Drafting reports about organizational risks for senior executives to consider is one of the most important duties that chief compliance officers have. Effective risk reporting is fundamental to a strong compliance program—and, frankly, to a chief compliance officer’s career security. It’s something every compliance professional needs to understand and do well.
So today let’s step back and review the fundamentals: What is risk reporting, and how do you create an effective risk report?
What is a Risk Report?
A risk report imparts information about the company’s most pressing risks at the moment. Typically it will address critical risks, where consequences for the firm could be dire; as well as emerging risks that could cause larger trouble in the future if they’re not monitored carefully.
Moreover, the risk report should discuss how well the company is or isn’t managing those risks at that moment. So the report might also include material about which policies are insufficient, which controls aren’t working as well as expected, or what additional steps might be necessary to keep risk within the company’s tolerance levels.
Why Risk Reporting Is Important
Foremost, policies are insufficient is important because the board of directors’ job is to monitor the effectiveness of risk management systems—and the board (specifically the audit committee) can’t do that well without understanding what the company’s risks actually are. Audit committees that take a lackadaisical approach to oversight of risk management violate their fiduciary duties under the law and can face lawsuits in court. So it’s no surprise that audit committees like to see competent, effective risk reporting.
Risk reporting is also important because it helps the board to offer strategic advice. For example, your risk report might warn about a high risk of corruption should the company expand into emerging markets. That report might prompt the board to reconsider whether expansion is wise, or alternative pricing strategies, or some other move. Regardless, the risk report is the raw material the board uses to ponder those choices.
Meanwhile, the management team will rely on risk reports to understand how it might need to change operations to do business in a more risk-aware manner. Let’s say the board does decide that expansion into emerging markets is necessary. It then falls to management to decide how to achieve that objective. A thorough risk report will help senior executives understand how they might need to update policies about gifts and entertainment spending, or incentive compensation for hitting sales quotas, or due diligence systems to research overseas customers.
Effective risk reporting is also important to regulators. Should they ever visit your company to review its conduct or the compliance program and find a weak ability to report and discuss risks, nothing good comes of that. Consider this passage from the U.S. Justice Department’s guidance on evaluating compliance programs:
The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile…
A company can’t identify, assess, and define its risk profile if executives aren’t talking about what those risks are—and a risk report is fundamental to that discussion.
What a Risk Report Should Include
As we mentioned above, your risk report should address the most critical risks, as well as emerging risks.
Compliance officers will naturally tend to focus on critical or emerging regulatory compliance risks, and that’s a perfectly fine place to start. For example, your report might address data privacy rules as you’re expanding into new markets, or government contracting rules if you’re starting to bid on government contracts. Compliance officers will always worry about anti-corruption enforcement, too.
Think expansively here. Consider how changes in your company’s routine operations might change the nature of longstanding risks your company has always had. For example, one emerging and critical risk could be a shift to employees working from home—which could change your risks for fraud, cybersecurity, and harassment radically, without any change in the actual laws and regulations that govern those issues. Sometimes a shift in operations will leave existing policies and controls insufficient for the risks at hand, and that’s something to include in a risk report.
The work from home example calls out another important point: Are any external conditions changing, that challenge the assumptions in your risk management program?
For example, the work from home shift is happening because of the COVID-19 crisis. Along similar lines, new trade policies around the world could create sanctions risks; a merger might create antitrust risks. The more broadly you define possible emerging or critical risks, the better you’ll be able to identify the actual emerging or critical risks that should go into your report.
What a Risk Report Should Address
Every risk in the report should include a discussion of its potential impact. That’s what senior executives and board directors want to understand as they decide how the risk should be addressed.
We can define “impact” along several lines:
- Financial: monetary penalties as part of regulatory enforcement action; related manpower or equipment costs for that investigation (outside counsel, new technology, and so forth); lost revenue or profits
- Operational: whether a risk might lead to inventory that can’t be sold, factories that can’t be used, business processes that might not work when necessary, and so forth
- Strategic: whether a risk could thwart certain long-range options, such as leaving the company with too little cash to acquire merger targets or develop new products
- Reputational: could a risk damage the corporate reputation among customers, consumers, or business partners
Not every risk needs a full discussion of every point above, but compliance officers should at least consider these variables, and which ones are most relevant for the risk you’re discussing.
The report should explore how the compliance program is trying to address the risk in question. For example, state whether the company’s existing policies and controls are producing desired results; or what weaknesses exist in controls meant to govern the risk. The discussion should also include a timeline for action to resolve any control weaknesses you have, identify the owner of the risk, and ask for any guidance from the board or management if that’s necessary.
How to Create an Effective Risk Report?
Let’s assume your report has identified all the risks that truly should be included. At that point, the real threat is that the report presents too much information, in a way that leaves the reader overwhelmed or confused about what to do. An effective risk report is about focus and structure, in addition to content.
For example, the risk report should be easy to read and digest. That means an executive summary of the risks and why they’re included in the report, followed by in-depth discussions of each risk and your supporting data. The length of the summary can vary, but as a rule of thumb, any summary that goes above 10 pages is edging toward too long.
After that executive summary, you can dive into the details—which might be voluminous. This is where you can include supporting data (the more you use charts or graphics from data visualization tools, the better), audit reports, case histories, cost projections, and so forth. In electronic format, you can even structure your risk report with links to let the reader skip back and forth from the summary to in-depth discussion.
An effective report also clearly ties each risk to a stated business objective. After all, most people who read the risk report will hail from business operations or management functions, without much background in compliance or risk management. Connecting the risk to a business objective tells the reader why the risk matters, and is worth his or her attention.
Lastly, an effective report maps out a plan of action or poses questions that the board or senior management needs to answer. An effective report involves the reader, either by reassuring him or her that a plan exists to bring risk under control, or soliciting guidance about what to do next. A risk report captures the state of a company’s risk management challenges at the moment and charts potential ways forward.
What a risk report isn’t is an exercise unto itself. It is not a check-the-box exercise to show that the compliance function has done its job. It’s a tool to help senior leaders do their job of governing the company—and the more expertly you handle that tool, the more successful your compliance program will be.