Reporting Risks to the Board (2) Page 1 of 6 Version 1.0 6/03/2007

APM Risk SiG Conference 26APM Risk SiG Conference 26APM Risk SiG Conference 26APM Risk SiG Conference 26thththth October 2006 October 2006 October 2006 October 2006

Reporting risks to the boardReporting risks to the boardReporting risks to the boardReporting risks to the board

PurposePurposePurposePurpose The purpose of this paper is to summarise the key points from the various presentations and knowledge sharing session held at the October meeting of the Risk SiG. It should provide a reminder for those at the event of the main issues, tips and suggestions for reporting risks to the board. It may also be useful for anyone not present who has an interest in this topic. This paper should be read in conjunction with the presentations which are available for viewing at http://www.apm.org.uk/riskmanagement/page.asp?categoryID=11&subCategoryID=&pageID=&action=viewArticle&category=75&uID=&ID=525

Scope The target audience for this paper is predominately project and programme managers. However others involved in

operational or business risk would find many of the ideas useful.

IntroductionIntroductionIntroductionIntroduction The presenters were asked to provide their views on reporting risks to the board. They were given a brief which highlighted 4 topics for consideration and were asked to reflect on those areas from as many perspectives as possible. After the main presentations the delegates split into 4 Knowledge Sharing Network (KSN) groups to discuss each topic. Whilst the body of this paper maintains that structure, many of the key points were identified several times in different areas. For simplicity each key point has been placed in its predominant section.

Reporting Risks to the Board (2) Page 2 of 6 Version 1.0 6/03/2007

GovernanceGovernanceGovernanceGovernance There were 5 key points identified in this topic:

� BodiesBodiesBodiesBodies It is necessary to have a clear understanding of which parts of the organisation are involved in the risk process. Both BT and Rolls Royce have a clear framework diagram that explained the groups involved and also how information flowed between them.

� StakeholdersStakeholdersStakeholdersStakeholders Stakeholders – a common theme is to ensure that stakeholders are identified and engaged as they offer a different perspective and a broader range of possible impacts. Some stakeholders will identify strategic risks which may need to be managed at the Project Sponsor level. Any

effective risk process should provide an identification of the widest range of risks and should have a contribution

from stakeholders.

� AppetiteAppetiteAppetiteAppetite One important prerequisite for helping to determine the level of detail required for risk reporting is to know the Board’s risk appetite. As Protiviti explained “establish the big rules including appetite and ask are the risks undertaken consistent with the organisation’s risk appetite?

� CultureCultureCultureCulture The term culture towards risk management is used a lot but without much detailed definition. For many it is the attitude to risk combined with the risk appetite that generates a culture. Clearly every individual on a board will have a different attitude to risk but collectively the board will promote a particular risk culture – either

consciously or subconsciously, tuning in to that culture is very important, especially if you want to try and change it.

� Common LanguageCommon LanguageCommon LanguageCommon Language When reporting risks to the board you must ensure that the terminology used will be clearly understood by the recipients. This implies that a common risk language be used across the business and this can be defined as part of the risk policy or the risk standards.

There were two additional points raised during the governance KSN. � The first was how to convince the Board that they own governance of risks. A comment was made that it is

active ownership that is needed. One suggestion for supporting the board was to offer a “Masterclass” in risk

management. It was also recommended that the board members be approached individually. � Some boards may not fully understand project and risk management – but can’t admit it. One suggestion for this

is to get them to actively manage a single risk with support.

5Governance of ERM Programme

Risk Committee

Risk Steering Committee

(min 2 times a year)

Tool (ARM)

Process

Risk Stakeholder Meeting

(monthly)Communication of status

Change Control Board

ARM Steering Committee

Risk Owner / Risk Champion Risk point of Contact

QuantificationSteering

Committee

* Risk ProcessCouncil

(quarterly)

Risk Systems & PoC 1-1s(fortnightly)

DoR (ERM)

Risk Executive

(monthly)

Assurance Sector Review Boards

Programme

DeliveryTeams

* Internal only at present

Reporting Risks to the Board (2) Page 3 of 6 Version 1.0 6/03/2007

ReceivingReceivingReceivingReceiving informationinformationinformationinformation There were 3 key points identified in this topic. This topic was slightly modified during the analysis to include any process related suggestions.

� Process Process Process Process –––– frequency frequency frequency frequency Everyone agreed that there should be a defined risk process, however the frequency of reporting to the board

was dependent on the industry and the organisation but should be at least every 6 months with some form of escalation in place for any new emerging or rapidly changing risks. Protiviti explained this clearly in their presentation:

Report Risk Information

Utilise reporting

process to communicate key risk information to

risk sources for accountability, responsibility and

action.

Aggregate

Risk

Information

11©Copyright 2004 Marsh U.S.A

Business Risk InventorySM

Business Interruption Environmental Product/Service Failure

Change Response Health and Safety Product/Service Pricing

Compliance Inventory Management Real Estate

Contract Commitment Knowledge Management Relationship Management

Customer Satisfaction Measurement Sourcing

Cycle Time Partnering Supply Chain

Delivery Channel Physical Security Strategy Implementation

Distribution Product Development Transaction Processing

Efficiency Product/Service Liability

Brand

Business Model

Business Portfolio

Intellectual Property

Location

Marketplace

Organizational

Structure

Planning

Product Life Cycle

Resource Allocation

Accountability

Change Readiness

Communications

Competencies/Skills

Empowerment

Employment Law Violation

Hir ing/ Retention

Leadership

Outsourcing

Performance Incentives

Succession Planning

Training/Development

Conflict of Interest

Employee Fraud

Ethical Decision

Making

Illegal Acts

Management Fraud

Third-Party Fraud

Unauthorized Acts

Access

Availability

Capacity

Data Integrity

e-Commerce

Information

Secur ity

Infrastructure

Relevance

Reliability

Technological

Innovation

Accounting Information

Budgeting and Forecasting

Completeness/Accuracy

Investment Evaluation

Pension Fund

Regulatory Reporting

Taxation

Cash Flow

Collateral

Commodities

Concentration

Counterparty

Credit

Default

Equity

Financial Instruments

Foreign Exchange

Interest Rate

Liquidity

Modeling

Opportunity Cost

Process

Strategic

Human Resources Integrity TechnologyManagement Information

Financial

EXTERNAL

INTERNAL

Operational

Capital Availability Economy Legal Shareholder Relations Terrorism

Competitor Financial Markets Natural Hazard/Catastrophe Social Responsibility

Customer Needs Industry Regulatory Sovereign/Political

Capture Risk

Information

from Multiple

Sources

Senior Management

Middle Management

Employees

Environment

Industry

Competitors

Consultants

Enterprise-wide Reporting

Cross-functional leaders and core

resources.• Aggregate data• Prioritise risks• Monitor action

Analyse and

Summarise Risks

Prioritise

Key Risks

Aware of all key risks and the

necessary action to manage/mitigate the risks.

Board Reporting

Validate Risk Profile communicating key risks to Executive Management and the Board.

Coordinated, Informed

Decision-making

� The majority of Boards meet 9~12 times per year and run for 3~4 hours

� The frequency with which you should Risk Report to the Board is dependent on:

� Volatility of the company and industry;

� Risk appetite of the company;

� Occurrence of significant risk event; and

� Identification of potential significant risk event.

� As a general guide:

� Formal reporting should occur quarterly

� Ad-hoc reporting channels should be established and used as necessary to report risks of strategic importance

Frequency of Reporting

Reporting Risks to the Board (2) Page 4 of 6 Version 1.0 6/03/2007

� Top down and bottom upTop down and bottom upTop down and bottom upTop down and bottom up

Must undertake bottom-up analysis and flow of risks as well as top-down. This was mentioned by most presenters and is succinctly demonstrated by this slide

6Embedded Risk Management

Project

Business

Sector

Corporate IMP

LE

ME

NT

ED

AC

TIO

NS

IDE

NT

IFIE

D R

ISK

S

Risk Register Hierarchy

The bottom-up is, of course, to capture those big or common risks. The top-down is to ensure that the lower

levels understand the risks which the higher levels are managing allowing them to help and see that their big risks haven’t been discounted. HVR explained “Strategic risks help structure risk identification at the lower level. You should be able to relate tactical risks to strategic risks.

� Concise top level with supporting documentationConcise top level with supporting documentationConcise top level with supporting documentationConcise top level with supporting documentation

It is important to ensure that an appropriate amount of information is presented at all levels and that means at the top-level you need to report the information in a simple, concise way.

Reporting of Risk Reporting of Risk Reporting of Risk Reporting of Risk The 5 key points were:-

� Understand what the Board require to help them make decisions

What does the board want? – Find out! The board may not know what they want. Use what we have got and try to anticipate what they want.

� Aligned with strategy and objectives.

What is the board strategy? Is it finance, or sales, or expansion, or customer satisfaction based? Risk must impact

on corporate strategy/objectives. Rolls Royce explained the risks need to be presented in financial terms and in how they impact on the strategic objectives. Thus Rolls Royce can target mitigation resources at key risks. BT explained “Enterprise threats are discussed at Board level and appear in the Annual Report. An example of a strategic risk is the pension fund is large compared with the size of the company.”

� Effective communication/ presentation sympathetic to the organisation’s culture.

� Present the few key (5/6) risks across the organisation.

� Right Information at the right time

Protiviti summed this up by:

Reporting Risks to the Board (2) Page 5 of 6 Version 1.0 6/03/2007

Board

Senior Management

Risk Managers

� Most significant risks (impact, likelihood)

� Most significant risk events

� Risks with strategic importance

� Have supporting documentation available if requested

Am

ou

nt

of

info

rma

tio

n r

eq

uir

ed

� Detailed analysis of significant risks

� Detailed analysis of significant risk events

� Understanding of risk impact on strategic objectives

� High level communication, understanding of lower level risks (process level)

� Detailed understanding of risk environment

� Detailed analysis of the significance, cause

and management action associated with risk

� Ongoing communications on risks

What risks to report?

Tools and TechniquesTools and TechniquesTools and TechniquesTools and Techniques One technique identified or referenced by most presenters was:

� Cause and effect – sensitivity graph (driver analysis)

This aspect came out in different ways in the presentations but they were saying overall that it is important to consider how the risks’ causes and effects are linked so that a model (e.g. quantitative) can be produced or

resources can be addressed at the key risk drivers in order to maximise return on effort managing risks. One aspect of this can be demonstrated by the below from one of Rolls Royce’s slides:

The large group of about 20 people in the KSN agreed that there were two additional key points: � Need a suite of tools which can operate at all levels (but these would depend on the maturity of the organisation)

BT explained that they use a collection of tools including one to produce their risk dashboard:-

Reporting Risks to the Board (2) Page 6 of 6 Version 1.0 6/03/2007

© British Telecommunications plc

20

40

60

Risk A

Risk H

Risk I

Risk E

Risk FRisk G

Risk B

Risk C

Risk D

(%)

Example of Board Report

Likelihood of risk impact at £Xm

80

20

40

60

80

Risk J

Risk K

Risk L

Rolls Royce are implementing an enterprise-wide tool (ARM). Many organisations use cheap tools, e.g. Excel, and can’t justify the expense of a heavyweight tool but still want the benefits of hierarchical risk management. The feeling was that this could be achieved.

� Need some consultancy to help the organisation to implement this,

This was so that the company can have a common language, education, expertise in the tools & techniques available and someone to drive the implementation. This could well be from within the company. Strategic

Thought said “Use a common terminology, categories that reflect the organisation.”

ConclusionConclusionConclusionConclusion Overall the conclusion is to ensure that the boards expectations of risk management are understood and that the reporting of risks is done in a way that provides valuable information at the right time to enable the boards to reduce surprises, to link operational risks with strategic decisions and recognise when their risk exposure or their risk appetite changes. It should be simple and clear although the supporting documentation should be available if needed.

AcknowledgementsAcknowledgementsAcknowledgementsAcknowledgements Thanks very much to all of the presenters who have made their material available. Larry Stone, BT Tom Teixeira, Rolls Royce Martin Hopkinson, HVR Karl Davey, Strategic Thought Jonathan Blackhurst, Protiviti Legal notice:Legal notice:Legal notice:Legal notice: Neither the Association for Project Management, nor any person acting on behalf of the Association, is responsible for the use which might be made of the information contained in this publication.