A year ago, I published an article in NACD Directorship summarizing six principles for improving board risk reporting. This remains a timely topic, as I continue to see senior management and risk executives focus on improving their risk reporting to their companies’ boards.
One thing is clear: there is no one-size-fits-all approach to board risk reporting. Taking a template off the shelf rarely works. Every organization is different from a strategic, operational, cultural and organizational-structure standpoint, which in turn drives different reporting to the board. However, the state of play in board reporting raises the question of whether a principled approach might give directors and executives more direction on how to enhance board risk reporting. That question led to my article featuring the six principles.
After I published my article, it caught the eye of a good friend of mine, Rick Steinberg. Rick and I have been in the trenches together a few times. He was the principal author of the COSO Enterprise Risk Management Framework, published in 2004 after a three-year development project, during which I served on the COSO Advisory Board. Years ago, he and I collaborated on a major governance review of a high-profile company. We occasionally compare notes on topics and send things to each other for comment. We think a lot alike.
Rick is widely published and an active consultant and public speaker; he always has something worthwhile to say and is well respected by the management and board communities. After reading my article, Rick proposed adding four more principles to the list. His take is that the six principles I advanced focused attention on what corporate boards should be looking for from the CEO and the senior management team. The four principles he added reach beyond the risk information management reports to the board, addressing additional matters boards should consider to ensure quality communications on risk matters.
With his permission, I have taken the 10 principles and massaged them into the list provided below. I see these 10 board risk reporting principles as interrelated, with an emphasis on reporting that supports managing the business and focusing senior management and directors on the risks that truly matter, enabling them to bring to bear their knowledge, expertise and decision-making in ways that add enterprise value.
The above principles are not intended to prescribe specific reporting practices, but rather to offer sound direction for the board and management to pursue. Rick and I hope directors and executives reporting to the board will find them useful.
Jim DeLoach has over 35 years of experience and is a member of Protiviti’s Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2016.