What are some effective methods to report the status and/or results of ERM activities to management?
AFERM Experts Say...
Reporting will vary depending on leadership and how the audience best receives information. However, reporting will likely focus on the accomplishments of the ERM program, particularly as it relates to enabling an agency to effectively manage risk tolerances at the goal and objective levels and risk appetite at the agency level. To accomplish this, agency leadership should view the risk tolerance of each objective and goal as a target measure of performance.
For example, an agency may leverage a risk tolerance scale of 1-10, with an objective risk tolerance determined to be a 4. The goal of the ERM program is to ensure that the risk associated with that goal deviates as little as possible from the established threshold. Further, consider a target with 10 rings, where the agency’s targeted risk tolerance is the fourth ring. The agency’s actual results can then be overlaid on the target to view any potential deviation. If the results are actually ranked at 5.5, the agency took on too much risk compared to its threshold; the risk response will need to be adjusted. If the ranking is actually at a 3, the agency expended too much energy reducing the risk and can shift resource use to another focus area. Ultimately, this representation allows management to understand how well the ERM program is helping the organization in accomplishing its mission, goals, and objectives.
Additional methods used by agencies include storyboard or dashboard-style presentations capturing key risk metrics for a portfolio of risks, or at a more granular level by program or individual risk. This can be facilitated through user-developed applications based on Microsoft Office Suite tools, or through more advanced governance, risk and compliance (GRC) automated solutions that have built-in analytics and reporting capabilities. We have also seen other informative communication strategies where agencies use a newsletter campaign to broadly distribute important updates, useful tips, and planned implementation details to risk stakeholders on a frequent, recurring basis. The goal is to help make informed decisions and keep ERM at the forefront through proactive engagement.