Effective risk reporting

An important element of risk management is related to risk reporting i.e., how do you convey the results of the risk management process to management.

Starting with the end of the sentence “to management” means the reporting must be defined in such a way and with such content that management finds this relevant and valuable. Now here is the first hurdle. Management is working with business performance rather than managing risks. As such, management does not, and should not be specially concerned about risks.

Executives know very well that there are risks and opportunities involved in whatever you do, and that every choice or decision they make becomes a choice between sets of risks and opportunities. This however does make them take their eyes off the ball – performance.

To be relevant and valuable to management, we – the risk profession, have to adjust our management reporting to be performance centric rather than risk centric.

Effective risk reporting is not reporting risks.

To the traditional risk manager, this may sound counter-intuitive and digressing from the concept of risk management altogether. However, it is not.

Imagine a traditional risk report which often includes some red/amber/green risk matrix with a number of risks placed in different coloured squares, combined with a list of risks and selected relevant data.

Something like what is shown here.

This report – irrespective of the validity if the data presented does not help management drive performance.

• There is no telling what will be the effect of more than one risk materializes within the same period/year.
• The risks listed are very different in nature, and hence management’s approach of these will differ. This means that one score of 12 is not the same as another score of 12.
• There is little guidance as to which is worst among the “red” risks. Is the risk A with the higher likelihood more important to mitigate than risk C with the higher impact?

And, to the most prevailing question/concern among managers:

• There is no telling to which extent targeted performance is in jeopardy.

There are many other issues with such reporting. It may seem alluringly simple to understand. However, the question is more “which understanding do you get from this”, and that is significantly trickier to pinpoint.

Outcome ranges, not single-point estimates

As/when management focuses on driving performance, the reporting they value is one which is focused on performance. This does not mean risks are irrelevant:

• Risks which materialize will deplete performance
• Opportunities captured will enhance performance

On top of these, most targets and plans are made using a set of assumptions on sales, cost structure, timing, etc. Assumptions are often/normally embedded as single-point estimates in some calculation. Good/prudent companies make sensitivity analyses where they look at the performance effect of changing a parameter just to know what this will be.

Just as assumed value may vary, so will the effect of risks and opportunities that materialize. These cannot validly be described as single-point estimates despite the fact, that they often are in traditional risk reporting (which is another flaw of risk matrices).

Hence, to establish good and valuable risk reporting, the risk manager needs to leverage outcome ranges in the reporting.

Any one risk, opportunity and uncertainty needs to be described by an outcome distribution.

Furthermore, risks, opportunities and assumptions must be defined in terms/ scales/data which can be embedded in the performance calculation.

This does not mean that if the target is some level of profitability, then all risks must be defined in terms of their impact on profitability. One may be defined as limiting manufacturing capacity, and hence limit revenue, which again affects profitability, others may be linked to timing of new product launches, market entries etc.

For those not mathematically trained, this may sound unnecessarily cumbersome, but in fact it is not. As a risk professional you are expected to have a reasonable understanding of mathematics and statistics. If you do not, you have a step to take.

When you have a series of data elements which are defined in terms of ranges rather than single-point figures, calculations are not single steps either. To calculate the performance, which will also be an outcome range, you will need to Monte Carlo simulate the performance calculation.

Monte Carlo simulation is a pivotal tool for risk managers and easily available as add-on tools on Excel as well as available in other types of software.

Performance, not risk reporting

Leveraging the use of ranges of assumptions, risks and opportunities in a calculation using Monte Carlo simulation will provide insights, which are significantly more valuable to management looking for what it will take to succeed, i.e., meet targets.

Beyond risks and opportunities, the revised performance calculation may include the outcome of specific strategies and action plans if deemed necessary.

Furthermore, defining the performance calculation to cover for all targets, this may provide insights to a list of parallel targets which management is expected to meet.

Hence, a reporting like this, where the likelihood of meeting targets as well as the likelihood of falling below some defined unacceptable level can be delivered.

This report shows a 40% likelihood of meeting the revenue target based on a 45% likelihood of having the targeted customer base.

Such a chart is certain to invoke a management discussion on whether or not this is satisfactory or something must be done to enhance the likelihood of meeting certain targets.

With this, risk management (reporting) affects decision making, which is paramount according to both the COSO and the ISO 31000 standards. 

The range risk-based performance calculation modelling provides further support to decision making in what is known as a Tornado diagram which shows which uncertainties, risks and opportunities have the biggest impact on performance.

The name Tornado chart naturally stems from the image which often looks like this example.

There is an underlying math behind the length and placing of each bar. This is possibly valuable to the risk specialist. For the manager it is often sufficient to know that twice the length, twice the potential impact on performance.

Here, it is shown that the biggest uncertainty is that of forecast uncertainty, i.e., whether or not actual sales will meet planned sales. The second is the outcome of strategy A which has a clear upside. The third is the consequence of a hacking attack, which is seen to have no “upside”, but a significant downside. The vertical delimiter indicates average performance.

Such a chart provides valuable information and may invoke management to discuss what can be done to ensure sales will meet or exceed the planned levels. That discussion may not be a figment of risk management as such, but it drives performance based on the insights provided by the risk and finance functions in collaboration.

How to get there

Assuming current risk management and risk reporting is resembling the traditional reporting described at the beginning of this article, there are a few steps to take for the risk manager:

1. Learn to leverage Monte Carlo simulation – this is as important a tool for you as a screwdriver is to a carpenter. You can use ModelRisk, @Risk, SIP math or like tools at your choosing. However, if others in your company already use e.g. @Risk why choose another.
2. Ensure risks and opportunities outcomes are defined as ranges – while keeping the likelihood this will/will not materialize at all.
3. Liaise with the (finance) team who does the performance calculation whether this is a project performance, a budget or a strategic plan.
4. Put in the effort of working with them redefining their calculation approach from one of single-point figures to one of ranges and ensure they fully understand the value of this.
5. Add in the effect of risks and opportunities as well as any relevant strategies and plans.
6. Do the simulation calculations (10.000 calculations in a modern tool is a matter of seconds, so do not worry) and address the results. NOTE: You will probably not find any breath-taking news as which is a result of good business insights. If you do – make certain you validate this thoroughly to ascertain this is not an error.
7. Collaborate with your peers to define which reporting will truly add value to management, and ensure this is derived from the calculation model.
8. Present, listen to feedback, adjust until you have a reporting format, which is the valuable tool management wants (now that they know it can be made).

From here on, it is a matter of continuous improvement just like any other process in your company.

With this, you and the concept of risk management has become valuable in a volatile world, and you have paved your way to become a trusted advisor to management.

All the best on your endeavour.