Four Proven Ways to Make Risk Reporting More Effective

Although risk reporting has been promoted as a key pillar of enterprise risk management since the early 2000s, many companies continue to treat it as a compliance exercise. Consequently, the gap between risk reporting and strategic decision-making remains wide. A recent survey by the Enterprise Risk Management (ERM) Initiative at North Carolina State University reveals that 41% of top management respondents were either “not at all” or only “minimally” satisfied with their companies’ risk reporting.
What is the source of this perennial problem, and what are the possible corrective measures?
In a field study conducted in more than 20 large financial institutions, ISB Professor Sanjay Kallapur and Ruchi Agarwal sought to understand what works in practice.
Drawing on hundreds of interviews, they identified four effective ways to improve risk reporting: strengthening vertical communication, strengthening horizontal communication, reporting near misses, and digitising communication through apps.
We take a deep dive into the findings with Professor Sanjay Kallapur.
What problem were you trying to address in this study?
We wanted to understand why risk reporting often fails to support effective risk management. Frameworks such as the Committee of Sponsoring Organizations of the Treadway Committee (COSO) and ISO 31000 emphasise linking risk reporting with strategic decision-making, yet in many organisations, it is limited to operational levels. Our aim was to identify practices that made risk reporting more effective.
So, we conducted a field study in over 20 large financial institutions between 2013 and 2019. These institutions had paid over $372 billion in penalties since 2009 and therefore had a strong incentive to improve risk management. We interviewed executives, including Chief Risk Officers, and triangulated their inputs with their public disclosures and academic literature.
What were the most common weaknesses in how organisations approached risk reporting?
There were four primary issues:
- First, reporting was confined to the operational level and not integrated with strategic decision-making.
- Second, departments operated in silos and did not consider interrelated risks.
- Third, near misses were not reported, often due to a fear of blame.
- Fourth, key risk events were communicated too late—by the time they were included in periodic reports, the information was often obsolete for strategic use.