ERM Recording and Reporting – Getting It Right

This article is the final of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.

In previous articles we’ve looked at the core elements of the risk management framework and the role of leadership and commitment, integration, design, implementation, evaluation and improvement more specifically. We’ve also briefly looked at the risk management process in a general sense, the importance of communication and consultation, how to set your scope, context and criteria, identifying, analysing and evaluating risks, and monitoring and reviewing risks. In this article, we’ll be looking at recording and reporting risks.


Recording and reporting your risk management activities is one of the most effective ways to recognise and address whether or not they’re actually working. This is a critical aspect to the governance of your risk management process, and it requires you to document and report those risks. Your organisation may already have a set way of recording and reporting tools, such as forms or registers. The requirement to record and report in this aspect of the risk management process is not one which is there for the sake of it; it is informed by a number of objectives which aim to help ease your decision making and risk governance. We’ll delve into these aspects in further detail below.

Objectives of recording and reporting 

As part of revealing the effectiveness of your risk management activities, there are a number of objectives which help orient you to do so. These are listed below.

  • Communicate risk management activities and outcomes across the organisation: without effective communication, your risk management activities and processes are unable to be properly understood, implemented and validated. While this objective works primarily as a communication tool, it also works to enforce a positive risk management culture while reinforcing some of the other objectives to recording and reporting.
  • Provide information for decision making: Through recorded and reported data, you’re able to track trends over time. This will allow you to determine whether or not you need to make a decision to action change to address a risk that may be exhibiting negative changes over time. It is also a useful source of information to determine whether or not the changes you have made are effective at controlling the risk you’re seeking to address.
  • Improve risk management activities: If we follow on from the immediate point above, using recorded and reported data allows you to ensure that your risk management activities are being continually improved over time and in light of your data and the trends it reveals.
  • Assist interaction with stakeholders, including those with responsibility and accountability for risk management activities: Recorded and reported data is a particularly important support tool for those people who are assigned responsibility and accountability for your organisation’s risk management activities. This is as it helps them to store the information for which they are accountable, and it also eases their ability to interpret and then report on that data, for example back to your risk management committee or external stakeholders.

Decisions about recording and reporting

Bearing the objectives of recording and reporting in mind, it’s critical that you are intentional and conscious of the type of information that you’re recording and reporting. Your intention concerning the information that you’re recording needs to be reflected equally in the stages of creating, retaining and handling documented information. This will require you to consider the form of how you record your information, who will be responsible for managing that information, and where that information will be stored. One of the easiest ways to determine what considerations like this would look like for your organisation is by being conscious of how practical your desired option is, and whether or not it aligns with your organisation’s operational reality.

Now, while the stages of creating, retaining and handling documented information are critical, you’ll also need to think about these stages in light of issues such as the sensitivity of the information which is being recorded and reported. On top of this, you will also need to think about what form your risk reporting will take on both internally and externally. Internally, you may choose to communicate risk reports via a staff newsletter, and externally, you may choose to communicate risk reports in other formal documents, such as your annual report. Whatever option you choose, it should be relevant and practical to the needs of your organisation.

Supporting good governance through recording and reporting

Recording and reporting plays a cornerstone role in risk governance. To help enhance the capability of your risk governance activities, your recording and reporting should be done in a manner which enhances the quality of dialogue that you have with both internal and external stakeholders.

As part of quality dialogue and as we’ve mentioned above, this relates to effective communication with stakeholders about your risk management activities. Ideally, quality dialogue will help to inform and support your organisation’s top management and any relevant oversight bodies to help deliver their risk responsibilities. To best support these governance aspects through recording and reporting, there are a number of considerations which should be brought to mind, some of which are listed below.

  • Differing stakeholders and their specific information needs and requirements: especially when you’re reporting, you need to consider the wants and needs of the different stakeholders you’re reporting to and tailor the report to meet those wants and needs. Without thoughtful consideration of this, you may find your communication efforts redundant.
  • Cost, frequency and timeliness of reporting: It’s reasonable to expect that the costs to record and report will exist, and it’s up to you and your organisation to determine just how much you want to budget in terms of time and money towards your recording and reporting activities. You should also consider how often you’ll be committing these resources to recording and reporting to satisfy the ‘frequency’ aspect of the Standard. You will also need to set some criteria to determine what equates to ‘timeliness’ in recording and reporting, which may be immediately after the risk occurs, or even up to 24 hours after the event. While the sooner the better, this decision will need to be made in accordance with the operational reality, goals and objectives of your organisation.
  • Method of reporting: Your choice of method for reporting needs to be practical and efficient. Forms and registers that your team can easily input are typically in alignment with this, however your method will depend on the type of reporting that you’re achieving. For example, a manager delivering a report based on form and register data may take a different approach rather than just providing the form or register itself.
  • Relevance of information to organisational objectives and decision making: the information that you’re recording and reporting needs to be reflective of the goals and objectives that your organisation is seeking to achieve. Without recording and reporting data that is actually relevant, the need to do any type of recording or reporting becomes a time wasting exercise at the very best.


Recording and reporting is an essential part of reviewing and addressing your risk management process and practice. It is through the objectives, decision-making direction and good governance supports that recording and reporting offers that it is able to help your organisation complete its risk management activities to the best of its ability.

If you have any stories – good or bad – about how you’ve approached recording and reporting risks in your organisation, I would love to hear them.

If you’re looking to improve your risk management process and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.

About the author

Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.

If you are interested in working with Peter, please reach out to