All too often boards and audit committees are presented with an array of risk information that is too detailed and does not provide a succinct summary of the status of risk in the organisation.

The key purpose of risk reporting to boards or audit committees is to provide a summarised indicator of the level of risk within the organisation. ‘Dashboard’ reporting is now very common amongst organisation, and the analogy is a useful way to explain what is required in a board risk report.

Just as the driver of a motor vehicle has to monitor certain key indicators of the vehicle when driving so does a organisation need to monitor its performance.

As a driver we need to be able to constantly monitor functions like speed, revs, fuel and engine temperature. It is not necessary for the driver to see all the mechanical and electrical workings of the vehicle, all that is needed is oversight of the indicators. This could be compared to ‘performance reporting’ – how is the organisation tracking against their established targets.

Dashboards also have an array of indicators (typically red or orange) that indicate warnings for oil, battery, the park brake, hazard lights etc. These flag critical or urgent warnings in relation to our driving progress. The Dashboard indicators display ‘exception’ flagging where there has been a deviation that has the potential to impact on our ability to progress, allowing the driver to take action.

Similarly, Dashboard-style risk performance reporting should provide a board or audit committee with sufficient succinct information to guide the organisation’s progress forward.

Sample dashboard risk performance reporting QRMC

The Dashboard-style risk indicators should display both status over time (i.e. graphed changes in the organisational risk profile) and ‘exception’ flagging. Indications of ‘by exception’ information is especially valuable to the board or audit committee on the following types of issues:

  • Risks that have gained high or extreme status since last report
  • Progress on the implementation of risk treatments for these risks
  • Emerging organisation or industry risks.

Please contact QRMC for more information.