Reporting risk to leadership: Simple strategies for success part 2

Reporting risk to leadership means knowing how to present complex risk information to the board in a form it can act on. Doing that well is essential for better-informed decisions and proactive risk management in any organization.

Having explored some foundational strategies for reporting risk to leadership in the first of our two-part series, we continue with further recommended tactics for communicating and reporting on risk in a way that informs and empowers decision-makers.

In a session at the Diligent Elevate 2024 customer conference, industry experts gathered to share their experiences and to discuss the topic. Our panelists included:

  • John Horn, Director, Cybersecurity Practice, Datos Insights
  • Derek Vadala, Chief Risk Officer, BitSight
  • Inna Barmash, Chief Legal Officer and Corporate Secretary, Amplify
  • Maurice L. Crescenzi, Jr., Industry Practice Leader, Moody’s

The importance of storytelling and visuals

Simplifying complex topics with visuals and metaphors significantly improves understanding and decision-making. Look for ways to convert complex concepts into digestible images. This not only makes risk reports more engaging but also lets leadership grasp the key points quickly and make informed decisions.

Storytelling can transform complex risk data into compelling narratives that resonate with your board. By illustrating real-world scenarios, you make the abstract concrete and easier to grasp. For instance, recounting how a competitor navigated a cyberattack can spotlight your own vulnerabilities and the steps needed to mitigate them.

Real-world stories provide a context that raw data alone can’t, making your case for risk management investments more persuasive and urgent. They help leadership visualize potential impacts, facilitating quicker, more informed decision-making.

Crescenzi suggested, “Keep the ERM program practically designed and not overly complex throughout the entire life cycle of the ERM process. Even at the very beginning, at the assessment phase where you’re identifying and prioritizing risks, high, medium and low may be good enough. You don’t need decimal points necessarily to evaluate risk.

And then later through the cycle as you’re reporting to the board, keep those presentations simple and use plain language, use graphics and case studies when you can and visuals.”


Keeping the board and everyone in the risk management chain informed is imperative, but how can you deliver that information in a way that is cost-effective, centralized and scalable? Our checklist "The 4 C's of effective ERM reporting" offers helpful tips for taking your ERM reporting to the next level. Download the checklist here.

Staying ahead of the cyber risk curve

With the increasing sophistication of cyberattacks, risk managers must stay ahead of the curve. This involves continuous monitoring, regular review and updating of security controls, and proactive risk mitigation strategies. Cybersecurity was a central theme at Elevate 2024, with experts emphasizing its critical role in risk management.

However, Horn pointed out that when it comes to cyber, while the board wants to understand what they should be worried about and what the organization is doing about it, “It’s hard to get to that conversation, which ultimately results in establishing trust and credibility because we tend to bring a lot of data before we’ve established what to focus on. And that is certainly the case in cybersecurity where, due to its nature, its volatility, and its scale, there is a crush of data before establishing the guardrails of what to be worried about.

As though the board members could parse that data themselves or understand its context. I think technical people think that, well, if I can understand it and we’re under the gun, shouldn’t the board be able to understand that? But they have no chance of understanding some of these things because it’s just not their specialty.”

Vadala agreed, “I think the reality in cybersecurity is it’s pretty hard for even a single expert in cybersecurity to understand the full breadth of it… It is multifaceted.”

This complexity necessitates a comprehensive approach to cybersecurity risk management and reporting, involving collaboration across different departments and stakeholders.

It also underscores the need for clear, concise communication with leadership to ensure they grasp the risks and their potential impacts.

Address emerging risks like AI proactively

AI presents both opportunities and risks, making it essential to address these proactively. Implementing a structured framework for AI risk assessment is crucial. This means understanding how AI can impact your operations, identifying potential vulnerabilities, and putting measures in place to mitigate those risks.

Start by developing clear policies and guidelines on AI usage within your organization. Ensure these policies are communicated effectively and that staff are trained to follow them. Regularly update these guidelines to keep pace with rapid technological advancements.

Additionally, integrate AI risk management into your broader risk strategy. This holistic approach allows you to address AI risks in the context of other enterprise risks, ensuring a balanced and comprehensive risk management program. Being proactive today means fewer surprises tomorrow, making your organization more resilient and adaptive.

Vadala pointed out that, “There are dozens of ways in which AI can create opportunity and risks and it’s not one size fits all for all companies. On the one hand, we want to make sure our employees are not using publicly available AI tools and leaking intellectual property into models that might result in our loss of competitive advantage around key data sets that we own and have curated for many years.”

“Then, on the reverse side, we don’t want to be so risk averse as to not use some of these tools that we can’t figure out how to monetize that data more effectively using things like large language models. So, there is a balance and I think many directors are willing to take some risk until you figure out how to unlock that opportunity.”

Crescenzi explained that, “At Moody’s, when we talk to our customers, they’re thinking about AI from their own internal operations and how AI may pose a risk to them internally. We’re also talking to our customers about how we can leverage AI in our platforms and in our data to help them maximize compliance and reduce risks. So, within one conversation, we could be talking about AI in two different ways.

Even when it comes to regulatory risk, I can envision ways where AI can be helpful in achieving regulatory compliance, depending on what regulation we’re talking about. It comes down to contextualizing AI and what is it specifically that we’re talking about, and then addressing it as a risk or an opportunity.”


5 key takeaways for risk managers reporting risk to leadership

  1. Establish credibility: Synthesize data into understandable formats that align with the board’s strategic objectives and risk appetite.
  2. Translate risks: Convert technical jargon into business-relevant language to ensure that leadership grasps the risks and their potential impacts.
  3. Simplify complex topics: Use visuals, metaphors, and practical tools like risk heat maps to make complex risks understandable to leadership.
  4. Collaborate across departments: Risk is multifaceted and requires a collaborative approach across the organization.
  5. Stay proactive: Continuously monitor and update security controls to stay ahead of evolving cyber threats.
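As an added illustration (not code from the panel or from Diligent), the script below applies the guidance above to a risk register: it scores each risk on a 1-5 likelihood and impact scale, bands it into High, Medium or Low with no decimal points, as Crescenzi recommends, and lays the register out as the kind of heat map named in takeaway 3. The sample register, the 1-5 scale and the product thresholds (15 for High, 8 for Medium) are all assumptions chosen for the example; substitute your own scoring scheme.

```python
"""Band a risk register into High / Medium / Low and lay it out as a heat map.

Added example, not the article's or Diligent's own code. The register,
the 1-5 scale and the band thresholds below are assumptions for illustration.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample register for illustration only; not real data.
SAMPLE_REGISTER_CSV = """\
id,risk,likelihood,impact,owner
R1,Ransomware disrupts order fulfilment,4,5,CISO
R2,Staff paste proprietary data into public AI tools,4,3,CIO
R3,Key supplier insolvency,2,4,CFO
R4,Late breach notification draws a regulatory fine,2,5,CLO
R5,Office power outage,3,1,Facilities
R6,Phishing leads to payroll fraud,3,3,CFO
"""

SCALE = range(1, 6)            # likelihood and impact are each scored 1..5
HIGH_AT, MEDIUM_AT = 15, 8     # assumed likelihood*impact thresholds for the bands


def band(likelihood: int, impact: int) -> str:
    """Return 'High', 'Medium' or 'Low' for a likelihood x impact score."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"scores must be 1-5, got {likelihood}, {impact}")
    score = likelihood * impact
    if score >= HIGH_AT:
        return "High"
    if score >= MEDIUM_AT:
        return "Medium"
    return "Low"


def load_register(csv_text: str) -> list[dict]:
    """Parse a CSV risk register and attach a band to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        likelihood, impact = int(row["likelihood"]), int(row["impact"])
        rows.append({**row, "likelihood": likelihood, "impact": impact,
                     "rating": band(likelihood, impact)})
    return rows


def heat_map(register: list[dict]) -> dict[tuple[int, int], list[str]]:
    """Group risk ids by their (likelihood, impact) cell."""
    cells = defaultdict(list)
    for row in register:
        cells[(row["likelihood"], row["impact"])].append(row["id"])
    return dict(cells)


def band_counts(register: list[dict]) -> Counter:
    """How many risks fall in each band; the one-line answer a board asks for."""
    return Counter(row["rating"] for row in register)


def render(register: list[dict]) -> str:
    """Plain-text 5x5 grid (likelihood down, impact across) plus a ranked list."""
    cells = heat_map(register)
    lines = ["Likelihood / Impact   1    2    3    4    5"]
    for likelihood in reversed(SCALE):
        row = [f"{likelihood:>18}  "]
        for impact in SCALE:
            ids = cells.get((likelihood, impact), [])
            row.append(f"{','.join(ids) or '.':<5}")
        lines.append("".join(row))
    # Rank High before Medium before Low, then by raw score within a band.
    order = {"High": 0, "Medium": 1, "Low": 2}
    ranked = sorted(register,
                    key=lambda r: (order[r["rating"]], -r["likelihood"] * r["impact"]))
    lines.append("")
    for r in ranked:
        lines.append(f"{r['rating']:<6} {r['id']} {r['risk']} (owner: {r['owner']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(load_register(SAMPLE_REGISTER_CSV)))
```

The grid is the board-facing artefact; the ranked list underneath it is the backup detail for the discussion that follows. Out-of-range scores raise an error rather than silently landing in a band, so a mistyped register cannot quietly reshape the picture presented to leadership.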

By adopting these strategies and staying focused on clear communication, risk managers can ensure that leadership is equipped with the knowledge necessary to navigate uncertainties confidently.

Stay ahead of risk with a centralized platform

To manage risks effectively, you need a consolidated view of governance, risk, and compliance across your organization.

The Diligent One platform centralizes your GRC data for a unified perspective on risks and impactful insights that guide better decision-making.

See how Diligent One can help you streamline your risk management processes. Schedule a demo today.
