Administrators going through a “disruptive decade” want threat reporting that gives strategic intelligence quite than complete knowledge. Protiviti’s Jim DeLoach argues for threat communication that feeds off administration reporting, emphasizes vital enterprise and rising dangers and permits significant dialogue about strategic assumptions and market dynamics.
Twice earlier than, I’ve written on these pages about bettering board threat reporting. In my earlier writing, I shared some knowledge supplied by Rick Steinberg, a good friend of mine and well-respected member of the governance group. Whereas I initially proposed six rules in 2016, Rick’s considerate additions of 4 extra rules — addressing how boards and administration ought to consider threat communication high quality — helped create the extra complete framework I mentioned in my most up-to-date missive on the topic, which was revealed in 2017.
From the place I sit, eight years is a very long time in a quickly altering world. In immediately’s optics, firms face fixed disruption and the emergence of surprising challenges. Leaders should navigate “unknown unknowns” because the lifespans of company methods and enterprise fashions shorten. Improvements in workflows, services and products constantly reshape how individuals reside, work and play. Client preferences and experiences shift rapidly attributable to transformative applied sciences, whereas geopolitical volatility, regional conflicts, coverage shifts, fiscal deficits and central financial institution choices demand contemporary assessments of long-held assumptions. Then, after all, there’s the excitement over tariffs and their impression on international commerce and the economic system.
Good move-making requires staying in contact with market dynamics, because the previous provides little steerage for anticipating the longer term. One CEO analogized the extent of uncertainty to driving in a fog — typically you need to pull over to the aspect of the highway and pause till you possibly can see the place you’re going.
Because the 2020s maintain an ongoing pattern as a “disruptive decade,” govt leaders and boards should keep on prime of developments — each internationally and domestically — that might have an effect on their firm’s technique and threat profile. To that finish, administrators need assistance defining, understanding and prioritizing threat. Alignment between the board and the CEO and board-facing executives on key dangers and threat administration methods is essential for efficient company governance and organizational success. Thus, board threat reporting stays a well timed matter and can all the time be so in a dynamic world.
Given this state of play, I provide 10 interrelated rules underlying board threat reporting and engagement which might be up to date from those articulated eight years in the past.
1. Hyperlink threat stories to key enterprise targets
Relying on the character of the enterprise, the relevance of threat reporting needs to be assured by coupling it to enterprise plans and the vital targets and initiatives administration has communicated to the board. Some dangers might have an effect on a number of targets, whereas others might require particular actions to deal with altering inner and exterior circumstances to make sure achievement of targets, which in flip will increase the robustness of the technique itself.
In impact, threat reporting needs to be built-in with technique, enterprise targets and plans and efficiency administration. It’s much less efficient when it’s an afterthought to technique and an appendage to efficiency administration. Failure to outline dangers within the context of the group’s targets results in the inevitable “so what” questions.
2. Feed board reporting off administration reporting
If the 2 are aligned with the one distinction being depth and packaging of content material, the method is extra elegant and issues get simpler. If administration prepares threat data solely for the aim of reporting to the board, it strongly suggests to administrators that the stories they obtain should not meant to facilitate the group’s strategic administration of threat. The method is only when (1) the first threat house owners assume duty for managing the vital dangers, together with rising dangers, created by the actions for which they’re accountable, and (2) the danger administration self-discipline is built-in with efficiency administration.
3. Focus threat reporting on vital enterprise and rising dangers
Important enterprise dangers characterize these that may threaten the viability of the corporate’s technique, enterprise mannequin or repute. If agreed on with the board, they warrant probably the most consideration when contemplating the strategy-setting course of within the boardroom.
Accordingly, they need to be emphasised in threat reporting to the board. Additionally, board-facing executives and administrators needs to be aware of rising dangers triggered by unanticipated and probably disruptive occasions of various velocity, together with catastrophic occasions (e.g., a pandemic, main cyber assault or hurricane) and current dangers accelerated by exterior and/or inner elements in surprising methods (e.g., provide chain disruption, regional conflicts or disruptive trade improvements).
These two broad threat classes — vital enterprise dangers and rising dangers — present a context for the complete board and the varied board committees to contemplate when making certain the scope of threat reporting is sufficiently complete, forward-looking and targeted on the best dangers. Excessive-level updates on firm initiatives in these threat areas permit the board to know progress, or lack thereof, towards organizational agility and preparedness and have interaction in follow-up discussions.
4. Tackle day-to-day dangers on an outlier foundation and when reporting on completely different areas of the enterprise
Each enterprise has myriad operational, monetary and compliance dangers. If any of those are vital enterprise dangers, they warrant ongoing consideration from both the complete board or a delegated board committee. The remaining dangers characterize a separate class that needs to be communicated to the board as a part of periodic standing stories on line-of-business, product, geography, practical or program efficiency. Nonetheless, uncommon important and surprising issues associated to those day-to-day dangers needs to be escalated on a well timed foundation in line with established protocols. For instance, exceptions in opposition to established limits (i.e., restrict breaches) or a big breakdown, error, incident, loss (or misplaced alternative), shut name or near-miss in a vital space warrant escalation to the board.
5. Outline and talk who’s chargeable for threat administration
Administrators wish to know that somebody owns the dangers that matter. Danger possession duty rests with the CEO, their direct stories and so forth, cascading downward and throughout the group so that everybody with important obligations is accountable for the dangers sourced from their respective actions. To this finish, the chief threat officer (CRO), or equal govt, might function a catalyst in designing, implementing and offering wanted help to threat house owners in implementing the group’s threat administration framework. The board wants assurance that duty for managing threat is the place it must be — on the supply of threat — in order that unexpected developments will be acted upon well timed.
6. Require threat house owners to have interaction straight with the board on related dangers
When house owners of company, line-of-business, product, geography, practical or program targets and efficiency objectives report back to the board, they need to additionally disclose a very powerful dangers they face throughout the context of a standard framework and language. This linkage of alternative and threat is vital, because it permits every stakeholder reporting to the board to debate the:
- Underlying core assumptions and inherent dangers in executing these components of the technique for which the stakeholder is accountable.
- “Exhausting spots” and “tender spots” inherent within the marketing strategy and reaching the associated efficiency targets.
- Implications of adjustments within the exterior atmosphere on the core assumptions underpinning the technique and the suitable ranges of threat inherent within the technique.
Integrating threat with efficiency reporting engages the collective expertise of the board in addressing potential market developments and elevates confidence in administration’s threat consciousness and possession.
7. Report on whether or not adjustments within the exterior atmosphere are affecting vital strategic assumptions and limits
To assist tackle rising dangers, board reporting ought to provide insights concerning administration’s assumptions about markets, prospects, competitors, expertise, rules, commodity availability and different exterior elements and, extra importantly, whether or not these assumptions stay legitimate. Reporting ought to give attention to whether or not adjustments in these exterior elements have occurred or are occurring and, if that’s the case, whether or not such adjustments alter the basics underlying the enterprise mannequin.
Danger reporting ought to embody insights from each exterior and inner sources, in addition to from geopolitical and situation analyses to supply an early-warning crimson flag functionality. Proactive “actuality testing” that drives well timed, actionable follow-up engenders forward-looking confidence within the boardroom.
A successful technique exploits to a big extent the areas during which the group excels relative to its rivals. Usually, govt administration and the board conform to boundaries inside which the corporate executes that technique — the strategic, operational and monetary parameters round opportunity-seeking conduct. Accordingly, threat reporting ought to disclose when circumstances change in addition to when agreed-on parameters are approached or breached.
8. Present insights into how administration ensures an efficient threat administration course of
Along with understanding who’s chargeable for threat, administrators ought to have at the very least a high-level understanding of the danger administration course of itself — e.g., how the method is designed, the best way during which it’s carried out, the extent of buy-in and possession throughout the group, how the board’s position is delineated from administration’s and the way successfully the method is functioning — giving them confidence that administration is efficient in figuring out, sourcing, measuring, managing and monitoring the corporate’s dangers.
The overriding theme of contemplating the potential for and impression of serious unexpected developments needs to be emphasised when discussing who’s accountable, who’s accountable, who needs to be consulted and when and who needs to be knowledgeable in an open, “converse up” and clear tradition.
If the CRO and inner audit present assurance on the effectiveness of threat administration processes — together with the associated tabletop and situation planning workouts, market intelligence gathering processes, the reliability of threat metrics and efficacy of inner controls — the board’s confidence is additional enhanced.
9. Take note of administrators’ preferences
This self-evident precept suggests the significance of listening to administrators to align threat reporting extra intently with their preferences. Our discussions with administrators point out that many need the next:
- Plain language reporting and crisp displays. That is an crucial for boardroom success. Maintain displays quick and to the purpose. Keep away from acronyms and technical jargon. Addressing particular questions within the boardroom quite than making ready a complete presentation that anticipates each potential query results in targeted discussions and zeroes in on administrators’ actual issues.
- Extra insights and fewer element. Overwhelming administrators with knowledge mires them within the weeds and doesn’t contribute to strategic conversations. Give attention to the message and the actual points going through the corporate and finish with key takeaways and actionable conclusions. Sharing knowledge is productive if the dots are related with intention to help takeaways that educate the board on administration’s considering. If a deep dive is required in a selected space, take it offline, if potential.
- If there’s an ask, make it clear. Make clear the board’s meant actions or requested suggestions. Is it to agree on a call, approve a coverage or report, assessment efficiency, debate a problem, outline viable choices or allocate capital? If there isn’t an ask, point out that the data is meant to coach the administrators.
- Extra engagement and dialogue. Administrators worth productive threat discussions. For instance, threat assessments linked to the corporate’s strategic targets and efficiency objectives might be built-in into strategic boardroom discussions. Dangers associated to probably the most formidable obstacles to reaching the corporate’s targets and objectives can floor helpful insights requiring follow-up.
- Higher understanding of the uncertainty the corporate faces. Many administrators wish to know what administration is doing to enhance organizational resilience, agility and preparedness.
- A chance to look ahead, not backward. Boards need extra forward-looking insights (e.g., administration not solely tends to the knitting of executing the technique but in addition retains a watchful eye on the important indicators within the market that point out continued relevance of the technique and enterprise mannequin). For instance, evaluation of believable and excessive eventualities can contribute insights that result in significant response plans, motion triggers and determination prompts that can give the board confidence within the firm’s resilience in going through the surprising.
- Learnings from postmortems. When issues that weren’t anticipated go flawed — both within the firm or in one other group — an goal postmortem can present beneficial insights for each the board and CEO.
10. Repeatedly enhance board threat reporting by an iterative course of
Administration ought to apply the above interrelated rules with the intention of asking the board to supply suggestions. Whereas it’s true that administrators typically don’t know what they need particularly in the best way of threat reporting, steady enchancment is a two-way road. Begin with an method and enhance it constantly with iterative suggestions from administrators and the CEO.
The above interrelated rules should not meant to prescribe particular reporting practices however quite to supply sound path for govt administration and the board to enhance board threat stories and conversations which might be grounded in a strategic context.
There isn’t any one-size-fits-all method to board threat reporting. What works for one board might not for an additional. Each enterprise is completely different from a strategic, operational, cultural and organizational construction standpoint, which in flip drives completely different reporting to the board. Ultimately, administrators need an ongoing assessment of progress, a give attention to sensible and actionable takeaways and well timed forward-looking insights on what issues as markets evolve and unexpected developments happen.
Administrators going through a “disruptive decade” want threat reporting that gives strategic intelligence quite than complete knowledge. Protiviti’s Jim DeLoach argues for threat communication that feeds off administration reporting, emphasizes vital enterprise and rising dangers and permits significant dialogue about strategic assumptions and market dynamics.
Twice earlier than, I’ve written on these pages about bettering board threat reporting. In my earlier writing, I shared some knowledge supplied by Rick Steinberg, a good friend of mine and well-respected member of the governance group. Whereas I initially proposed six rules in 2016, Rick’s considerate additions of 4 extra rules — addressing how boards and administration ought to consider threat communication high quality — helped create the extra complete framework I mentioned in my most up-to-date missive on the topic, which was revealed in 2017.
From the place I sit, eight years is a very long time in a quickly altering world. In immediately’s optics, firms face fixed disruption and the emergence of surprising challenges. Leaders should navigate “unknown unknowns” because the lifespans of company methods and enterprise fashions shorten. Improvements in workflows, services and products constantly reshape how individuals reside, work and play. Client preferences and experiences shift rapidly attributable to transformative applied sciences, whereas geopolitical volatility, regional conflicts, coverage shifts, fiscal deficits and central financial institution choices demand contemporary assessments of long-held assumptions. Then, after all, there’s the excitement over tariffs and their impression on international commerce and the economic system.
Good move-making requires staying in contact with market dynamics, because the previous provides little steerage for anticipating the longer term. One CEO analogized the extent of uncertainty to driving in a fog — typically you need to pull over to the aspect of the highway and pause till you possibly can see the place you’re going.
Because the 2020s maintain an ongoing pattern as a “disruptive decade,” govt leaders and boards should keep on prime of developments — each internationally and domestically — that might have an effect on their firm’s technique and threat profile. To that finish, administrators need assistance defining, understanding and prioritizing threat. Alignment between the board and the CEO and board-facing executives on key dangers and threat administration methods is essential for efficient company governance and organizational success. Thus, board threat reporting stays a well timed matter and can all the time be so in a dynamic world.
Given this state of play, I provide 10 interrelated rules underlying board threat reporting and engagement which might be up to date from those articulated eight years in the past.
1. Hyperlink threat stories to key enterprise targets
Relying on the character of the enterprise, the relevance of threat reporting needs to be assured by coupling it to enterprise plans and the vital targets and initiatives administration has communicated to the board. Some dangers might have an effect on a number of targets, whereas others might require particular actions to deal with altering inner and exterior circumstances to make sure achievement of targets, which in flip will increase the robustness of the technique itself.
In impact, threat reporting needs to be built-in with technique, enterprise targets and plans and efficiency administration. It’s much less efficient when it’s an afterthought to technique and an appendage to efficiency administration. Failure to outline dangers within the context of the group’s targets results in the inevitable “so what” questions.
2. Feed board reporting off administration reporting
If the 2 are aligned with the one distinction being depth and packaging of content material, the method is extra elegant and issues get simpler. If administration prepares threat data solely for the aim of reporting to the board, it strongly suggests to administrators that the stories they obtain should not meant to facilitate the group’s strategic administration of threat. The method is only when (1) the first threat house owners assume duty for managing the vital dangers, together with rising dangers, created by the actions for which they’re accountable, and (2) the danger administration self-discipline is built-in with efficiency administration.
3. Focus threat reporting on vital enterprise and rising dangers
Important enterprise dangers characterize these that may threaten the viability of the corporate’s technique, enterprise mannequin or repute. If agreed on with the board, they warrant probably the most consideration when contemplating the strategy-setting course of within the boardroom.
Accordingly, they need to be emphasised in threat reporting to the board. Additionally, board-facing executives and administrators needs to be aware of rising dangers triggered by unanticipated and probably disruptive occasions of various velocity, together with catastrophic occasions (e.g., a pandemic, main cyber assault or hurricane) and current dangers accelerated by exterior and/or inner elements in surprising methods (e.g., provide chain disruption, regional conflicts or disruptive trade improvements).
These two broad threat classes — vital enterprise dangers and rising dangers — present a context for the complete board and the varied board committees to contemplate when making certain the scope of threat reporting is sufficiently complete, forward-looking and targeted on the best dangers. Excessive-level updates on firm initiatives in these threat areas permit the board to know progress, or lack thereof, towards organizational agility and preparedness and have interaction in follow-up discussions.
4. Tackle day-to-day dangers on an outlier foundation and when reporting on completely different areas of the enterprise
Each enterprise has myriad operational, monetary and compliance dangers. If any of those are vital enterprise dangers, they warrant ongoing consideration from both the complete board or a delegated board committee. The remaining dangers characterize a separate class that needs to be communicated to the board as a part of periodic standing stories on line-of-business, product, geography, practical or program efficiency. Nonetheless, uncommon important and surprising issues associated to those day-to-day dangers needs to be escalated on a well timed foundation in line with established protocols. For instance, exceptions in opposition to established limits (i.e., restrict breaches) or a big breakdown, error, incident, loss (or misplaced alternative), shut name or near-miss in a vital space warrant escalation to the board.
5. Outline and talk who’s chargeable for threat administration
Administrators wish to know that somebody owns the dangers that matter. Danger possession duty rests with the CEO, their direct stories and so forth, cascading downward and throughout the group so that everybody with important obligations is accountable for the dangers sourced from their respective actions. To this finish, the chief threat officer (CRO), or equal govt, might function a catalyst in designing, implementing and offering wanted help to threat house owners in implementing the group’s threat administration framework. The board wants assurance that duty for managing threat is the place it must be — on the supply of threat — in order that unexpected developments will be acted upon well timed.
6. Require threat house owners to have interaction straight with the board on related dangers
When house owners of company, line-of-business, product, geography, practical or program targets and efficiency objectives report back to the board, they need to additionally disclose a very powerful dangers they face throughout the context of a standard framework and language. This linkage of alternative and threat is vital, because it permits every stakeholder reporting to the board to debate the:
- Underlying core assumptions and inherent dangers in executing these components of the technique for which the stakeholder is accountable.
- “Exhausting spots” and “tender spots” inherent within the marketing strategy and reaching the associated efficiency targets.
- Implications of adjustments within the exterior atmosphere on the core assumptions underpinning the technique and the suitable ranges of threat inherent within the technique.
Integrating threat with efficiency reporting engages the collective expertise of the board in addressing potential market developments and elevates confidence in administration’s threat consciousness and possession.
7. Report on whether or not adjustments within the exterior atmosphere are affecting vital strategic assumptions and limits
To assist tackle rising dangers, board reporting ought to provide insights concerning administration’s assumptions about markets, prospects, competitors, expertise, rules, commodity availability and different exterior elements and, extra importantly, whether or not these assumptions stay legitimate. Reporting ought to give attention to whether or not adjustments in these exterior elements have occurred or are occurring and, if that’s the case, whether or not such adjustments alter the basics underlying the enterprise mannequin.
Danger reporting ought to embody insights from each exterior and inner sources, in addition to from geopolitical and situation analyses to supply an early-warning crimson flag functionality. Proactive “actuality testing” that drives well timed, actionable follow-up engenders forward-looking confidence within the boardroom.
A successful technique exploits to a big extent the areas during which the group excels relative to its rivals. Usually, govt administration and the board conform to boundaries inside which the corporate executes that technique — the strategic, operational and monetary parameters round opportunity-seeking conduct. Accordingly, threat reporting ought to disclose when circumstances change in addition to when agreed-on parameters are approached or breached.
8. Present insights into how administration ensures an efficient threat administration course of
Along with understanding who’s chargeable for threat, administrators ought to have at the very least a high-level understanding of the danger administration course of itself — e.g., how the method is designed, the best way during which it’s carried out, the extent of buy-in and possession throughout the group, how the board’s position is delineated from administration’s and the way successfully the method is functioning — giving them confidence that administration is efficient in figuring out, sourcing, measuring, managing and monitoring the corporate’s dangers.
The overriding theme of contemplating the potential for and impression of serious unexpected developments needs to be emphasised when discussing who’s accountable, who’s accountable, who needs to be consulted and when and who needs to be knowledgeable in an open, “converse up” and clear tradition.
If the CRO and inner audit present assurance on the effectiveness of threat administration processes — together with the associated tabletop and situation planning workouts, market intelligence gathering processes, the reliability of threat metrics and efficacy of inner controls — the board’s confidence is additional enhanced.
9. Take note of administrators’ preferences
This self-evident precept suggests the significance of listening to administrators to align threat reporting extra intently with their preferences. Our discussions with administrators point out that many need the next:
- Plain language reporting and crisp displays. That is an crucial for boardroom success. Maintain displays quick and to the purpose. Keep away from acronyms and technical jargon. Addressing particular questions within the boardroom quite than making ready a complete presentation that anticipates each potential query results in targeted discussions and zeroes in on administrators’ actual issues.
- Extra insights and fewer element. Overwhelming administrators with knowledge mires them within the weeds and doesn’t contribute to strategic conversations. Give attention to the message and the actual points going through the corporate and finish with key takeaways and actionable conclusions. Sharing knowledge is productive if the dots are related with intention to help takeaways that educate the board on administration’s considering. If a deep dive is required in a selected space, take it offline, if potential.
- If there’s an ask, make it clear. Make clear the board’s meant actions or requested suggestions. Is it to agree on a call, approve a coverage or report, assessment efficiency, debate a problem, outline viable choices or allocate capital? If there isn’t an ask, point out that the data is meant to coach the administrators.
- Extra engagement and dialogue. Administrators worth productive threat discussions. For instance, threat assessments linked to the corporate’s strategic targets and efficiency objectives might be built-in into strategic boardroom discussions. Dangers associated to probably the most formidable obstacles to reaching the corporate’s targets and objectives can floor helpful insights requiring follow-up.
- Higher understanding of the uncertainty the corporate faces. Many administrators wish to know what administration is doing to enhance organizational resilience, agility and preparedness.
- A chance to look ahead, not backward. Boards need extra forward-looking insights (e.g., administration not solely tends to the knitting of executing the technique but in addition retains a watchful eye on the important indicators within the market that point out continued relevance of the technique and enterprise mannequin). For instance, evaluation of believable and excessive eventualities can contribute insights that result in significant response plans, motion triggers and determination prompts that can give the board confidence within the firm’s resilience in going through the surprising.
- Learnings from postmortems. When issues that weren’t anticipated go flawed — both within the firm or in one other group — an goal postmortem can present beneficial insights for each the board and CEO.
10. Repeatedly enhance board threat reporting by an iterative course of
Administration ought to apply the above interrelated rules with the intention of asking the board to supply suggestions. Whereas it’s true that administrators typically don’t know what they need particularly in the best way of threat reporting, steady enchancment is a two-way road. Begin with an method and enhance it constantly with iterative suggestions from administrators and the CEO.
The above interrelated rules should not meant to prescribe particular reporting practices however quite to supply sound path for govt administration and the board to enhance board threat stories and conversations which might be grounded in a strategic context.
There isn’t any one-size-fits-all method to board threat reporting. What works for one board might not for an additional. Each enterprise is completely different from a strategic, operational, cultural and organizational construction standpoint, which in flip drives completely different reporting to the board. Ultimately, administrators need an ongoing assessment of progress, a give attention to sensible and actionable takeaways and well timed forward-looking insights on what issues as markets evolve and unexpected developments happen.
