Forget the old-fashioned risk information flows from business units to risk managers who develop risk reports and present them to executives, the audit committee or the Board. There is a better way. Based on the research and interviews we conducted, the internal risk communication should be two-way:
- Business units should be reporting on their own risks as part of normal performance reporting (be it weekly, monthly or quarterly performance reporting) as well as for any significant decisions;
- Risk managers should be reporting on risks when there is an alternative point of view that is contradictory to business unit opinion or risk managers have additional information which should be considered when making a decision.
One thing is clear, information about risks should flow in the organisation every day and every time a decision is being made, not once a week or month when a risk assessment is done.
There are several ways to significantly improve internal risk management communication:
- Include the requirement to share / disclose risk information in policies and procedures;
- Change performance reporting / management reporting templates to include risk analysis results;
- Get involved in report and document preparation to make sure risks are adequately captured;
- Create own communication channels (newsletters, intranet site, email alerts);
- Take ownership of some internal reporting on risks.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
|☐||Identify existing information flows (management performance reporting, decision making / approvals, information bulletins)|
|☐||Change internal policies and procedures to require risk information to be included / disclosed|
|☐||Change existing reporting templates to include risk management information|
|☐||Provide methodologies to business units to help them accurately disclose risk information|
|☐||Review / validate results to check for quality, accuracy, consistency and completeness|