An important element in Enterprise Risk Management is risk reporting. Throughout the risk management process there are continuous feedback loops, such as within the risk assessment, while risks are being monitored, and when an internal audit takes place. The aim of risk management is to ensure compliance with policies, laws and regulations; to provide assurance to the board that significant risks have been identified and are being managed within the set risk appetite; and to provide details to inform decisions.
Different Levels of Reporting
Reporting takes place at different stages and at different levels. At an operational level, at the first line of defence, reporting is detailed and frequent, and usually carried out in isolation from other operational areas or functions.
Within the second line of defence, the Risk Management function is interested in categorising and aggregating the risks from different departments and functions. The reports are used for monitoring compliance and to obtain assurance that sufficient controls are in place. Reporting of incidents is of great importance in the second line of defence. Higher up in the organisational hierarchy, at board level, the reports will require less detail and provide aggregated views on movements and trends as well as overall results from risk and control self-assessments.
The detailed and the high level reports will be useful for the third line of defence, the internal audit. This will enable them to check that assigned actions have been duly followed up after breaches. The reports can also serve as a basis for testing of controls to ensure that they are sufficient and that the risk management process is effective.
Choice of systems for risk management
To be fully effective, reporting needs to be integrated into normal operating procedures. Needless to say, resources also need to be allocated. Producing reports in spreadsheets and stand-alone documents can be sufficient, and it is how most companies start off when they begin to report on risk. This tends to be time consuming, especially if there is a requirement for an accompanying dashboard. Another downside is that it is difficult to obtain an audit trail of the changes that have been made. It can also be challenging to keep track of versions.
The solution may be to implement a software system or tool, usually referred to as a GRC reporting tool (GRC stands for Governance, Risk and Compliance). Some are available as more or less “off-the-shelf” products that require some tweaking to fit the specifics of the company, and some providers offer more custom-made solutions. However, it does not matter how good the tool is if the information that goes into it is rubbish! Remember the acronym from the eighties: GIGO, Garbage In, Garbage Out. The more organised and logical a paper system is, the less effort will be needed at the implementation stage of a GRC tool. Implementing a GRC tool can be a cumbersome task and there will be costs involved. First there needs to be an initial investment in getting organised, cleaning and sorting the information that needs to go into the system, then training and any IT system requirements, followed by fees relating to set-up and licences. Once set up, most providers will charge a licence fee per user per year. It is therefore important that a cost-benefit analysis is carried out.
A risk management tool can in the long run save a lot of time and effort, but it is important to understand that it does not replace the risk manager. The oversight, the communication between departments and functions, the understanding of how risks aggregate (or do not), and the responsibility for the function all remain fully relevant.
Contact us to see how we can help:
Risk Management London
12 Dunster Court
Office +44 (0)208 2070 452
Help Line +44 (0)7775 900 333