How to Create a Constructive Enterprise Risk Management Report?
By Mohammed Nasser Barakat
Consultancy Director at CAREweb Corporate Governance Consultancy
Enterprise Risk Management (ERM) has been in the limelight for some years now; but entrepreneurs have started perceiving ERM seriously only after the blighting economic crisis.
Decision making has never been easy for organization boards. If anything goes wrong, they take the full wrath of the public and stakeholders. That is why top-level executives begin to rely on ERM. Evidence-based decision making has helped them confront many hurdles and interrogations.
From the massive amounts of accumulated risk data, smart Risk Managers filter the right ERM information for their reports so as to make clear and definite choices.
As a senior manager, or Board member you need to ask yourself, does the Risk Management team check on the quality of risk reports? Are the risk management approaches (identify, assess, mitigate and monitor risks) functioning appropriately? Are the resulting decisions aligned with the organization’s objectives? Do ERM reports aid you in improving business performance? Have the reports helped you in mitigating risks or did they fail you? These are questions you need to ask before depending on your ERM reports completely.
Here are some key tips that will help create contructive ERM reports:
1. Communicate using the ‘risk’ language
A common risk language should be used across the organization to avoid any sort of miscommunication, misinterpretation or misunderstanding. Every entity of an organization should understand risks and risk terminologies.
This can be achieved by conducting enterprise-wide Risk Awareness training courses and programs.
2. Data quality
Data quality is a matter of serious importance for every organization. It determines how informed a strategic decision you can make.
Among the major challenges of enterprises is data inaccuracy and inadequacy. They can invite immense perils, leading to immense losses. It is painful for organizations to lose information in spite of investing in high-cost IT systems, just because data inaccuracy could not be addressed. Inferior data quality is also one of the factors that pushed companies into the recent financial crisis.
Getting your data right is important even if you have to invest in expensive technology.
That said, accurate data is just not enough. It has to be integrated well all across the organization to deliver consolidated reports. Risks can be inter-linked, such that if one risk occurs in one area of the business, it can trigger other risks across the organization.
3. Clear and holistic presentation
When managers look into the ERM report, they should get a clear picture of risks and threats at first glance.
The name, subject and purpose of the report must be stated clearly. Title the fields of the report precisely, define the field titles if required, and specify the technique used to carry out un-automated calculations and actions.
The mantra is – keep it simple.
4. Focus towards critical aspects of the reports
Managers may not have the same knowledge about risks as the report author. Managers are always on the move and short of time. Highlight key information and key risk areas to grab attention, even from those who might just skim the report.
5. Produce reports relevant to decision making
Often, the effort and resources spent on generating reports are simply wasted, as they are not relevant for decision making.
The object of a report is to provide key risk data to the management and to generate remedial action where required..
6. Compile the quantitative and qualitative data into one report
Relevant risk data involves quantitative and qualitative content. Both the data forms have to be combined and integrated when creating reports.
7. On-time delivery of reports
Timing matters a lot!
Late reports cripple the effectiveness of decision making. Report analysis is done differently in every organization. Some look into daily reports, some do it on a weekly basis and most of them carry out a monthly or quarterly review of the reports. Depending on the schedule, reports should be produced in real-time for the best results.
8. Constant review of the reporting system and report structure
Organizations are continuously evolving. Report delivery and structure should also be developed with respect to the changes in the organization.
Conduct regular checks on risk taxonomy, risk indicators, performance indicators, risk profiles and control measures, as they are susceptible to change, and reflect the changes on risk reports. Increasing the length of the risk report doesn’t matter, it is crisp and precise content that makes the difference.
9. Transparency in risk ownership
Every risk must have a risk owner who is responsible fo securing data integrity of the risk report. At the same time, an effective risk report serves the interests and obligations of risk owners. So it is advisable to have clear designations for them.
Remember, a constructive ERM report has a powerful influence on business decisions and acts as the true essence of risk management.
About The Author:-
Mohammed Nasser Barakat Consultancy Director at CAREweb Corporate Governance Consultancy offering Governance, Risk & Compliance (GRC) software used by the well known global business organizations. Nasser is Certified Control and Risk Self Assessment Practitioner (CCSA) and has 8 years experience in Internal audit solutions, Enterprise Risk Management and consultancy.
Further reading on Risk Management:
If you liked this page, feel free to recommend us!