Relevant information, properly and timeously communicated to relevant stakeholders, is essential in order to equip such stakeholders to identify, assess and respond to risks.
It is important that risk reporting demonstrates that the Institution is managing its key risks. This requires an Institution to define and communicate risk reporting arrangements to all stakeholders. A clearly defined risk reporting structure is essential to facilitate effective communication among stakeholders in the risk management process.
Used effectively, risk reporting pinpoints areas of the Institution where controls are excessive and where they may be reduced to enable deviation of resources to areas where controls may be less adequate. Common language, consistent form of reporting and collaboration among stakeholders (Committees, Management, Chief Risk Officer, etc) are critical to ensuring that risk reports are effectively utilised to drive Institutional performance. It is also crucial that risk reporting is not only a bottom up approach. While risk reporting is meant to aid Managers to make risk-based decisions, it is equally important for such information and decisions to be communicated to operational staff and/or relevant officials in an Institution.
Effective information and communication is intended to support enhanced decision making and accountability through:
· Relevant, timely, accurate and complete information;
· Communicating responsibilities and actions.
When deciding on information and communication protocols, the following aspects should be considered:
· Understanding clearly the needs and requirements of each stakeholder group. This would include agreeing with them the manner, content and form in which the information should be communicated and the frequency of reporting;
· To what extent existing reporting channels can be utilised to transmit the required information rather than creating new channels.
Various sources of internal and external information could be used to source data for reporting. Furthermore, this information could be in quantitative and qualitative form. The challenge for Management is to process and refine large volumes of data into relevant and actionable information, and to keep historical records of analysis, trends and decisions. This challenge can be overcome by implementing an information system to source, capture, process, analyse and report relevant information.
3. Implementing a risk management reporting system
The use of the risk management software will enable management to obtain "real time" information for decision making. This will also enhance monitoring activities. Technology may provide the necessary audit trail that could be used by risk owners and assurance providers to determine whether controls are working effectively, including whether target dates for action plans are being fully complied with. Although technology may provide value to risk reporting, it is important that processes around risk reporting are properly designed before implementation of technology is considered.
Whether or not automated or manual processes are used it is advisable to have customised reports as an early warning system. A risk dashboard can be used to expedite the flow of critical information to enhance decision-making. Supplementary information can be included in more detailed reports such as: progress with risk management implementation, incident reports, and emerging risk reports.
Click here to view an example of a risk dashboard.
4. Incident reporting system
Incident reporting is another means of risk monitoring and reviewing the effectiveness of controls. The principle of real-time incident reporting for key processes is growing in prominence globally. Certain disciplines such as Safety, Health, Environmental and Quality may already have in place incident reporting systems. Such reporting systems should be integrated into the broader risk management incident reporting systems in order to avoid duplication of effort.
Click here to see an incident reporting template.
5. Emerging risk warning system
Emerging risks are previously unrecognised risks that may be an imminent threat. Such risks may emanate through changes in the regulatory environment, external events, internal changes or social trends.
Effective risk management will incorporate a process of identifying emerging trends, which could pose threats and risks. The frequency with which emerging risks are deliberately interrogated will be influenced by the rate of change and dynamism the Institution is confronted with.
Click here to see an example of an emerging risks reporting template.