risk management report

Reporting internally

Different levels within an organisation have their own risk accountabilities and responsibilities, and so require different risk reporting and communication to and from the risk management process.

The Board of Directors or Trustees must:

Organisation functions and departments shall:

  • be aware of the risks that fall within their scope of responsibility, the potential impact they may have on others and the effect that others may have on them
  • have performance indicators that allow them to identify and monitor critical business activities and progress towards, e.g. cost, etc
  • have systems in place that report variations in schedule, costs, performance, health, safety, environmental impact, etc., and projections at the appropriate frequency so that action can be taken proactively
  • systematically and promptly inform senior management of any new risks or perceived risks

Individuals within the business must:

  • understand their responsibility for individually managing risk
  • understand how they can continually improve their response to risk management, including engaging in the risk assessment process
  • understand that risk management and communicating risk information are an essential part of the organisation’s culture and of good communication
  • systematically and promptly inform senior management of any uncertainty, any new risks perceived, or any failures of existing risk control and mitigation measures

Reporting externally

Stakeholder communication

An entity should regularly inform its stakeholders about its risk management policies and their effectiveness in achieving its objectives.

Stakeholders also expect organisations to provide evidence of effective risk management of the organisation’s non-financial performance in community affairs, human rights, labour practices, regulatory compliance, health and safety, the environment, etc.

Corporate governance

Good corporate governance requires organisations to adopt a methodological approach to risk management that:

  • protects the interests of its stakeholders
  • ensures that Board decision-making fulfils its responsibilities to strategically align, add value and monitor the organisation’s performance
  • ensures that management controls are in place and functioning properly

Formal risk reporting

Arrangements for formal reporting on risk management should be clearly defined and available to stakeholders. Formal risk reporting should take into account:

  • risk control and mitigation methods, in particular, management responsibilities for risk management
  • processes for identifying emerging risks, and how effective risk management systems address them through informed decision-making and risk treatment options (risk control and risk mitigation actions)
  • primary control systems for managing potential risks
  • the monitoring, and the verification of that monitoring, in force
  • effective reporting and good communication to all stakeholders

All significant deficiencies identified by the system, or in the system itself, should be reported, and measures should be taken to remedy them.


IRM risk management standard