Leading Practices for Enterprise Risk Management Reporting

The following are leading practices for enterprise risk management programs that may help enhance your organization’s program, risk discussions, and reporting. So much of the value of a good ERM program is unlocked through having effective risk discussions. Great risk discussions are facilitated by obtaining the right information, asking appropriate questions, and developing the right reports. Below is an example outline for a risk report that could be used to report to executive management or the board.

When creating a risk report for discussion, consider the following elements:

Current State & Outlook

  • Positive Developments – Starting with positive developments is usually a good thing because it helps balance the report and helps set the tone for the rest of the discussion.
  • Risk Heat Map – Including the top ten to twenty risks on a heat map showing likelihood and impact is a great way to visually present the organization’s overall risk position. Showing the mitigation strength with a color-coding system and/or adding other elements, such as velocity, can also be helpful. However, be careful not to add more than your audience will be able to understand and digest. Simple is more effective than complex. It is better to spend time discussing the risks than trying to explain a complicated slide.
  • Risk Assessment Detail in Financial Terms of Expected Loss – Expressing the probability as a specific percentage, together with the expected impact, lets a risk manager calculate an “expected loss.” Comparing expected loss across top risks ranks them clearly in financial terms.
  • Emerging Risks – Obtain emerging risks from individuals from appropriate locations, management levels, and business functions to help ensure that all relevant perspectives are considered. Also consult external resources such as benchmark industry reports, data from the World Economic Forum, and reports from large consulting and accounting firms.
  • Relevant Project Issues or Delays – Understand key projects impacting top-risk areas and report anything that should be escalated to the level you are reporting to.
  • Risk Outlook – Management and the board will generally be interested in what the outlook is for each top risk, especially if the outlook is worsening over time.

Lookback

  • Risk Heat Map Changes – Showing a lookback of one, two, or three years can help management and the board understand how risks are changing over time. You can use a heat map with red or green arrows showing how risks have moved over time.
  • Changes in External Factors – Include key events impacting your organization and changes in external factors, such as the regulatory environment, technology, competition, internal organization, capabilities, business performance, and improvements. All of these help explain the current risk environment and why the organization is positioned as it is.
  • Prior-Year Go-to-Green Plan Results – Looking back at prior-year action plans to address top risk areas helps improve accountability.

Risk Reduction Priorities, Tradeoffs, & Decision-Making

  • Forward-Looking Risk Appetite – Risk appetite discussions can help facilitate discussions regarding how much risk has already been assumed and what the tolerance or appetite is for taking on additional risk in each top-risk area.
  • Balancing Related Risks – Sometimes risks are related to each other, and sometimes risks are inversely related. For example, perhaps a business continuity risk (having sufficient product on hand) is inversely related to a forecasting/inventory write-off risk. Showing these risks together and including certain information for each can help generate discussion about striking the right balance and appropriately managing both risks.
  • Balancing Risk and Reward – Sometimes, it can be helpful to report on other specific questions that are included in a risk survey, such as “How good are we at balancing risk and reward?” This information can be valuable to executives because it comes directly from risk owners themselves and can help spot unknown problem areas.
  • Prudent Spending by Risk – Including annual risk mitigation spending for each top risk can help identify areas where the organization may be over- or under-spending.
  • Opportunities to Improve Efficiencies – In times of budget constraints, it can be helpful to include opportunities to improve efficiencies while maintaining an appropriate level of mitigation.
  • Tradeoffs, Risks vs Opportunities – If you are confident in having the discussion, taking time to teach management how to make risk-based decisions by weighing expected benefits against expected losses can be rewarding and helpful for management.
  • Go-to-Green Plans – If a top risk does not have a mitigation level that is adequate, then it may make sense to include a “go-to-green” plan. It may also be helpful to show the impact in terms of “expected loss” or likelihood and impact if the “go-to-green” plan is implemented, along with the estimated cost of the project(s).
  • Top Concerns Across Top Risks – Asking risk owners their top risks as an open-ended question can help uncover trends, broader organizational problems, or other critical concerns that should be reported to management and/or the board.
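The expected-loss ranking described under Risk Assessment Detail, and the expected-benefit versus expected-loss comparison used for go-to-green plans and risk/reward tradeoffs, can be carried through in a few lines. This is an added example, not part of the original article; the risk names, probabilities, dollar figures and plan costs are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float  # annual probability of the risk materialising, 0.0 to 1.0
    impact: float      # estimated loss (in dollars) if it does materialise

    def expected_loss(self) -> float:
        # Expected loss is likelihood multiplied by impact.
        return self.likelihood * self.impact


@dataclass
class GoToGreenPlan:
    residual_likelihood: float  # likelihood after the plan is implemented
    residual_impact: float      # impact after the plan is implemented
    annual_cost: float          # estimated annual cost of the plan


def rank_by_expected_loss(risks: list[Risk]) -> list[Risk]:
    """Order top risks by expected loss, largest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def evaluate_plan(risk: Risk, plan: GoToGreenPlan) -> dict:
    """Compare the expected-loss reduction a plan buys against what it costs."""
    current = risk.expected_loss()
    residual = plan.residual_likelihood * plan.residual_impact
    reduction = current - residual            # expected benefit of the plan
    net_benefit = reduction - plan.annual_cost  # positive means the plan pays for itself
    return {"risk": risk.name, "current": current, "residual": residual,
            "reduction": reduction, "net_benefit": net_benefit,
            "worthwhile": net_benefit > 0}


# Constructed sample data for illustration only.
SAMPLE_RISKS = [
    Risk("Inventory write-off", 0.50, 800_000),
    Risk("Ransomware", 0.20, 5_000_000),
    Risk("Regulatory fine", 0.05, 10_000_000),
    Risk("Supplier outage", 0.35, 2_000_000),
]
SAMPLE_PLANS = {
    "Ransomware": GoToGreenPlan(0.08, 3_000_000, 300_000),
    "Regulatory fine": GoToGreenPlan(0.04, 10_000_000, 250_000),
}

if __name__ == "__main__":
    for r in rank_by_expected_loss(SAMPLE_RISKS):
        print(f"{r.name:20s} expected loss ${r.expected_loss():>12,.0f}")
    for name, plan in SAMPLE_PLANS.items():
        print(evaluate_plan(next(r for r in SAMPLE_RISKS if r.name == name), plan))
```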

Risk Management and Oversight

  • Assurance Across Top Risks – Reporting assurance levels using the three-lines-of-defense model across top risks can help identify where top risks may be lacking assurance.
  • Risk Leadership – Reporting on those accountable and responsible for top risks helps improve accountability and helps ensure that management of risk does not “fall through the cracks”.
  • Risk Oversight Schedule – Including timing of individual risk deep dives with the board committees and management helps ensure alignment with expectations.
  • ERM Program Developments – Hold the ERM program itself accountable by reporting on improvements and other developments during the period.
  • Plans – Discuss the next steps to continue to improve the ERM program to garner support and obtain direction as appropriate from management and the board.

Strengthen your Enterprise Risk Management Program with Opal

Opal can facilitate the most critical components of any high-performing ERM program. Contact us if you would like to learn more.
