considering likelihood, impact (consequences), and effectiveness of controls. Do I have to prepare the report of risk map to the Board for the residual risks after control treatments or inherent risk before considering the controls? Thanks.

  7. Board level reports should show inherent and residual risk, control effectiveness, control gaps and recommended improvements that could be made to modify the prevailing risk profile the company is facing.

    It is important to note that there is rarely a place where zero risk can be found or, in the context of control management, 100% control effectiveness. Risk managers should not be striving for 100% control effectiveness, nor should they be setting these expectations.

    The big question here is how to represent all this information in an easy-to-accommodate diagram. The report needs to show not just one risk but risks aggregated, and it needs to assist managers in forming decisions on which course of action to take for a specific risk or portfolio of risks.

  8. Thanks, very interesting article and great solution/approach for board level reporting. I think many firms are not yet ready for the "Risk Effect Network".

    Thanks again.