Risk Reporting – Why it matters


How to make risk reports more compelling   

In our next series of blogs Tony and John talk about the importance of reporting and how to ensure that risk reports are read and understood by the business.  Operational Risk Software can be key to supporting this discipline.   

Taken from: Mastering Risk Management 

There is little value in carrying out the processes in your risk framework without good reporting. Informed decision making flows from good risk reporting. Without it, poor decisions are far more likely or, even worse, no decisions are made at all. It can be all too easy to drown in risk data, and so be unable to produce information and reports which support effective action plans to improve your risk profile or protect your business.

Good risk reporting is more difficult than it looks. With the widespread use of Excel spreadsheets, everyone thinks that they can write good reports. However, little consideration is given to the fact that risk information is often complex and presenting it to a broad and diverse audience is not easy. The diagram below shows that, in a typical risk framework, reporting is the foundation, providing a stable base from which good risk management is built.

Risk reporting

 

Communicating key messages and other common issues

Communication of key messages

Report producers often assume that the reader has the same knowledge of risk as they do. This is rarely true. In addition, most senior management have considerably less time to read and digest a report than the producer of the report took to produce it. Attention must therefore be given to making sure that the report communicates the key messages. This can be done in a variety of ways, often by techniques such as highlighting or using colours, but take care not to overuse colours. 

Risk reports may be directed at heads of departments, heads of business lines, risk committees or the board. There are clearly differing needs in this broad church of users. At one extreme, the board will generally require a report giving headline risk information and highlighted exceptions and will assume, unless told otherwise, that the rest of the risk profile is acceptable (or at least not unacceptable). The board will not be interested in a report which details all the risk data available to the firm. However, it may well ask for specific and detailed information on a particular area. Indeed, such a request shows that the board is fully involved in the risk management of the firm and has read and digested the regular summary exception reports.

A CEO or head of business unit is likely to be interested in the business-level or process-level risks, risk management and risk and control self-assessments. Equally, the supervisor of a unit within a department will have an interest in detailed activity-level risks. For a risk report to be of use, it must capture and report on risks, controls, indicators and losses which are pitched at the level of detail appropriate for the recipients of the report. Data must therefore be in a form in which it can be tailored and presented to answer the needs of a variety of audiences at any point in time.

Understanding of risk terms

Significant effort is needed to ensure that there is a common understanding of the terms used in a risk report. This will typically involve management awareness programmes, as well as a glossary in the risk policy document. Even with this done, it is advisable to make sure that the terms used in the reports are clear, in common use throughout the firm, and mean the same thing to everybody who reads them. For example, the term ‘severity’ may confuse a reader if ‘impact’ is the common term used in the firm. 

Use of quantitative and qualitative information

As we have seen in previous blogs, risk management generates both quantitative and qualitative data. A particular challenge for risk reporting is, therefore, that of collecting, aggregating and interlinking both quantitative and qualitative data in reports. With a little bit of forethought and planning, it is possible to generate reports which enable this to happen naturally. Regrettably, most risk reports comprise only either quantitative or qualitative data; the interlinking challenge is conspicuous by its absence. 

For example, it is very common to have a report which contains qualitative information about the risks and controls relevant to a particular business unit, without any reference to the quantitative information provided by key risk indicators and losses relating to the same unit. While the head of a department or business line may wish to know all his or her risks and controls, this is likely to be the only audience which requires that information in isolation. Other users will want information from all the key risk management processes, but only that which is relevant to them. 

Data collection and quality 

A common (but misplaced) view in risk management is that reports are not worth producing until the quality of the data is acceptable. Data quality may be poor because it has not all been collected (e.g. the complete collection of losses is notoriously difficult); or because risk management is not embedded in the firm (e.g. risk and control self-assessments may not yet have achieved acceptance). 

Reports which contain data of suspect quality should be clearly annotated. They may still provide useful information, but they should also be used to show the advantages which would accrue if data were of better quality. While such an approach works up to a point, it should be treated with caution. By replaying poor quality data in reports to the producers of the data and their seniors, you are in serious danger of compromising acceptance of good and effective risk management throughout the firm. 

In our next blog Tony and John explain the basic principles of operational risk management reporting.    

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com 

 

 
