Reporting risk to leadership: Simple strategies part 1
Organizations that excel in managing risk see substantial performance improvements, often outperforming their peers by a significant margin. In fact, when it comes to reporting risk to leadership, organizations with strong risk management and security practices tend to perform four times better than those without.
In a session at the Diligent Elevate 2024 customer conference, industry experts gathered to share their experiences and to discuss practical strategies for reporting risk to leadership. Our panel of experts included:
- John Horn, Director, Cybersecurity Practice, Datos Insights
- Derek Vadala, Chief Risk Officer, Bitsight Technologies
- Inna Barmash, Chief Legal Officer and Corporate Secretary, Amplify
- Maurice L. Crescenzi, Jr., Industry Practice Leader, Moody’s
During the session, panelists also shared key insights and actionable advice aimed at helping risk managers navigate the task of reporting to the board. In this two-part series, we explore some of the key themes that the discussion covered, along with practical tips and tactics for better ways of reporting risk to leadership.
Fostering open dialogue and trust
Building trust with leadership is essential for effective risk communication. Encourage open dialogue and be transparent about the challenges and uncertainties. This approach not only builds credibility but also enables leaders to make informed decisions. When trust is established, leadership is more likely to support risk management initiatives and integrate them into broader business strategies.
Effective communication starts with being proactive. Don’t wait for leadership to come to you with questions. Provide regular updates and be forthcoming about any emerging risks or changes in the risk landscape. This proactive stance shows that you’re on top of your game and committed to safeguarding the organization.
Encouraging open dialogue is equally important. Invite leaders and board members to ask questions and express their concerns. Make it clear that their input is valued and that you’re committed to addressing any issues they raise. This two-way communication can lead to more robust risk management practices and a more resilient organization.
By fostering an environment of openness and trust, you’ll not only enhance your risk reporting but also create a culture where risk management is a shared responsibility, leading to more informed and strategic decision-making across the board.
Crescenzi advised that “Part of building trust and laying the foundation for understanding risk is using plain language. Most companies organize enterprise risk into four buckets:
- Strategic risk
- Operational risk
- Financial risk
- Regulatory compliance risk
Keep it practical in updates to the board. It’s easy to get lost in the data, so instead, talk about the top three or four or five risks in very simplified ways.”
Establishing clear definitions and terms
A major hurdle in reporting risks is unclear definitions. Without a common language, communication breaks down. Begin by defining what risk means for your organization.
Are you discussing operational risks, financial risks, or reputational risks? Clarify these terms to ensure everyone, from the board to the team on the ground, is on the same page. This alignment fosters more focused and effective discussions.
It’s crucial to standardize the terminology used in risk reports, making it easier for everyone to understand the severity and implications. Whether you’re dealing with supply chain vulnerabilities or regulatory compliance issues, precise definitions help in identifying, assessing and mitigating risks more effectively. This step is foundational; it sets the stage for all subsequent risk management activities and ensures that your communication is clear and actionable.
Barmash suggested that risk managers “calibrate with the management team, the participants in the risk assessment and the board. It’s very important to define risks precisely and also align on what we mean by high-priority risks, low-priority risks, etc., to really talk about impact and likelihood. That both stimulates a good conversation and also a more robust risk assessment.”
Translating risks for the board
A key takeaway from the discussion was the importance of simplifying complex topics. Synthesizing data into understandable formats for board members is essential for effective risk reporting.
Vadala pointed out, “What happens is people tend to go into the boardroom with metrics and stats and very elaborate slides about what’s going on in the organization and what people should be worried about. You really have to synthesize that into understanding the mindset of the board and the context of risk management.”
This involves not only presenting data but also interpreting it in a way that aligns with the board’s strategic objectives and risk appetite.
Translating technical risks into business-relevant language is also crucial for effective communication with board members.
Risk managers must bridge the gap between technical jargon and business implications to ensure that leadership understands the risks and can make informed decisions.
As Horn put it, “GRC (governance, risk, and compliance) is just a translation exercise, a very complicated, ongoing translation exercise.”
Vadala advised trying to make a particular discussion about a risk relatable to at least some portion of the board’s prior experience: “Do the right biographical research on board members to really understand where they’re coming from, what types of stories are relatable to them. We tend to just use narratives that are relatable to ourselves. That’s often not a great way to get people to engage in what you’re trying to tell them.
If you make it relatable to them and their prior experience, you tend to get more buy-in, engagement, and credibility. So, if you have a board member that came from the supply and logistics industry or from healthcare, being able to contextualize that into areas that they have spent a lot of time in tends to be much more effective.”
Keeping the board and everyone in the risk management chain informed is imperative — but how can you deliver that information in a way that’s cost-effective, centralized and scalable? Our checklist “The 4 C’s of effective ERM reporting” offers helpful tips for taking your ERM reporting to the next level. Download the checklist here.
Using practical tools for reporting risk management
The panel highlighted the use of simple, practical tools like risk heat maps and scenario planning. These tools help visualize risks and their potential impacts, making it easier for leadership to understand and prioritize risk mitigation efforts.
Barmash described how heat maps had helped switch on the proverbial light bulb for her board, “Everyone had their own idea of risk. So, we worked on an assessment and an internal calibration effort to really educate people on impact and likelihood and what we really mean and what are the implications of the word risk. And the first presentation to the board was, well, here are some risks.
And it really wasn’t until we presented a heat map that I literally felt a sigh of relief in the boardroom at the recognition. A heat map is really a conversation tool in terms of communicating and going back to storytelling. Once you find your story, it’s really important to find a platform for telling the story.”
Vadala discussed scenario-oriented planning, saying it’s important to ask, “What are the things that are potentially going to cause impact damage to your organization? Are you focused on the right ones? Do they feel plausible even if they are unlikely or very infrequent? But are they things that a reasonable person with reasonable knowledge of the business could believe could happen?
And how do you then put that into a context that the board can help prioritize and understand and not just sort of have this long list of potential risks on a risk register, but really link those back to compromise of protected health information about customers due to a ransomware event.”
Risk management is evolving rapidly
As the digital landscape and threats continue to evolve, so must our approach to risk management. By staying proactive, collaborative, and focused on clear communication, risk managers can ensure that leadership is well-informed and equipped to make data-driven decisions that help protect the organization from risks.
To keep up and stay ahead of risks, you need a consolidated view of governance, risk and compliance across your organization. (Head to part two here for more practical tips and tactics for better ways of reporting risk to leadership)
The Diligent One platform centralizes your GRC data for a unified perspective on risks and impactful insights that guide better decision-making.
See how Diligent One can help you streamline your risk management processes. Schedule a demo today.