Directors facing a “disruptive decade” need risk reporting that provides strategic intelligence rather than comprehensive data. Protiviti’s Jim DeLoach argues for risk communication that feeds off management reporting, emphasizes critical enterprise and emerging risks and enables meaningful dialogue about strategic assumptions and market dynamics.
Twice before, I have written on these pages about improving board risk reporting. In my previous writing, I shared some wisdom offered by Rick Steinberg, a friend of mine and well-respected member of the governance community. While I initially proposed six principles in 2016, Rick’s thoughtful additions of four more principles — addressing how boards and management should evaluate risk communication quality — helped create the more comprehensive framework I discussed in my most recent missive on the subject, which was published in 2017.
From where I sit, eight years is a long time in a rapidly changing world. In today’s optics, companies face constant disruption and the emergence of unexpected challenges. Leaders must navigate “unknown unknowns” as the lifespans of corporate strategies and business models shorten. Innovations in workflows, products and services continuously reshape how people live, work and play. Consumer preferences and experiences shift quickly due to transformative technologies, while geopolitical volatility, regional conflicts, policy shifts, fiscal deficits and central bank decisions demand fresh assessments of long-held assumptions. Then, of course, there’s the buzz over tariffs and their impact on global trade and the economy.
Smart decision-making requires staying in touch with market dynamics, as the past offers little guidance for anticipating the future. One CEO analogized the level of uncertainty to driving in a fog — sometimes you have to pull over to the side of the road and pause until you can see where you’re going.
As the 2020s sustain an ongoing trend as a “disruptive decade,” executive leaders and boards must stay on top of developments — both internationally and domestically — that could affect their company’s strategy and risk profile. To that end, directors need help defining, understanding and prioritizing risk. Alignment between the board and the CEO and board-facing executives on key risks and risk management strategies is crucial for effective corporate governance and organizational success. Thus, board risk reporting remains a timely topic and will always be so in a dynamic world.
Given this state of play, I offer 10 interrelated principles underlying board risk reporting and engagement that are updated from the ones articulated eight years ago.
1. Link risk reports to key business objectives
Depending on the nature of the business, the relevance of risk reporting should be assured by coupling it to business plans and the critical objectives and initiatives management has communicated to the board. Some risks may affect multiple objectives, while others may require specific actions to address changing internal and external conditions to ensure achievement of objectives, which in turn increases the robustness of the strategy itself.
In effect, risk reporting should be integrated with strategy, business objectives and plans and performance management. It is less effective when it is an afterthought to strategy and an appendage to performance management. Failure to define risks in the context of the organization’s objectives leads to the inevitable “so what” questions.
2. Feed board reporting off management reporting
If the two are aligned with the only difference being depth and packaging of content, the process is more elegant and things get easier. If management prepares risk information solely for the purpose of reporting to the board, it strongly suggests to directors that the reports they receive are not intended to facilitate the organization’s strategic management of risk. The process is most effective when (1) the primary risk owners assume responsibility for managing the critical risks, including emerging risks, created by the activities for which they are accountable, and (2) the risk management discipline is integrated with performance management.
3. Focus risk reporting on critical enterprise and emerging risks
Critical enterprise risks represent those that can threaten the viability of the company’s strategy, business model or reputation. If agreed on with the board, they warrant the most attention when considering the strategy-setting process in the boardroom.
Accordingly, they should be emphasized in risk reporting to the board. Also, board-facing executives and directors should be mindful of emerging risks triggered by unanticipated and potentially disruptive events of varying velocity, including catastrophic events (e.g., a pandemic, major cyber attack or hurricane) and existing risks accelerated by external and/or internal factors in unexpected ways (e.g., supply chain disruption, regional conflicts or disruptive industry innovations).
These two broad risk categories — critical enterprise risks and emerging risks — provide a context for the full board and the various board committees to consider when ensuring the scope of risk reporting is sufficiently comprehensive, forward-looking and focused on the right risks. High-level updates on company initiatives in these risk areas allow the board to understand progress, or lack thereof, toward organizational agility and preparedness and engage in follow-up discussions.
4. Address day-to-day risks on an outlier basis and when reporting on different areas of the business
Every business has myriad operational, financial and compliance risks. If any of these are critical enterprise risks, they warrant ongoing attention from either the full board or a designated board committee. The remaining risks represent a separate category that should be communicated to the board as part of periodic status reports on line-of-business, product, geography, functional or program performance. However, unusual, significant and unexpected matters related to these day-to-day risks should be escalated on a timely basis according to established protocols. For example, exceptions against established limits (i.e., limit breaches) or a significant breakdown, error, incident, loss (or lost opportunity), close call or near-miss in a critical area warrant escalation to the board.
5. Define and communicate who is responsible for risk management
Directors want to know that someone owns the risks that matter. Risk ownership responsibility rests with the CEO, their direct reports and so on, cascading downward and across the organization so that everyone with significant responsibilities is accountable for the risks sourced from their respective activities. To this end, the chief risk officer (CRO), or equivalent executive, may serve as a catalyst in designing, implementing and providing needed support to risk owners in implementing the organization’s risk management framework. The board needs assurance that responsibility for managing risk is where it needs to be — at the source of risk — so that unforeseen developments can be acted upon in a timely manner.
6. Require risk owners to engage directly with the board on relevant risks
When owners of corporate, line-of-business, product, geography, functional or program objectives and performance goals report to the board, they should also disclose the most important risks they face within the context of a common framework and language. This linkage of opportunity and risk is important, as it enables each stakeholder reporting to the board to discuss the:
- Underlying core assumptions and inherent risks in executing those elements of the strategy for which the stakeholder is responsible.
- “Hard spots” and “soft spots” inherent in the business plan and achieving the related performance targets.
- Implications of changes in the external environment on the core assumptions underpinning the strategy and the acceptable levels of risk inherent in the strategy.
Integrating risk with performance reporting engages the collective experience of the board in addressing potential market developments and elevates confidence in management’s risk awareness and ownership.
7. Report on whether changes in the external environment are affecting critical strategic assumptions and boundaries
To help address emerging risks, board reporting should offer insights regarding management’s assumptions about markets, customers, competition, technology, regulations, commodity availability and other external factors and, more importantly, whether those assumptions remain valid. Reporting should focus on whether changes in these external factors have occurred or are occurring and, if so, whether such changes alter the fundamentals underlying the business model.
Risk reporting should include insights from both external and internal sources, as well as from geopolitical and scenario analyses to offer an early-warning red flag capability. Proactive “reality testing” that drives timely, actionable follow-up engenders forward-looking confidence in the boardroom.
A winning strategy exploits to a significant extent the areas in which the organization excels relative to its competitors. Often, executive management and the board agree to boundaries within which the company executes that strategy — the strategic, operational and financial parameters around opportunity-seeking behavior. Accordingly, risk reporting should disclose when conditions change as well as when agreed-on parameters are approached or breached.
8. Provide insights into how management ensures an effective risk management process
In addition to understanding who is responsible for risk, directors should have at least a high-level understanding of the risk management process itself — e.g., how the process is designed, the way in which it is implemented, the extent of buy-in and ownership across the organization, how the board’s role is delineated from management’s and how effectively the process is functioning — giving them confidence that management is effective in identifying, sourcing, measuring, managing and monitoring the company’s risks.
The overriding theme of considering the potential for and impact of significant unforeseen developments should be emphasized when discussing who is responsible, who is accountable, who should be consulted and when and who should be informed in an open, “speak up” and transparent culture.
If the CRO and internal audit provide assurance on the effectiveness of risk management processes — including the related tabletop and scenario planning exercises, market intelligence gathering processes, the reliability of risk metrics and efficacy of internal controls — the board’s confidence is further enhanced.
9. Pay attention to directors’ preferences
This self-evident principle suggests the importance of listening to directors to align risk reporting more closely with their preferences. Our discussions with directors indicate that many want the following:
- Plain language reporting and crisp presentations. This is an imperative for boardroom success. Keep presentations short and to the point. Avoid acronyms and technical jargon. Addressing specific questions in the boardroom rather than preparing a comprehensive presentation that anticipates every possible question leads to focused discussions and zeroes in on directors’ real concerns.
- More insights and less detail. Overwhelming directors with data mires them in the weeds and does not contribute to strategic conversations. Focus on the message and the real issues facing the company and end with key takeaways and actionable conclusions. Sharing data is productive if the dots are connected with intention to support takeaways that educate the board on management’s thinking. If a deep dive is needed in a particular area, take it offline, if possible.
- If there is an ask, make it clear. Clarify the board’s intended actions or requested feedback. Is it to agree on a decision, approve a policy or report, review performance, debate an issue, define viable options or allocate capital? If there isn’t an ask, indicate that the information is intended to educate the directors.
- More engagement and dialogue. Directors value productive risk discussions. For example, risk assessments linked to the company’s strategic objectives and performance goals could be integrated into strategic boardroom discussions. Risks related to the most formidable obstacles to achieving the company’s objectives and goals can surface useful insights requiring follow-up.
- Better understanding of the uncertainty the company faces. Many directors want to know what management is doing to improve organizational resilience, agility and preparedness.
- An opportunity to look forward, not backward. Boards want more forward-looking insights (e.g., management not only tends to the knitting of executing the strategy but also keeps a watchful eye on the vital signs in the marketplace that indicate continued relevance of the strategy and business model). For example, analysis of plausible and extreme scenarios can contribute insights that lead to meaningful response plans, action triggers and decision prompts that will give the board confidence in the company’s resilience in facing the unexpected.
- Learnings from postmortems. When things that weren’t anticipated go wrong — either in the company or in another organization — an objective postmortem can provide valuable insights for both the board and CEO.
10. Continuously improve board risk reporting through an iterative process
Management should apply the above interrelated principles with the intention of asking the board to provide feedback. While it is true that directors often don’t know what they want specifically in the way of risk reporting, continuous improvement is a two-way street. Start with an approach and improve it continuously with iterative feedback from directors and the CEO.
The above interrelated principles are not intended to prescribe specific reporting practices but rather to offer sound direction for executive management and the board to improve board risk reports and conversations that are grounded in a strategic context.
There is no one-size-fits-all approach to board risk reporting. What works for one board may not for another. Every enterprise is different from a strategic, operational, cultural and organizational structure standpoint, which in turn drives different reporting to the board. In the end, directors want an ongoing review of progress, a focus on practical and actionable takeaways and timely forward-looking insights on what matters as markets evolve and unforeseen developments occur.