VALUE-ADD TEMPLATES FOR REPORTING KEY RISKS & CONTROLS TO THE BUSINESS MANAGERS & LEADERS.

Part of the roles and responsibilities of the executive management, boards and board committees is to let the business managers and assurance providers know the type of items they want to see in the risk profile reports they are being provided with to support them perform on their corporate mandates. A few of the critical items top on their list of risk profile reports are the top key risk exposures, mitigating controls and the performance in controlling the risks to the ideal residual levels in line with the approved company risk appetite and tolerance levels. The top key risks and controls performance reports enhance insights on the big pictures, implications on the organizations and the effectiveness of the management responses in dealing with the root causes.

In addition. given that the risk management efforts at all levels (operations, management, governance and assurance levels) should be contributing to the achievement of the overall corporate goals and objectives, the business leaderships want to see how the risk management efforts are aligning with the corporate strategies, goals and objectives to strengthen their confidence and trust in making risk informed decisions and taking actions for the best interest of their organizations.

For many years now, descriptive, qualitative and quantitative Heat Maps or Matrices have been the most common templates for analyzing risks, determining risk sizes, control effectiveness and directional changes.

Risk sizes could be inherent or residual. The inherent risk size refers to the gross risk or risk severity and is largely driven by the interaction of many factors which primarily include probability of occurrence and potential impact. The residual risk size or net risk is determined primarily by the quality of controls designed and operating to mitigate the inherent risk sizes.

Current residual risk, target residual risk, current control effectiveness and target control effectives are further elements used to gauge risk and control directions and extent of deviations from the approved risk appetite and tolerance levels. Mitigating risks means to reduce the probability of risk occurrence or the potential risk impacts r both probability and impact. 

Using descriptive or qualitative heat maps or matrices alone to analyze risks, controls and the status reporting may appear easier when compared to other methods such as 100 basis points. However, the general perception is that using descriptive, qualitative and quantitative heat maps or matrices to analyses risks, controls and the status reporting tend to present vague results, relative size interpretation problems and visibility issues of the big picture view at a glance. It may require checking through many pages of presentation slides or documents to get the explanation notes and big picture view which may be time wasting for the end users of the reports

Consequently, use of 100 Basis Points and other approaches to analyze risk sizes, control effectiveness and the status reporting add strengths and advantage. They make it possible to present the computed values in percentages and visibility of the big picture view at a glance. This is because percentages appear to have universal understanding and interpretation of the relative sizes with ease,

Presented below are some of the templates users may consider for adopting in their risk and control reporting efforts. The templates are focused on the Key Business Performance Measurement Indicators (KPIs) and possible impact of the risk management efforts.

These templates will be helpful to the following categories: 

•  New risk managers who are confused on how to report risks and controls to their senior bosses. 
• Well experienced risk professionals seeking for different perspectives on how to improve their current risk and control reporting templates.
• Business leaders -management, board and regulators desiring greater    insights on the key risk exposures and control performance disclosures in the organizations.
• Students of business management and governance who are keen to acquire knowledge, experience and skills beyond their standard school curricular to enhance successful career choice and growth opportunities.
• and others who may find the post beneficial.

The business leaders – executive management, boards and board committees will find them refreshing and helpful while they can serve as good starting points for the new managers. The well experienced ones can use them to benchmark with their current reporting templates to identify gaps and improvement opportunities to embed the lesson learnt to building an improved risk and control reporting template. to support the decision support systems.

I anticipate that attempts to use these templates will help to incite interesting questions, needs, , open discussions and genuine demands from different levels. These will eventually lead to re-engineering and positive transformation of the status quo with all the business functions mounting pressures   for stronger and seamless internal collaborations, partnerships and synergy in delivering risk management and assurance engagements right from planning through execution, incident tracking and reporting to achieve more and move to greater levels. Hopefully, this will reinforce the organization to give serious thoughts toward adopting “Combined Assurance Model”.

The templates are available for download in PowerPoint or pdf format. To get a copy please, contact Sally on the contact details provided towards the end of this post.