Risk Managers: What should you report to the board?

Board members are under more pressure than ever before to prove their organizations have effective risk management programs in place. This leads to internal pressure for you, the risk manager, because the board is now more incentivized to come to you for the necessary reports.

We’ll get to reporting best practices in just a moment, but first it is important to understand what the Board is facing.

A few elements have contributed to this external pressure:

• SEC Proxy Disclosure Enhancements: This amendment holds boards personally responsible for their company’s risk management efforts. It was designed “to enhance the information provided to shareholders” and requires, among other things, that companies reveal the “board’s role in risk oversight.”
• FINRA Priority Letters: The Financial Industry Regulatory Authority (FINRA) – itself regulated by the SEC – releases annual letters outlining its upcoming priorities for the year. These letters are valuable resources for many companies, including securities firms, mutual funds, and other financial institutions, because they help identify organizational areas that need improvement. In recent years, ERM has been one of FINRA’s top enforcement priorities.
• Dodd-Frank and DFAST 2015: Dodd-Frank, which was passed in 2010, was mainly designed to increase accountability and disclosure in the financial industry (to a much broader degree than the SEC’s enhancements). The Dodd-Frank Act Stress Test 2015 adds an additional pressure, requiring banks and bank holding companies (BHCs) to perform “company-run stress tests” in addition to a mandatory (annual) evaluation performed by the Federal Reserve.

Back in 2010, when both the SEC enhancements and Dodd-Frank materialized, the change was understandably jarring. Nearly seven years after these updates, however, companies are still suffering regulatory trouble for insufficient risk management practices.

Recent discussion topics in this blog are evidence enough of failed risk management; consider Plains All American Pipeline, Chipotle, Volkswagen (the board’s ignorance of the emissions deceit does not exonerate it), and Dwolla. Your board has likely come knocking on your door for a briefing on the effectiveness of enterprise risk management, and probably will again.

ERM Reporting: What Should You Present to the Board?

The short answer: present the larger picture of risk, with a direct connection to the corresponding front line activities. As you know, the board makes strategic decisions by viewing your organization from a 35,000-foot perspective. They aren’t interested in a list of hundreds of risk details, and the top 10 operational risks, without context to how they are related to the board’s concerns, provide little guidance for resource allocation and action.

Your board needs to understand the sources of uncertainty that could impair operations or otherwise prevent your organization from achieving its strategic goals. The risk is not the occurrence of a lawsuit, but rather the uncertainty that employees are appropriately following a specific policy that the board needs to know about. It’s not the event of supply chain disruption, but rather the uncertainty of preparedness for changes in weather patterns. The board needs to understand the larger risk picture on uncertainties against the commitments they have endorsed in order to plan and allocate resources effectively.

Sounds simple enough, so how do you assemble this information?

You need to take these big picture issues one by one, and connect them to the real activities that materially contribute to each issue.

How to connect operational risks to strategic goals: 

1. Choose one of the board’s strategic imperatives.
2. Identify the business processes that contribute to that goal.
3. Assess the root causeof risk for each corresponding process.
4. Connect the corresponding identified and assessed risk to that strategic goal.
5. Identify and assess the quality of risk mitigation action plans over these risks.
6. Repeat steps 1 through 4 for each of the board’s strategic goals.
7. Report the impact of risk on each strategic goal to the board.