What should an awesome risk report look like?

Companies and regulators love reports, disclosures and transparency. And nobody loves risk reporting more than me. The trouble is that risk reports are RM1. If we really wanted to make a difference to decision makers, we would switch from risk reporting to risk-adjusted performance reporting instead. Risk managers always have a choice: generate their own risk reports, or use the outputs of risk analysis to improve existing performance and management reports. To me the choice is clear. Integrating risk information into existing management reporting is the future. So, what should a risk-adjusted performance report look like?

5 items you would expect to see in an awesome performance report:

1. Probability of achieving a target or an objective / likelihood of success

A useful metric that risk managers should communicate to decision makers is the probability of meeting or achieving an objective or target. Think of it as achievability given the risks. If your performance report has targets or objectives, then risk managers can measure and report how achievable they are and whether they are more achievable today than last month. Norman Marks calls this likelihood of success and Tim Leech calls it objective-centric. I provide a step-by-step guide on how to do it here. This can be represented as a single number (70% probability of achieving the business plan objective) or as bands (forecasted performance falls within an acceptable range). A separate likelihood of success needs to be reported for each significant objective. Archer Insight, for example, does a good job of presenting risk information as probability distributions around the objective.

2. Risk-adjusted performance metrics

Most of the time it makes no sense to report on the risks themselves; instead, information about risks can be represented as an effect on some existing performance metric. Taleb calls it X and f(X). They also call it f(x) in operations research. Sure, we can quantify any risk, build a loss exceedance curve and even draw important conclusions about the mitigation of that specific risk. This is called X. But it is so much more useful to measure the effect of risk on a decision or an objective instead. This is called f(X), or function of risk.

This can look like representing the risks associated with an investment project as volatility of NPV, or the risks associated with a construction project as volatility of budget and schedule. Risks associated with production can be represented as volatility of the volume of product produced. Another option is assigning future cash flows to their associated risk expectations, to inform decision makers that some promises are more certain than others. Other metrics like RAROC are also good examples.

Obviously it would be weird to see risk-adjusted metrics in a risk report; instead, good risk managers change how performance is reported in existing performance and management reports.

3. VaRs, EaRs, cVaRs

There are certain risks where it makes sense to report them as standalone items. For these risks a loss exceedance curve is normally generated, and useful metrics like expected losses, VaR (unexpected losses), probability above threshold, etc. are determined.

This is what a typical loss exceedance curve looks like:


It makes sense to report risks as standalone if they need to be monitored on a regular basis and have a specific and mature market for mitigation, for example credit risk or market risks. Sometimes we reported operational risks as well, but usually to serve a specific and once-off narrow purpose like purchasing an insurance policy, adjusting a maintenance budget or mitigating an environmental risk.

If there is a culture within the organisation of tracking and monitoring specific financial risks, then it is common to pull that information into a separate risk report and present it on a regular basis to monitor whether risk exposure is within limits. Since VaR recalculation requires risk models, companies usually automate that part of risk reporting. More on that in the next section.

4. Limit breaches and activated stop losses

Whenever risks are quantified as standalone, unexpected losses or VaRs can be used to set limits, and the middle office can be used to monitor against the target risk exposure. The risk management team plays an important internal control role by recalculating VaRs frequently, monitoring risk exposure and activating stop losses if risk exposure goes outside limits. This work usually requires close collaboration with finance, treasury and commercial teams.
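
To make items 3 and 4 concrete, here is an added example (not from the original post) that simulates annual losses, reads points off the loss exceedance curve, and derives expected loss, VaR, cVaR and a limit check. The frequency/severity model (Poisson event count, lognormal loss per event), every parameter value and all function names are assumptions chosen for illustration.

```python
import bisect
import math
import random

def simulate_annual_losses(n_years, freq_mean, sev_mu, sev_sigma, seed=1):
    """Sorted simulated annual losses: Poisson event count, lognormal severity."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        # Knuth's method for one Poisson draw (adequate for small means)
        limit, k, p = math.exp(-freq_mean), 0, rng.random()
        while p > limit:
            k += 1
            p *= rng.random()
        totals.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(k)))
    return sorted(totals)

def exceedance_probability(sorted_losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    n = len(sorted_losses)
    return (n - bisect.bisect_right(sorted_losses, threshold)) / n

def loss_exceedance_curve(sorted_losses, thresholds):
    return [(t, exceedance_probability(sorted_losses, t)) for t in thresholds]

def risk_metrics(sorted_losses, confidence=0.95):
    """Expected loss, VaR (the confidence-level quantile) and cVaR (tail mean)."""
    n = len(sorted_losses)
    idx = max(0, min(n - 1, math.ceil(confidence * n) - 1))
    tail = sorted_losses[idx:]
    return {"expected_loss": sum(sorted_losses) / n,
            "var": sorted_losses[idx],
            "cvar": sum(tail) / len(tail)}

def limit_breached(sorted_losses, limit, confidence=0.95):
    """True when VaR at the given confidence exceeds the approved limit."""
    return risk_metrics(sorted_losses, confidence)["var"] > limit

if __name__ == "__main__":
    # Constructed parameters: ~2 loss events a year, median event loss 100,000
    losses = simulate_annual_losses(20_000, 2.0, math.log(100_000), 1.0, seed=7)
    print({k: round(v) for k, v in risk_metrics(losses).items()})
    for t, p in loss_exceedance_curve(losses, [0, 250_000, 500_000, 1_000_000]):
        print(f"P(annual loss > {t:>9,}) = {p:.3f}")
    print("limit breached:", limit_breached(losses, 1_000_000))
```

Rerunning the simulation whenever the inputs change and comparing the result against the limit is the part of the reporting that is usually automated.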

5. Transparent methodology with a back test

Finally, an awesome risk-adjusted performance report would make the methodologies used in risk analysis transparent to the decision makers and provide clear results of the back tests used. Showing evidence of past back tests is important to give decision makers the confidence needed to make the decisions based on the information presented.

What would you add to the risk-adjusted performance report? Catch Graeme, David and me just before the FERMA event in Copenhagen to share ideas.

