Keith Cureton shares insights about reporting risk information to executive teams and boards. Keith now serves a Director of Ethics and Compliance at Kamehameha Schools in Honolulu, Hawaii following his retirement from UPS in Atlanta where he was Vice President of Global Compliance and Ethics. In his role at UPS, Keith led the company’s ERM process and regularly reported risk information to top management and the board of directors.
Kinds of Information a Board Wants
When we think about the kinds of information boards want, we have to understand the perspective of individuals who serve on boards. They have tremendous business expertise, but they may not be experts in the details of an entity or its industry. As a result, they may not be as in tune with risks that may be impacting an entity or its industry to the extent management might be aware. Boards need management's help in understanding what the real risks are. They want information about the details of what is going on.
Management has the tendency to not want to share too much information with their boards. Sometimes management has a fear of being totally exposed if they share too much with the board. But, in reality it is helpful to management for the board to understand what is happening. Doing so, makes board members more helpful to management. If management wants a board to help and guide, management needs to be honest with the board.
Nature and Extent of Risk Information Provided to Boards
As management thinks about the nature and extent of information provided to the board, it is helpful to focus on transparency and simplicity. Being honest with the board by helping them understand the big picture without going too deep in the weeds helps the board understand issues, challenges, and problems the organization is facing so the board can advise on strategies. That provides the board context and a view of the big picture of what is going on. That positions the board to be able to substantively assist management in strategic decision making with insights about risks on the horizon.
Profile Summaries of Top Risks
A helpful tool in sharing information to boards is a risk profile summary. Preparing a risk profile summary about each top risk provides boards a high level overview of top risks. Profile summaries highlight answers to several “what” questions regarding a risk:
What is the risk?
What are the root causes that are driving the risk?
What are we doing to prevent the risk?
What are we doing if the risk begins to escalate?
What metrics are helping us keep an eye on the risk trending?
Summaries of this kind of information can become a catalyst for communication between boards and top management to help both engage in robust discussions about big risks on the horizon. Profile summaries are prepared for all the top risks (not all risks in the risk universe).
Leverage Board Insights About Risks
Robust conversations about risks with the board can help the board and management play to their strengths. Management looks at risks from an inside-the-company-looking-outward perspective while boards look at risks from an outside-looking-inward perspective. Both perspectives can lead to a more holistic understanding of the context surrounding a risk.
Pulling Boards into Risk Conversations
Boards are used to hearing good news – that is, they like hearing about all the things that are going well. They aren’t really used to hearing bad news. ERM gives management permission to share both the good and the bad with the board. Doing so can help the board and management come together to address top risk issues so that strategic goals and priorities are more likely to be achieved.
Subscribe to ERM Insights
The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.