An Introduction To
Information, Network and Internet Security


Risk reporting and communication

There are different levels of reporting required, as well as different target audiences, and each level of report needs to be couched in language suited to its audience. The Board would not be that interested in the detailed risks and countermeasures on a firewall, but they would be interested in the financial loss that could occur if the firewall failed and the web site was unavailable for 3 days.

Just as there are different risk reports, there are also different risk registers, used for different specific purposes and at different levels in an organisation. A project risk register for a specific project would be of interest only to the project management, unless there was a direct impact on the Board. Similarly, the corporate risk register would be of little interest to a systems administrator - though he may be curious to see what is on it!

Internal reporting

Different levels within an organisation need different information from the risk management process.

The 'Board of Directors'

Should:

·         know about the most significant risks facing the organisation;

·         know the possible effects on shareholder value of deviations to expected performance ranges;

·         ensure appropriate levels of awareness throughout the organisation;

·         know how the organisation will manage a crisis;

·         know the importance of stakeholder confidence in the organisation;

·         know how to manage communications with the investment community where applicable;

·         be assured that the risk management process is working effectively;

·         publish a clear risk management policy covering risk management philosophy and responsibilities.

Business units

Should:

·         be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them;

·         have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets);

·         have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken;

·         report systematically and promptly to senior management any perceived new risks or failures of existing control measures.

Individuals

Should:

·         understand their accountability for individual risks;

·         understand how they can enable continuous improvement of risk management response;

·         understand that risk management and risk awareness are a key part of the organisation's culture;

·         report systematically and promptly to senior management any perceived new risks or failures of existing control measures.

External reporting

An organisation needs to report to its stakeholders on a regular basis, setting out its risk management policies and its effectiveness in achieving its objectives. Increasingly, stakeholders look to organisations to provide evidence of effective management of the organisation's non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment.

Good corporate governance requires that companies adopt a methodical approach to risk management which:

·         protects the interests of their stakeholders;

·         ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation;

·         ensures that management controls are in place and are performing adequately.

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:

·         the control methods - particularly management responsibilities for risk management;

·         the processes used to identify risks and how they are addressed by the risk management systems;

·         the primary control systems in place to manage significant risks;

·         the monitoring and review system in place.

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.



The Security Practitioner

An Introduction to Information Security