Reporting to the board
In most organisations it is the Board of Directors who are ultimately responsible for the management of risks and they will commonly look to:
- ensure there is an effective system of risk management in place
- ensure that treatment activities are appropriate and effective
- ensure that the right risks are being taken and that the organisation is operating within its risk appetite.
Reporting can be done to the board as a whole but certain activities are often delegated to specific committees of the board. In general there are two approaches:
- An audit committee looks at the effectiveness of risk systems while a separate risk committee focuses on the content of the risks and the effectiveness of the treatment activities.
- An audit committee looks at both the effectiveness of risk systems and the content of the risks and the effectiveness of the treatment activities.