There’s no doubt that risk reporting is key to helping risk management add value to organisations. Stuart Fagg reports on how some companies are using it to their advantage
It’s a question every amateur philosopher has pondered: “If a tree falls in the forest and no one is there to hear it, does it make a sound?” Similarly, risk professionals may well have found themselves asking: “If a risk is managed and no one is told, is it actually being managed?”
Of all the major developments in risk management in the past few years – enterprise risk management (ERM), the use of technology and the emergence of the chief risk officer to name a few – there is one element that brings it all together, and in many cases, stands between success and failure: risk reporting. Perhaps the most important application of risk reporting, for risk professionals, is demonstrating the value that risk management can bring to an organisation and ensuring that those at the top understand and value risk. And with senior executives and boards increasingly looking to realise a return on their investment in risk, risk reporting is becoming increasingly important.
“When effective risk reporting contributes to effective management of business operations, senior management and executives will see the value, rather than the burden, of risk reporting,” said Danielle Barnes, divisional risk and compliance manager at Wesfarmers Insurance Division.
It also represents a chance to harness some of the upside of risk, an issue not currently being addressed in some risk reporting frameworks, according to Paul Franks, a partner at Deloitte. “Risk reporting should demonstrate that an organisation is managing its key risks,” he said. “But more importantly, it should also show whether there are risks that can be exploited for growth. A lot of risk reporting tends to be all about downside.”
Barnes agreed, adding that risk reporting can unearth excessive controls and smarter resource allocation. “Effective risk reporting, particularly KPI [key performance indicator] reporting linked to risks, might show where controls are excessive in a part of the business and may be scaled back to enable those resources to be utilised in other parts of the business where controls may be less adequate,” she said. “Effective risk reporting may show where risks appear to be concentrated in certain parts of the business and resources can be allocated to those areas.”
However, the key, as with many activities in risk management, is to tailor risk reporting frameworks to the individual organisation. With many organisations looking to maintain a central risk executive – the chief risk officer – while empowering business units to manage their own risk, adapting risk reporting approaches can be difficult, particularly in organisations with diverse and complex operations.
“Another key challenge is the integration of risk management processes to bring conformity to our reporting regime,” said Grant Whitehorn, director, ERM at the Department of Defence. “The major challenge here is convincing and negotiating with the broad range of stakeholders that manage their own risk management processes and systems.”
Franks added that it is also critical to ensure that risk reports are compared with outcomes.
However, with many complex organisations moving toward a ‘federated’ approach to governance, risk and compliance (GRC), there are opportunities to streamline and improve risk reporting. “In a federated GRC approach, you have a centralised role responsible for communication, coordination, and measurement of GRC processes across the organisation,” said Michael Rasmussen, vice-president, risk and compliance at Forrester Research.
“This role does not hold the ultimate accountability for risk and controls as that falls back to the line of business. Success requires that various areas of the business work together on GRC. The goal is to maintain a consistent taxonomy, approach, and accurate risk as well as control information and reporting. Federated GRC allows an organisation to centrally manage and communicate policies, procedures, and controls; use common assessment processes; and monitor cross-organisation losses, incidents, and events. Information gathered throughout this process can be reused for other GRC assessments and analysis as well as to drive business strategy.”
In this environment, common language, communication and collaboration are vital. “Our risk management program is executed via a ‘federation’ model with each business unit (currently we have eight) directly responsible for their own business risk management under the guidance and oversight of a central corporate risk function, which sets risk policies for the group,” said Tony Coleman, chief risk officer and group actuary at IAG.
“All business units need to take an enterprise view of risk so that the potential impact one business unit’s actions may have on the total organisation is understood, assessed and communicated. The risk management functions within the business units work closely with the corporate risk unit using continual communication, participation in various management committees and a clearly defined matrix reporting structure.”
It’s also crucial to ensure that risk reporting is not a one-way street. While, ostensibly, risk reporting is designed to enable senior executives and the board of directors to make informed business decisions on the basis of accurate risk information, it should also be linked back to those ‘at the coalface’.
“When risk reports are linked back to the business and actually assist the business in managing its resources, reducing its expenses and enabling risk taking in a controlled environment then effective risk reporting is critical to the risk management and operational process,” said Barnes.
For Wesfarmers Insurance Division (WID), which was formed following Wesfarmers’ purchase of the Lumley group in 2003, a combination of further acquisitions, regulatory pressures and business needs is driving the ongoing evolution of its risk reporting framework. WID now consists of three general insurers (Wesfarmers Federation Insurance Ltd, Lumley General Insurance Ltd and Lumley General Insurance (New Zealand) Ltd); two premium funding businesses (Lumley Finance Ltd in both Australia and New Zealand); and an insurance software developer (Koukia Pty Ltd). The acquisition of OAMPS Ltd and its subsidiaries in 2006 provided an insurance broking business, a financial planning business, underwriting agencies and a superannuation trustee. Prior to 2003 and the formation of WID, Wesfarmers Federation Insurance was the only general insurer in the group and risk reporting was limited to monthly reports to the leadership team and bimonthly CEO reports to the board. Since the formation of WID, risk reporting has been mandated through Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) regulation.
As a result, there were different GRC processes operating in each separate business entity, creating a less than efficient risk reporting system. “While we are meeting our current operational requirements and regulatory obligations with APRA and ASIC, this is done in a manner that takes considerable effort, requires constant manual information rework and does not provide the necessary surety of process with respect to managing obligations across the business moving forward, or at least requires significant effort in order to do so,” said Barnes.
However, the firm is introducing risk management technology across WID, which will streamline the process and add value to the reports generated. “The technology is needed to provide regular assurance by control owners that risk controls are working effectively and these assurances provide an audit trail for risk owners and auditors,” said Barnes. “Technology also enables risk management to be embedded into the organisation with risk reports providing an immediate update on the current actual status of risks (as input by risk and control owners) rather than an annual or semi-annual high level executive view of risks in the organisation.”
According to Deloitte’s Franks, as with many GRC projects, it is paramount that processes and obligations around risk reporting are properly designed before technology is implemented. “If you haven’t got all your processes in order and you put a technology solution in place, you’re just making the inefficient more inefficient,” he said.
Barnes agreed, and added that technology implementation has allowed WID to bring together disparate reporting regimes and operate in a more efficient, and compliant, manner. “In most instances WID’s and its business entities’ governance processes are manually intensive and hence costly to the business in terms of the effort required, but also potentially costly in terms of any exposures with the regulator,” she said. “By automating and consolidating the current processes across a single framework, the business units will be in a position to achieve new levels of efficiency and drive a higher level of rigour in management taking ownership of their business’ obligations.”
With a continuing focus at many organisations on reducing the cost of compliance – a recent study by PricewaterhouseCoopers ranked over-regulation as the greatest threat to the Australian insurance industry – more efficient risk reporting could lower costs as well as adding value.
“Provisions within the Corporations Act, ASIC Act, Trade Practices Act and APRA Prudential Standards require verification or performance of a large number of actions related to the management of the organisation’s risks and compliance obligations,” said Barnes. “Detailed supporting evidence is often required by the regulators and the auditors in relation to each of the obligations. A technology solution will enable us to react quickly and cost effectively to any compliance requests by APRA, ASIC, ACCC, IOS, other regulators and our internal and external auditors.”
It will also empower organisational leaders to make accurate risk-based decisions. “Directors and executive management will also be in a position to receive a consolidated report on the status of current risk controls immediately as well as an outline of the BU’s [business unit’s] risk profile, identifying where the company’s strengths and weaknesses lie and giving confidence in its preparedness to take action to achieve growth,” she said.
Finally, risk culture should also get a boost. “Implementing a business solution to automate the current initiatives will provide greater transparency of information for both audit and business purposes, streamline back-end processes, remove the need for continual rework of processes and information and most importantly work towards embedding a governance, compliance and risk management culture across WID,” Barnes said.
As for the future, a move towards ‘live’ risk reporting and more multi-dimensional risk reports seems likely, as does more predictive risk reporting. However, for now it’s worth remembering when considering risk reporting that with risk management, to alter a timeworn phrase, what you don’t know will hurt you.