Regulators have shown a growing interest in the way boards manage and report risk, and in 2011 the UK Financial Reporting Council identified three areas for improvement:

  • Responsibility for risk: Boards did not take collective responsibility for risk, with a tendency to treat risk as a specialist topic for experts like the chief risk officer.
  • Appetite for risk: Boards needed a better way to express risk appetite and tolerance and show they understood the link between risk exposure and external factors.
  • Information about risk: Boards were not clear why certain risks were more significant than others, or what made risk exposure rise and fall.

So what has changed in the last four years? Despite encouraging progress in some areas such as risk appetite or risk culture, the underlying problem still seems to exist, arising from differences in perception around the board table about the nature of risk. This in turn affects the way risk is discussed and used by the board — or not. Four areas need attention:

1. Perception

International standards and leading practitioners agree that risk is future uncertainty, which includes both favorable and unfavorable outcomes. Yet many boardrooms limit their view of risk to unfavorable events that threaten business continuity. As a result, risk management focuses on control systems to avoid business interruption.

The risk register aims to provide reassurance that unfavorable outcomes can be avoided, managed or mitigated. The root problem is a fixation on trying to control risk, but future uncertainty cannot be controlled. Boards need to broaden their perception of risk and develop better corporate responses to risk.

2. Presentation

Risk is usually presented at the board level using a two-dimensional matrix or "heat map" based on probability and severity, or urgency and importance. This neatly places each risk into a box and gives the false impression it will stay there for at least another year.

But risk is not static, and it is dangerous to present risk in this simplistic way. Risks increase and decrease depending on a number of contingent factors, often with connectivity between them, and some risks are consequential upon others.

Risk is a complex dynamic. The way risk is presented to boards needs to reflect this, without overcomplicating the message.

3. Promotion

Risk and strategy are closely linked, and they need to be discussed and reported together by boards. Strategy is "future direction," risk is "future uncertainty," and the two are inseparable.

Corporate reporting often focuses on shareholder confidence, and it has traditionally presented strategy as an engine of growth and shareholder return, while risk management provides controls to reassure investors that contingencies exist. A better way would be for strategy and risk to be reported together within the context of the broader business model.

4. Paradox

Boards are often confused about why they need to report on risk at all. Who benefits from talking about uncertainty?

The regulator demands good governance, while shareholders seek certainty. It is inevitable that these different audiences will want to hear different messages about risk, because what is material or proportionate for one group does not matter to another.

This confusion about the purpose of risk reporting can lead boards to give mixed messages or vague generalities that fail to satisfy regulators, investors, shareholders or market analysts. We need to resolve the paradox.

So where are we on risk management and reporting in the boardroom? Since the global financial crisis, many boards have recruited compliance directors who wish to avoid risk, which prevents the board from taking appropriate risk.

Risk is seen in mostly negative ways, and governance and control drive the default response to risk. It seems the journey for improved risk awareness at the board level has just started, and there is still a long way to go.