Reporting internally
Different levels within an organisation have risk accountabilities and responsibilities and require different risk reporting and communication to and from the risk management process.
The Board of Directors or Trustees must:
- understand the critical risks of the organisation
- understand the potential impact of deviations from areas of expected performance on all stakeholders
- ensure adequate risk perception and awareness across the organisation
- know how the organisation is managing any specific risk
- understand the importance of stakeholders trusting the organisation
- know how to manage an effective risk-reporting communication strategy with stakeholders
- be sure that the risk management process is working effectively
- publish a clear risk management policy that reflects the philosophy and responsibilities of the risk management process
Organisation functions and departments shall:
- be aware of the risks that fall within their scope of responsibility, the potential impact they may have on others and the effect that others may have on them
- have performance indicators that allow them to identify and monitor critical business activities and progress towards, e.g. cost, etc
- have systems in place that risk report variations in schedule, costs, performance, health, safety, environmental impact, etc., and projections at the appropriate frequency so that action can be proactively taken
- systematically and promptly inform senior management of any new risks or perceived risks
Individuals with the business must:
- understand their responsibility for individually managing risk
- understand how they can continually improve their response to risk management, including engaging in the risk assessment process
- understand that risk management and communicating risk information are an essential part of the organisation’s culture, and good communication
- systematically and promptly inform senior management of any uncertainty or new risks perceived or failures of existing risk control and mitigating measures
Reporting Externally
Stakeholder communication
An entity should regularly inform its stakeholders about its risk management policies and their effectiveness in achieving its objectives.
Stakeholders also expect organisations to provide evidence of effective risk management of the organisation’s non-financial performance in community affairs, human rights, labour practices, regulatory compliance, health and safety, the environment, etc.
Corporate governance
Good corporate governance requires organisations to adopt a methodological approach to risk management that:
- protects the interests of its stakeholders
- ensures that Board decision-making fulfils its responsibilities to strategically align, add value and monitor the organisation’s performance
- ensures that management controls are in place and functioning properly
Formal risk reporting
Arrangements for formal risk reporting on risk management should be clearly defined and available to stakeholders. Formal risk reporting should take into account:
- risk control and mitigation methods, in particular, management responsibilities for risk management
- processes for identifying emerging risks and how effective risk management systems address them through informed decision-making and risk treatment options by risk control and risk mitigation actions
- primary control systems for managing potential risks
- monitoring and monitoring verification in force
- provide effective reporting and good effective communication to all stakeholders
All significant deficiencies identified by the system or itself should be reported, and measures should be taken to remedy them.