Sometimes it’s hard to know when to report risks to your board. Major corporations will typically include within their proxy statements promises that senior management will frequently update the board about risks. Some companies — including Staples, American Express, Alliance Data Systems and SLM (the former Sallie Mae) — even touch on those policies in their filings.
Yet many companies don’t have formal protocols, or predetermined triggers for reporting — or “escalating” — risks to the board.
Leaving it up to managers to escalate risks to the board isn’t necessarily a bad thing, say directors and risk management professionals. It does, however, require board directors to instruct executives clearly about the kind of risks about which they expect to be notified.
As boards of directors become increasingly interested and involved in enterprise risk management, it’s important you have the tools necessary to present risks in a concise and effective manner. This will enable better decision making at the top, as well as solidify your seat at the table among leadership — ensuring success for your organization and your career.
How to Present Risks to Your Board:
Here are three tips for presenting risk to your board of directors and how the right risk management technology can help:
Highlight how risks are interrelated
Risks don’t stand alone, and neither should risk data. You need to make clear to the board how one risk affects the next so all parties can adequately problem solve — rather than create even bigger risks that might result from operating in silos. However, this is tough to do if all your critical risk information is locked away in disparate spreadsheets or different departments.
Risk management technology exists so organizations can consolidate risk and insurance data from across the enterprise; surface relevant information from wherever it’s hiding; connect it with other internal and external data; and then normalize the data so it’s all relatable. With the right functionality, integrated risk management technology can exploit its deep connection to expansive risk and insurance data and automatically create real-time visuals that take into account the full spectrum of risk.
Show what’s working…and what’s not
Equally important to showing how risks are interrelated is the ability to show how risk mitigation programs are performing. This can help the board to prioritize spending on mitigation efforts; understand the actual return on such investments; and even realize the value you bring to the organization by creating programs and offering tangible insight into what is working and what is not.
Not only does risk management technology provide eye-catching data visualizations — in the form of dashboards, charts and graphs — to help illustrate program effectiveness, but it allows for the automatic benchmarking of both internal and external claims in real time. This allows you and the board members to determine which programs are making an impact and deserve further attention, as well as how your organization’s claims (i.e. workers’ compensation claims) stack up against others. Learn more about how to manage the right risks at the right time in our white paper.
Talk with the board, not at the board
The best presentations are conversations. If you want to make an impact in the boardroom, you need to engage board members in conversation — not just spout off facts about key risks or your overall risk program. That means if board members have questions, you should have answers…and on the spot.
Risk management technology can make visualizing data dynamic — allowing users to instantly (and easily) manipulate images and drill deeper with more specific queries for any type of information. The data visualizations are comprehensive and up-to-date; have many layers; and are easy to produce on the fly and in the moment. These capabilities are vital when presenting risk to board level stakeholders. Risk management technology takes the myriad data and turns it into actionable priorities. This is extremely helpful when trying to convey a meaningful story to the board.
Out-of-date tools equal inadequate analysis
If you don’t have the right tools, presenting to the board can be a real challenge. Frankly, the spreadsheets and presentation software that many organizations continue to use cannot meet today’s demands. Rudimentary exhibits for boards and executive management do not enable effective discussion or understanding of risks and risk relationships.
These non-technical tools do not aggregate the cumulative cost of risks and interdependencies of risks, nor do they have the ability to drill-down on objects and show additional, related information as needed.
When presenting to your board of directors, expectations are high and effective communication is critical. With typically a very short presentation time available, you need to be able to provide a convincing and clear picture of the significant risks to your company’s objectives. Risk management technology can clearly highlight the interrelationships of the risks that are impacting your organization, show mitigation activities for key risks and facilitate meaningful conversation between you and the board.
“The reason there isn’t any standard is because it doesn’t make sense to have a pick list. The organization has to decide which drivers are relevant to them,” says Russell McGuire, director of enterprise risk services at risk consulting and software firm Riskonnect
Why Legacy Technology Should Frighten the C-Suite
Besides being kept up to date with risk information, the C-suite also needs be well aware of how legacy technology is holding its business back, and understand that the potential damages of archaic technology far exceed “mere inconveniences” for employees faced with resulting cumbersome and inefficient processes.
Now that you know the best ways to present information to your board, here are the top three frightening realities that stem from using legacy risk management technology to keep board members informed:
Legacy System Fright #1: Heightened Security Risks
Data breaches are becoming the way of the world. Cybersecurity is consistently named a top risk for businesses, with cybercrime costing the global economy an estimated $445 billion annually, according to a report from the Center for Strategic and International Studies called, “Net Losses: Estimating the Global Cost of Cyber-Crime.”
Organizations that fall prey to data breaches can face huge losses in the form of compromised reputation, legal damages and declines in revenue and shareholder value. As such, organizations must look for ways to minimize the impact of a cybersecurity breach on their businesses—and deploying secure technology is one obvious solution.
But legacy systems of any kind—including those used for risk, insurance and claims—are often a deterrent to security, rather than a solution. First, they lack the additional security controls offered by more modern technology, including those that are cloud-based. Second, they often distract IT departments away from cybersecurity efforts because they must devote so much time to updating or patching countless applications in order for them to work on an internal server.
The right advanced risk management technology, however, will offer end-to-end security, including controls like:
- Password policies that can be defined to fit client standards including timeouts, length, and password strength
- Client defined/assigned security roles for users–down to the field level–to prevent unauthorized access to any part of your system including objects, reports, page layouts and views, and specific fields
- Server protection at top tier data center facilities with adequate physical access controls
- Firewalls with tightly controlled perimeters, intrusion detection systems and proactive log monitoring
- Third party validation services that attest to the secure nature of the software
Further, truly Integrated Risk Management Technology can actually consolidate or reduce the amount of applications being used (from enterprise risk management and Sarbanes-Oxley solutions, to claims management and compliance and regulatory management solutions, to health and safety management solutions)—creating tremendous efficiencies for the IT department.
Less time spent managing multiple applications might mean more time devoted to broader and more meaningful cybersecurity efforts. Plus, fewer applications likely means less risk of one or a multitude of those applications causing a breach or falling out of compliance.
Legacy System Fright #2: Low Quality Data
Data quality is top of mind for most executives as they want to avoid making and being held accountable for poor decisions based on erroneous or incomplete data. Still, in a recent KPMG study, 84% of CEOs indicated they’re concerned about the quality of the data on which they base their decisions.
Legacy risk management systems can contribute to this data distrust. Often, such systems are unable to seamlessly import or export real-time data, particularly in standardized formats that would make sense to any stakeholder across the enterprise.
In addition, data can rarely be integrated. This means different data sets don’t “talk to each other,” and changes to one set of data won’t be reflected in another set of data—even if the data is ultimately related and does in fact affect each other. It also means data typically must be updated manually or “re-keyed” multiple times.
These limitations translate into “rear-view mirror data” at best, and entirely inaccurate data at worst. Either way, trends are difficult to identify, and confident decision-making is a struggle—whether that decision making is on behalf of risk, safety or claims managers, or the leadership overseeing their programs and initiatives.
Inaccurate and untimely data aside, legacy system data is also difficult to report—almost always necessitating the manual creation of graphs and charts from static data representing a fleeting snapshot in time. As such, creating reports is time consuming, and the data within those reports is further out of date by the time it reaches decision makers’ hands—also hindering confident decision making.
Conversely, Integrated Risk Management Technology can surface relevant risk information from wherever it’s hiding in an organization and analyze it, connect it with other internal and external data, and normalize it securely in the cloud. It also makes risk data dynamic—updated and visualized in real time. Questions can be asked and answered on the spot, in the same meeting, rather than weeks at a time elapsing while a new report is crafted. With such advanced technology, actionable intelligence is as easy to create as it is to consume.
Legacy System Fright #3: Unproductive Workforce
All too often, the benefits of employee engagement and productivity are considered “soft” or “intangible,” when really, hard costs and definite ROI can in fact be attributed to unproductive and productive workforces respectively.
For instance, investment in technology beyond a legacy system might seem like a “nice to have” from leadership, because of course, they want the best for their people. But when leadership only views such an upgrade as means to save employees from inconveniences—instead of as solution that will lead to cost cutting and revenue generation across the business—making the case for investment can be difficult.
A productive workforce is not employees just “whistling while they work” and pleasantly checking the boxes on their to-do lists each day. A productive workforce is innovative—in ways that technology cannot and never will be. Yet, to be productive, employees need the resources and tools to do the parts of their job that make them unproductive.
Look at it this way, the inefficiencies spurred by legacy systems can hinder IT from working on preventing security breaches, even though the hefty costs associated with a breach and its potential negative impact on any organization have already been discussed above.
Similar inefficiencies can also mean claims managers are spending more time processing claims than actually investigating them, hindering them from detecting expensive fraudulent claims or uncovering claims trends that could lead to a reduction in the frequency or severity of claims and associated costs.
The same could be said for risk and safety managers: Legacy systems might be forcing them to be reactive rather than proactive–resulting in heightened incident, insurance and legal costs to name a few. No…employee productivity is not just a feel good initiative. The costs of unproductivity are very real.
Integrated Risk Management Technology enables productivity, however–driving innovation by automating and streamlining administrative tasks so employees have more time to do higher-value work; as well as by supplying them with higher quality data and visibility into that data to improve decision making at all levels across the organization.
In conclusion, while the realities posed by legacy systems can in fact be frightening, advanced risk management technology now exists that can turn an organizational nightmare into a dream come true.
Parts of this article were originally published on Agendaweek.com.