RL Expert managing partner Leesa Soulodre regularly helps companies report risk to the board. Here are her top tips to give boards the confidence that risk management is transparent and thorough.

Leesa Soulodre

Reporting risk to the board has never been more challenging. Companies and their executives are judged not only on what they do, but who they are. Access to information and oversight are a director’s fiduciary responsibility, and boards are more concerned with risk than ever before.

1. What risk information should the CRO report?

Critical enterprise-wide risks, strategic risk categories and business performance risk should be mapped to the full board. A board is usually presented with the top 10-15 risks: those that pose a threat to the company’s viability and sustainability. Other risk categories requiring specific functional expertise should also be mapped to the relevant board committees for oversight. These are tier-two and three risks.

2. The chief engages the committee. The committee chair engages the board

Knowing your stakeholders and their internal owners is critical to engagement. The chief risk officer, chief audit executive and VP strategy usually lead the engagement with the group reputation risk committee and the group risk, group compliance and group audit committees. The chair of each leads discussions with the board. Standard practice is for the governance committee to review committee and board risk oversight responsibilities at each board meeting.

3. Lifecycle risk management is now internal licence to operate

Annual ‘point in time’ board reporting is dead. A single point-in-time remediation plan leaves the organisation exposed in a changing legal, regulatory and stakeholder landscape. CROs should effect life-cycle risk management. Establishing a cross-disciplinary reputation risk committee comprised of board and senior leadership representatives who work to connect the risk register to the board on a monthly basis, complemented by quarterly board risk reporting, is best practice.

4. Know your LEADS

Mike Love, former communications director to Microsoft, BT and McDonald’s, states: “When assessing risks, know your LEADS.”

  • Is it Legal (locally and internationally),
  • Is it Ethical (in stakeholders’ view),
  • Is it Acceptable (by most who matter),
  • Is it Defensible (if it’s front-page news),
  • Is it Sensible (does it still make good business sense)?

5. Address the unique needs of your audience

• Make it visual: Much of the data CROs rely on is lagging. It is also heavily reliant on manual inputs from internal staff. By transforming the company’s institutional knowledge into real-time analytics, leveraging ‘inside-out’ and ‘outside-in’ data, a CRO can better enable decision-making by the board. Risk dashboards using heat maps provide a single view.

• Make it actionable and insight-rich: Pre-read executive summary documents are the most effective approach. They can also serve as the foundations for discussion between the board and CRO. There should be a one- to two-page executive summary for each top risk, using bullet points, narrative, and graphs, with supporting appendices. Include what actions you want to achieve from this board meeting.

6. Content is king

A board’s risk deck is broken down into:

  • Purpose and overview
  • Organisational success drivers
  • Key enterprise risk categories
  • Significant risk drivers
  • Key mitigation strategies
  • Dashboard and heat map
  • Exposure and trajectory

Each risk’s executive summary should include:

  • Risk definition
  • Context
  • Board oversight responsibility
  • Impact/likelihood
  • Velocity
  • Risk owner
  • Key controls/mitigation
  • Risk response
  • Key risk indicator status

7. Factor for context and opportunity

Heat maps are prioritised using an impact and likelihood score. This does not factor for context and opportunity. A traditional risk assessment also fails to capture both the internal and external lens. Context should include any internal and external factors that can have an influence on the company’s viability and activities: consider global legal constraints, compliance impacts, sensitive environmental, social or governance topics.

8. Value the board’s time

The average time allotted typically runs from 30 to 60 minutes.