Recent trends indicate that management is being consulted more than ever by executives and boards who are looking for information that can aid in decision making. This has moved the value of enterprise risk management (ERM) to the forefront, to give the board an overall view of the risks the company faces.
A report just released by RIMS, Risk Communication to the C-Suite and Board of Directors: Visualizing Enterprise Risk Management Information, explores ERM and offers risk managers strategies to use to determine what they report to decision-makers.
According to the report:
“Without robust information about risk, directors cannot offer effective oversight. Therefore, management should carefully evaluate the format and purpose of board risk communication with consideration to risk governance responsibilities, risk appetite, and the intersection between risk and strategy. This process also ensures that the risk information is of value to the management team as well and not simply ‘paperwork.’”
In order to be proactive, boards have expressed the need for specific information, the authors noted, but with “understanding of risks” and “oversight of risk management” cited as the most important areas for board improvement, “risk managers need to be strategic in the way they disseminate information. What you pass along should be presented carefully so that an executive can easily understand and prepare to translate for stakeholders.”
The professional report highlights information from the National Association of Corporate Directors (NACD), the most recent COSO ERM Framework, and the Corporate Executive Board (now Gartner). Backed by that data, the authors discuss where ERM stands today and, by offering various engagement models and maps, provide suggestions and options for determining:
- Which executives should receive the information.
- How to craft the message.
- Delivery methods.
- Additional sources of key risk management information.
“In developing a system for delivering key risk information to the board, it must be stated that ERM is not a prescribed science,” the authors wrote. “No two organizations will have the same approach or process for determining what defines key risk information or how it should be delivered.”
The report is co-authored by Julie Cain, senior strategic advisor, information and technology risk management at the Educational Testing Service; Christine Novotny, ARM, RIMS-CRMP, manager risk and insurance for PeaceHealth; and David J. Young, lecturer at the Risk Management and Insurance Program, University of Colorado Denver Business School. The group also presented on this topic at RIMS 2018 Annual Conference & Exhibition in San Antonio.
Risk Communication to the C-Suite and Board of Directors: Visualizing Enterprise Risk Management Information is available to RIMS members only for the first 60 days. After the introductory period, it will become available to the broader risk management community. You can download the report via Risk Knowledge.
Enterprise Risk Management’s Wakeup Call: 10 Years After is also available on Risk Knowledge. Complementary to Risk Communication to the C-Suite, it discusses the importance of integrating ERM into companies’ frameworks as they prepare for the possibility of another financial crisis or a new threat. Read more about the report here.