Skip to main content
Risk Monitoring and Communications

Communicating Risk Insights to Boards of Directors

David Hughes

David Hughes, Assistant VP and Head of ERM at HCA Healthcare shares insights with Bruce Branson, Associate Director of the NC State ERM Initiative about the methods and tools he has developed to effectively convey risk information and key insights to the HCA leadership team and Board of Directors.

How to Provide Risk Details

HCA’s board receives over 100 pages of material from the ERM program in advance of their annual risk conversation. This far exceeds the average “pre-read” package that we see across most organizations. Dave discusses how his board is receptive to this level of detailed risk information and wants to continue receiving the depth of information that they have grown accustomed to. The materials include HCAs “top ten” risk exposures overall and by a large number of subgroups (which is possible due to the 500+ individuals who contribute to the risk identification and assessment process at HCA. In addition, the ERM annual report includes actual quotes from the risk conversations (without attribution) that adds significant context to the summarized scores.

How Often to Provide Risk Updates to the Board?

The HCA senior leadership team receives annual updates from ERM each January. This timing allows for the output of the risk identification and assessment process to contribute to the development of the strategic plan update each year (conducted during the spring each year at HCA). While the ERM function makes their presentation once a year it is not uncommon for the board to ask specific risk owners to join them at pother meetings during the year to provide a “deep dive” on certain risks the board has a particular interest in learning more about.

What Software Tools are Needed for Effective Risk Communication?

At HCA, which has been evolving their ERM process for over twenty years, the Microsoft Office suite remains the predominant software used to organize the risk inventory and develop presentations for the board and senior leadership team. Risk data is pulled into a database and Microsoft Power BI is used to query the data and investigate results across multiple subgroups. HCA also utilizes Adobe Illustrator to prepare the graphics used in the ERM report provided to the board.

Starting the Risk Conversation

The reports that HCA’s ERM team provide to their board are only the starting point for developing a rich understanding of risk exposures. By highlighting differences in responses across subgroups (e.g., hospital leadership vis-à-vis the board), all parties can begin to appreciate the diversity of risk perspectives and exposures across an organization and better appreciate the need for a robust risk management and governance process.

Interested in this topic? You may also like this article, Reporting Risk Information to Boards of Directors.