Is Risk Reporting Just a Paper Fly?
Risk reporting helps provide information to key stakeholders to enable the flow of the right information to the right people at the right level at the right time.
Such reporting must be delivered regularly to support an ongoing flow of information.
The benefits of risk reporting include:
- Reducing the uncertainties of outcomes within the organisation.
- Monitoring the progress of maintaining the risks within tolerance limits.
- Understanding the effectiveness of internal control and taking timely action to mitigate the risk.
That’s why one of the key objectives of risk reporting is risk response, improvement plans, and recommendations.
Risk reporting aims to highlight the risks to the critical stakeholders, informing them of the likelihood and severity of the risk so that action can be taken to mitigate it.
It’s the last leg of the risk management process – identification, measurement, management, monitoring, and reporting. The process cycle starts again with the feed from the last leg of reported risks to help better identify the risk in the next iteration. This cycle in the actuarial world is referred to as the ‘Control Cycle’.
In all areas of risk management, the risk management process works similarly, and to get the optimum output it should follow this same cycle. Any break in the control cycle can create challenges, and risks may materialise. The purpose of highlighting the risk is that some actions are needed.
In its 18th Global Risk Report 2023,[2] the World Economic Forum (WEF) highlighted ‘geoeconomic confrontation’ as third in the top ten ‘short-term’ risks (that can occur within two years).
This trend has continued from 2017 to 2021 as WEF consistently highlights geopolitical risk as one of the top three risks based on impact, as shown below.
In the presence of these reports, two wars were triggered. In 2021, the war between Russia and Ukraine began, and later in 2023, fighting between Israel and Palestine began.
Since WEF has been reporting risks for the last 18 years, these reports should be utilised to mitigate the risks. In 2017, WEF highlighted geoeconomic confrontation as one of the top three risks and suggested actions on how it should be managed.
The next iteration of the risk identification cycle should benefit from the last reported risk. If mitigating actions are not taken, then do such reports serve any purpose? These wars have led to worldwide impacts, including loss of human lives, infrastructure destruction, and an adverse impact on the global economy, leading to inflation.
Similarly, when COVID-19 surfaced, many institutions’ risk management committees highlighted this risk as an emerging risk, but not enough mitigating actions were taken, which led to the loss of human lives, prolonged lockdown, economic turmoil, job losses and much more.
The human suffering from COVID-19 could not be reduced by a risk management process cycle in which the reported risks were not used to manage them and to improve risk identification in the next iteration. When risk fundamentals are missed, risks become severe crises, and we all have witnessed the impact.
Another example of risk reporting not being prioritised sufficiently is climate risk.
In the above WEF risk reporting, climate risk is among the top five risks for the last five years. Experts in 2023 are already talking about ‘global boiling’ rather than ‘global warming’, and there is a risk of missing 2030 targets towards achieving net zero emissions by 2050.
This, again, suggests that the proper action on the risk reports is not being taken. Even though the information reaches the stakeholders, there isn’t enough action on how to control the risks. Climate risk will impact the world, and if actions are delayed the damage could be either irreparable or permanent, leaving future generations questioning why we did not utilise the available techniques properly.
Before any risk crystallises, it is reported, with emerging risks falling under this category. The purpose of reporting emerging risks is to keep an eye on them, notice their velocity, alert the key stakeholders and plan for action. The above examples suggest that the process is not working, because large risks have materialised.
The role of the Chief Risk Officer (CRO) is to highlight the risk in Board and Executive Risk management committees, provide mitigation actions and offer accountability as to who owns what risk. The failure to mitigate the risk, despite being reported, is squarely on the shoulders of the respective management line. The purpose of the role of risk owners is to place responsibilities on those within areas of their expertise. These subject-matter experts are expected to manage the risks and use the information in the reported risks in the following risk management iteration, thereby providing better controls.
So, are risk reports only for academic interest because significant risks are materialising?
Risk management is a process that requires each of the five steps of risk management – risk identification, measurement, management, monitoring and reporting – to be performed with equal sanity.
Risk reporting is the last step for the stakeholders’ communication about risk management activities and, most importantly, the mitigating action.
It aims to protect the entities from the adverse impact of risk crystallisation either by reducing impact, likelihood of impact or both. However, if reported risks are not acted upon, the entire risk management cycle will break, causing risks to turn into crises.
The break of the risk management cycle indicates that there are challenges either in the risk management process, or in the risk management framework, or even in our mindset.
Theoretically, the most prevalent risk management standards, COSO and ISO31000, have a component of risk reporting adopted by many organisations globally. However, risks are still turning into reality. The challenge with these standards is that, although they have components of risk reporting, as in the risk management process, they do not necessitate action.
This requires enhancement in the risk management framework to fix the mitigating responsibilities to management under the direct supervision of the Board. If risks keep materialising, the process of risk management reporting turns out to be a paper fly.
What actions are required?
Consideration of risks turning into reality saw the creation of enterprise risk management (ERM).
ERM intends to reduce some of the shortcomings of silo risk management, but despite the adoption of ERM, various global crises have indicated that there are gaps in either the process, the framework or the mindset.
To combat this gap, actions can be taken to create a more interactive and potent reporting tool. Firstly, there is a need to educate the Board and executive members on the importance of risk reports, as before the message trickles down to employees, management should understand its importance and what it means.
Secondly, there is a need to enhance the risk management framework, to better define the responsibilities in fixing and mitigating actions to management. No risk report should be presented to the risk committee without outlining who is responsible for managing each risk. This will help create a trigger system so that when the velocity of risks is near crystallisation, the alarms are heard.
Thirdly, all risks, their mitigation actions and the responsible management should be public. If there is any bailout, it is at the cost of taxpayers’ money. That’s why anyone who is invested in the company must know the quarterly risks, their mitigation plans, and those responsible for managing these risks.
The last leg
Risk reporting is the last leg of the risk management process, which is also recommended by all risk management standards. The purpose is to inform the stakeholders about the risk status and take mitigating actions.
Given the way risks have materialised over the last two decades, it seems that not enough oversight is given to the reported risks. Whether the risks are from any organisation or for any country or even at a global level, there should be ownership of the risk so that people can come to know who has missed the risks.
Such ownership of the risks is made public to fix the responsibilities. In the risk management process, the actions are in the hands of risk owners, so the role of risk owners is paramount.
References:
[1] https://assets.publishing.service.gov.uk/media/611642cfe90e070541075731/Good_Practice_Guide_Risk_Reporting_Final.pdf
[2] https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf