
RISK TIP #12 – RISK REPORTING BACK

Over my career in risk management I have seen the most amazing array of reports submitted to Boards
and Executives. I am sure you have seen them all as well. Charts such as those shown below proliferate
risk reports:
Now at a glance they look ‘sexy’ but there is one simple problem with these reports – they tell us absolutely nothing about how the risks are being managed – they just provide a status.

A really useful report is focussed purely on those risks with the highest level consequence – regardless of
the likelihood and the overall risk score.

The rationale is simple: management should have visibility of the effectiveness of the control environment relative to the risks that, if they materialise, will have the highest consequences to the
organisation.

Now this approach to reporting is predicated on the assessment of the likelihood of a risk based on control effectiveness rather than time and frequency. I discussed this in Risk Tip #1 – Likelihood.

Let’s take the risk: Unauthorised access to and/or release of confidential information. Our first report to
the Executive is shown below:

The organisation then conducts a full analysis of control effectiveness and the next report looks like this:

What we can see from this report is that the control environment is not at the effectiveness level in the
previous report and, as a result, the likelihood of the risk has increased which, in turn, increases the level
of the risk to a level above the risk appetite of the organisation. This then leaves the Executive with a
risk-informed decision to make – do we invest in the new firewall or do we accept the risk at the higher
level?

The message here is that a ‘traffic light’ report or a bunch of dials is not going to provide the opportunity
to make a risk-informed decision. Equally important is that the decisions will be made by those within
the organisation with the necessary level of authority (see Risk Tip #7 – Risk Ownership).

With reporting such as this the right decisions can be made on the right risks to get the right outcomes
at the right time – with not a traffic light or dial in sight.
COPYRIGHT © PALADIN RISK MANAGEMENT SERVICES 2017
