Risk management report

Reporting internally

Different levels within an organisation have risk accountabilities and responsibilities and require different risk reporting and communication to and from the risk management process.

The Board of Directors or Trustees must:

  • understand the critical risks of the organisation
  • understand the potential impact of deviations from areas of expected performance on all stakeholders
  • ensure adequate risk perception and awareness across the organisation
  • know how the organisation is managing any specific risk
  • understand the importance of stakeholders trusting the organisation
  • know how to manage an effective risk reporting communication strategy with stakeholders
  • be sure that the risk management process is working effectively
  • publish a clear risk management policy that reflects the philosophy and responsibilities of the risk management process

Organisation functions and departments shall:

  • be aware of the risks that fall within their scope of responsibility, the potential impact they may have on others and the effect that others may have on them
  • have performance indicators that allow them to identify and monitor critical business activities and their progress (e.g. against cost targets)
  • have systems in place that report risk variations in schedule, costs, performance, health, safety, environmental impact, etc., together with projections, at an appropriate frequency so that action can be taken proactively
  • systematically and promptly inform senior management of any new risks or perceived risks

Individuals within the business must:

  • understand their responsibility for individually managing risk
  • understand how they can continually improve their response to risk management, including engaging in the risk assessment process
  • understand that risk management and the communication of risk information are an essential part of the organisation’s culture and of good communication
  • systematically and promptly inform senior management of any uncertainty, any new or perceived risks, or any failure of existing risk control and mitigation measures

Reporting externally

Stakeholder communication

An entity should regularly inform its stakeholders about its risk management policies and their effectiveness in achieving its objectives.

Stakeholders also expect organisations to provide evidence of effective risk management of the organisation’s non-financial performance in community affairs, human rights, labour practices, health and safety, the environment, etc.

Corporate governance

Good corporate governance requires organisations to adopt a methodical approach to risk management that:

  • protects the interests of its stakeholders
  • ensures that Board decision making fulfils its responsibilities to strategically align, add value and monitor the organisation’s performance
  • ensures that management controls are in place and functioning properly

Formal risk reporting

Arrangements for formal reporting on risk management should be clearly defined and available to stakeholders. Formal risk reporting should take into account:

  • risk control and mitigation methods, in particular, management responsibilities for risk management
  • processes for identifying emerging risks, and how the risk management system addresses them through informed decision making and the selection of risk treatment options (risk control and risk mitigation actions)
  • primary control systems for managing potential risks
  • the monitoring and verification arrangements in force
  • effective reporting and communication to all stakeholders

All significant deficiencies identified by the system, or in the system itself, should be reported, together with the measures taken to remedy them.


IRM risk management standard