Communicating business risks to inform decision making
By Louise Fleming, Partner, Aretai Consulting
Dig out your firm's latest management information report. You may receive a hard-copy file or a PDF to read on your tablet. Or, you may have access to an interactive online report that enables you to drill down to practice group, sector and geographic levels. Can you find it? Try your inbox or, if not, perhaps the 'deleted items' folder.
Whatever format you receive this information in, consider how many people it is distributed to and how long you would expect each of them to spend reviewing it. Multiply the client charge-out rate of these individuals by the number of hours it takes to read and understand the report and you have the approximate cost of distributing it.
Now, I am not for a minute saying that you shouldn't send out this information - quite the contrary; comprehensive management information forms a key part of firm governance. What I am saying is that the business services team should invest time in ensuring each report is focused on business objectives, adding value and enabling decision making. You need to ensure they are worth the investment of fee earners' time.
Delivering 'comprehensive management information' means ensuring the pack does not simply collate a series of bottom-up reports prepared in silos by business services teams. Management information should report a joined-up view against the firm's objectives across all areas of a balanced scorecard, from financial performance to client satisfaction.
Good practice
In this context, what risk information do you report? In some firms, the simple answer to this question is 'none'. Slightly better practice is to attach a copy of the detailed risk log to the back of the reporting pack.
So, what does good practice look like? The following five tests will help you to determine whether the risk information you deliver is fit for purpose as part of your governance and risk management framework.
1. Risk appetite
Does the report tell you whether the business is operating within the firm's risk appetite? Your risk appetite might be considered in terms of earnings volatility, financial capital, reputation impact, regulatory standing and human capital [1].
It is likely that profits and capital will form part of your existing financial reporting; most firms also report on regulatory compliance. Less common is proactive and regular reporting on reputational risk. While human capital is the core of a professional services firm's assets, it is at best reported on in an apologetic rather than strategic manner.
2. Top 10 risks
Does the report include a summary of the top ten risks faced by the business and an assessment of how well controlled they are? Clearly, an endless detailed list of risks in font size 8 adds no value and will not be read. The way to overcome this is to: engage management in the process to determine the key risks to monitor; and present the information in a user-friendly format, providing a snapshot that is quick and easy to review.
3. Key controls
Does the report identify whether key controls are operating effectively, for example by reporting internal audit findings? Again, management information does not need to include detailed information about all internal audit findings, but it is important to identify control issues as well as progress in remediation. Information should be tracked until issues are satisfactorily resolved.
4. Risk events
Does the report include a summary of risk events? This is where risks have actually crystallised; it should also include identified near misses. The purpose of this is to ensure that the business learns from this information and uses it to support continuous improvement.
This must be about improving business resilience and not about assigning blame. As well as identifying material risks, risk event information should also be used to identify themes where lower-impact risks have occurred with higher frequency.
Both of these should be subject to regulatory reporting.
5. Decision making
Does the report enable better business decision making? This is by far the most important test.
Informed decisions
We make business decisions based on data and information which we process using skills acquired through experience and education. The distinction between data and information is that information is data that has been analysed, organised, structured or presented in a given context to make it useful. Examples of this include the use of comparatives and RAG (red, amber, green) ratings or the inclusion of a short narrative to interpret the results.
Ideally we want to ensure information is read before and discussed at management meetings. That way, valuable time at the meeting can be used to answer the most important question: 'so what?' Put simply, people at every level in the firm should have the information needed to make decisions in their role to manage risk and improve business performance. In light of that, how valuable is the report in your hand?
Reference
1. See 'Articulate your risk appetite to drive business growth', Louise Fleming, Managing Partner, Dec 2014/Jan 2015
Louise Fleming has 20 years' experience working with professional and financial services firms in business and risk management (www.aretai.net)