Guide to Risk and Risk Reporting

Business risk is the level of exposure to uncertainties that the enterprise must understand and effectively manage as it achieves its objectives and creates value. It is not just about threats; there is an upside as well as a downside. Risk is not about a single point estimate—time frame is an important factor when evaluating risk, and exposure and uncertainty are important factors.

Points to Consider

• Risk is a fact of life; life is constantly changing and is uncertain.
• Today’s economy requires companies to identify and respond more quickly to changing risk profiles.
• All management is essentially risk management.
• Many risk management activities are well-defined and accountability has been assigned. For risks that have not been defined/assigned, risks can “slip between the cracks” and/or be managed inconsistently due to individual perceptions of the significance of the risk.

Here is Protiviti’s Business Risk Model, which outlines some types of business risk:

In order to prioritize business risk, you must consider the following:

• Significance: How big of an impact would this risk have if it were to occur? Impact could be in many areas, including financial, reputation, human resources, stock valuation, etc.
• Likelihood: Consider how likely it is that this risk would actually occur given the inherent uncertainties in your business. Don’t consider the mitigating effects of internal controls.

Board Members’ View of Risk Reporting: Room for Improvement

A strong majority reports that boards are not executing mature or robust risk oversight processes. In the absence of routine risk appetite dialogue, risk appetite may not always get driven down into the business to set risk tolerances. Processes for monitoring and reporting of risks should be enhanced.

Richness of Risk Data is a Challenge for Top Management

Over time, organizations have become rich in risk data, but volume or quality of risk analysis is low. Executives receive 200-300 pages of risk-related data quarterly or monthly. Despite the abundance of data, quality analysis to steer recipients to the most salient points is often missing.

A number of times executives find it hard to analyze the data due to its complexity. Often they are unable to answer 2 basic questions:

• Is the organization riskier today than it was yesterday?
• Is the organization likely to become riskier tomorrow than it is today?

Risk Index

A risk index is designed to capture, calculate and evaluate a large volume of complex risk data and reduce it to a single number. This calculation is applied in a customized manner to address the unique business strategies and risks within each individual company.

A risk index can be run at an enterprise level, a divisional level, an individual business-unit level or within specific geographic regions. This feature, in particular, demonstrates how a company-specific risk index differs from other related indicators and methodologies.

Risk reporting is a top priority, but significant issues include lack of focus, too little analysis and too much information.

Stakeholders value these characteristics:

• Simplicity – A single number that can be used as a quick risk reference
• Versatility & Scalability – May be tailored to the enterprise, business unit, function, product or geography
• Real-time – Updated as often as needed
• Strategic – Captures the most important risk drivers that directly impact achievement of strategic and operating objectives
• Leading – Provides early warning signals that allow management to focus resources aimed at preventing/mitigating additional risks from arising within a defined tolerance level
• Credibility – Makes intuitive sense and has buy-in at all levels of the institution

A Typical Risk Index Methodology

Components of a Risk Index

1. Index components should allow for “drill down” capabilities. Core components should be derived from risks and specific metrics aligned to the firm’s strategy.
2. The metrics should be a mix of leading and lagging measurement indicators. Certain risk metrics, such as talent attrition, can serve as both leading and lagging measurement indicators.

Need for a Risk Index

Traditional methods of risk measurement tend to generate information that is difficult to aggregate and interpret across multiple types of risks. Transparency is not to satisfaction despite:

1. Independent risk functions
2. Investment of millions of dollars
3. Internally and externally audited
4. Heavy and increasing regulation
5. Heightened scrutiny by rating agencies, equity analysts and others
6. Expansive 10-K reports

Risk information is generally not meeting expectations of the board, senior management, shareholders and regulators.

Developing a Risk Index

Linking Risk to Performance to Strategy

A Risk Index

Approach

In summary, a risk report should be simple, highly scalable, understandable and flexible. That is, it must be a straightforward concept with leading-edge thinking, applicable from departments to the enterprise level, resonate well with senior management and board members, and as rudimentary or sophisticated as needed.