California Management Review
California Management Review is a premier academic management journal published at UC Berkeley
by Ruchi Agarwal
Despite risk reporting being an important component of risk governance frameworks, a recent survey finds that 41 percent of top management respondents are “not at all” or only “minimally” satisfied with the nature and extent of their companies’ risk reporting. In our field research in the financial services sector, we found several barriers that impede effective risk reporting.
First, risk management and reporting are confined mainly to the operational level in many organizations. Second, departments work in silos and do not interact with each other enough to understand the connections among their risks. Third, senior management is not informed of near misses, which are often the early warning signals. Fourth, key risk events are not reported in a timely manner, and by the time they appear in periodic reports, the information is obsolete for strategic decision-making. A few organizations have overcome these problems through better vertical and horizontal communication, near-miss reporting, and the digitization of reporting through an app.
A large American bank made a commitment to reporting ESG risks and instructed each front-line employee to report two ESG risks. However, this reporting did not work as intended: many of the reported risks were strategically insignificant (e.g., responsible sourcing was reported but was not important for banks). And significant risks, such as a lack of ESG analysis in loan appraisal, were not mentioned. The problem was eventually overcome by vertical communication, coupled with incentivization of department heads if they reported at least 75% of the risks separately identified by auditors.
A leading Asian insurance company became profitable after it identified common frauds perpetrated by outsiders using similar techniques across different business lines and geographies. Departments began to cooperate after risk was made a key metric for performance evaluation in each division.
A global leader in reinsurance lost a million dollars to fraud that occurred after several unsuccessful attempts. Knowing that it could have been prevented if the attempted frauds had been reported, the CEO directed that near misses be reported, and created software to make reporting convenient. However, these reports were taken seriously only after a monetary value was attached to each near-miss event, enabling the person reporting to showcase how much money had been saved.
A UK-based insurance company found that risk reports were actually read and acted upon only after it developed a risk reporting app, similar to a news app, which made reporting a daily activity rather than a year-end activity. The app enabled risks to be reported in time for action. Senior executives were much more likely to read and act upon information provided in short, timely snippets than in lengthy reports once a quarter. Risk management got embedded into the daily routine of executives, thereby making it part of the corporate culture.
These fixes to risk reporting involved simplification and incentivization, which improved risk management and risk culture overall. The solutions are not specific to the financial sector, and we believe the principles are generalizable to other industries. Accordingly, our forthcoming article should be of interest to anyone concerned with risk reporting and risk management in medium to large organizations across industry sectors.