Enhancing board reporting and defining information required to communicate risk

Karina Volvovsky, Senior Vice President, Business Control Officer for Entertainment, City National Bank

Below is an insight into what can be expected from Karina’s session at Vendor & Third Party Risk USA.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What are the key components of effective board reporting for communicating risk?

The key component of effective board reporting is just that – communicating risk. One of the major requirements of a successful supervisory board is leaning in and working with management to establish a routine, systematic and sustainable process for reporting and analyzing defined key risk indicators, emerging risks, and creating a platform where these escalations are welcome. The regulatory requirements from the boards constantly change, and keeping a finger on the pulse of these requirements is crucial – especially for complex and global organizations. Having structures in place to support the ever-changing expectations and evolving nature of non-financial risk is imperative for effective supervision.

How do regulatory requirements shape the way firms report risk to the board?

Regulatory requirements around board reporting are essential for ensuring transparency, accountability, and compliance within organizations. Regulatory frameworks often mandate standardized reporting to ensure consistency across firms – that includes the types of risks the boards are expected to oversee, frequency of reporting required, and escalation paths from the internal governance committees. It does become quite challenging when a company travels across jurisdictions, products, and regulators. Imagine a financial services company that operates in the US and Luxembourg. The Dodd-Frank Act and Sarbanes-Oxley Act (SOX), enforced by the Federal Reserve and SEC, require detailed financial and risk disclosures through quarterly (10-Q) and annual (10-K) reports. LFIs (large financial institutions) must establish effective risk committees and report on the annual stress test exercises. In Luxembourg, on the other hand, the company must adhere to EU regulations like MiFID II, enforced by the CSSF (Commission de Surveillance du Secteur Financier). CSSF issues detailed guidelines on governance and risk management, applying a proportionality principle based on the institution’s size and complexity.

What criteria should be used to determine if a risk is a board-level concern?

There is no “one size fits all” answer to this question. Determining whether something is a “board-level concern” involves evaluating issues based on their potential impact on the organization, their strategic significance, and the necessity for high-level oversight. There is a myriad of criteria that an organization may decide to adopt – which, as we discussed before, would need to be determined for the framework to be effective. There are some commonly used considerations – financial significance (does this concern have a potential for bringing the house down), strategic impact, regulatory or compliance risk – which, by the way, often feeds into the financial significance, ethical and reputational concerns, etc. I like to think of the board as the ‘lighthouse keeper’. Imagine a company as a large ship navigating through potentially treacherous waters. The management team is the crew, responsible for handling the day-to-day operations of the ship, ensuring it runs smoothly, and making real-time adjustments to keep it on course. The board of directors, on the other hand, serves as the lighthouse keepers. Their role is not to steer the ship but to guide it safely through dangerous waters, providing high-level oversight and ensuring the ship avoids major hazards.

What challenges do firms face in creating the process for board approvals?

Thank you for asking this question – it is an important acknowledgement. Organizations do, indeed, face significant challenges in creating the board approval process. The collapse of Silicon Valley Bank (SVB) in 2023 serves as a stark example of the challenges firms face in creating an effective board approval process. The collapse of that organization, of course, cannot be distilled to just the role of the board – there were many causes that likely will be studied for years to come. It did, however, highlight the challenges firms face in creating an effective board approval process.

The first and likely one of the most difficult challenges to overcome is ensuring comprehensive and proactive risk management. It requires significant investment – in capital and human resources, rigor, and discipline. The importance of it isn’t always apparent – not until there is an evident problem, or – commonly – a regulatory observation. Aligning strategic decisions with the firm’s risk appetite and long-term objectives might also present difficulties – when there is something that an organization truly believes is great for its growth, it might underestimate the inherent or residual risks that accompany that strategy. Another challenge is the one we talked about earlier in this session – staying abreast of and ensuring compliance with evolving regulatory requirements. These are evolving as regulators are becoming more complex, and frankly, the risks are constantly changing as well.

I do believe that in the last decades, organizations have truly upgraded their board reporting and oversight breadth and depth. We see much more sophisticated reporting; we see growth of professionals in the governance area – all that is indicative of the attention that financial firms are paying to risk management. As a risk professional, I am very excited to see this trajectory of board reporting enhancements.