Many organizations struggle to communicate information about their key risk exposures to their boards in an efficient and robust manner. In a survey of ERM leaders at a number of large organizations, we found that, for most, the full board of directors receives an update on the organization's top risks at least annually. Over two-thirds also indicated that the audit committee of their board receives such a report, and one-third noted that they have a separate board-level risk committee that is regularly updated.

  Bruce Branson

Frequency of Reporting

  These reports, which are provided at least annually by most organizations, reflect a list or grouping of the top risks facing their organization. Nearly half told us that their reports are presented more frequently (quarterly or semi-annually), with none indicating a reporting frequency greater than quarterly. Numerous respondents stated that they reported to the risk and/or audit committees of the board more frequently (quarterly or semi-annually) in addition to an annual report provided to the full board. 

  When the report of top risks is presented to the full board, respondents indicated that the discussion is typically led by the ERM lead. In some cases, the person responsible for ERM made the presentation to the audit or risk committee, and the chair of that committee was then responsible for leading the discussion with the full board. In other responses, the CFO, the chief audit executive (CAE), and in a few cases the CEO, were tasked with the actual presentation to the full board.

  In terms of board meeting agenda time typically allocated to the discussion of top risks, there was some interesting variation in responses — as little as 10 minutes in one case, 15 to 20 minutes in several cases, and most commonly, approximately 30 minutes is allocated to this discussion of key risk exposures.

Nature of the Reports 

  The number of key risks typically reported to the board varies to some degree. We found instances of as few as three to five risks and up to as many as 35 included in board materials for discussion. Most organizations, however, seem to report between ten and fifteen key risks to their boards. 

  Reported risks are typically prioritized by likelihood and impact, and where more risks are enumerated, separation into tiers is common. Top-tier risks generally numbered in the 10 to 15 range, with tier-two and tier-three lists varying in length from 10 to 200. Numerous respondents indicated that only top-tier risks were presented to the full board, while lower-tier risks may be reported only to the audit committee or risk committee. This prioritization is most often presented graphically using a heat map or risk dashboard.

  If you are interested in learning about ways in which organizations with mature ERM programs effectively report key risks to their boards, watch for our forthcoming thought paper, Reporting Key Risk Information to the Board of Directors: Top Risk Executives Share Their Practices, to be released in mid-December. This thought paper includes a number of examples of risk reports employed by companies represented on the ERM Initiative's Advisory Board. This article and the soon-to-be-released thought paper will be available for download on our ERM Initiative web site: www.erm.ncsu.edu.

  Bruce Branson, PhD
  Associate Director, NC State’s ERM Initiative

  As Associate Director of North Carolina State University’s ERM Initiative, Bruce Branson works closely with senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding. In this brief article, Bruce discusses the frequency of these reports, to whom these reports are delivered, and the normal format of the reports provided to the board and/or board committee. 


ERM Enterprise Risk Management Initiative 2015-12-07