Over half of cybersecurity professionals are experiencing more cyber attacks compared with a year ago, according to new research from global professional association ISACA.

Contents
– First: don’t think like a specialist
– How to tell the story of risk
– Tell the story in miniature
– Make the most of visuals
– What can go wrong with graphics
– A final thought: lessons learned

And it’s not only cyber attacks that business leaders have to worry about. A whole range of risks are on the rise: geopolitical, environmental, regulatory, reputational and financial, to name a few.

This means that effective risk reporting is increasingly important – and, if you write risk reports, that makes your job more critical than ever.

But there are risks associated with writing these reports too. As with many other business reports, the biggest danger is that the key message that you need the reader to grasp can be lost on the way. And in this case, the fallout if that happens could potentially be catastrophic.

I’ve worked with many teams of risk professionals over the years. So I’m drawing from that experience now to outline best practice for writing risk reports – and the major pitfalls to avoid.

First: don’t think like a specialist (for a moment)

As a risk professional, you’re a specialist. Maybe you’re an expert in credit risk or climate risk or in preventing cyber attacks. Whatever the case, it’s easy to forget that your readers may not have your level of knowledge.

‘The implications of this risk are obvious,’ you may think. But, often, they’re not. In fact, one of the biggest grumbles we hear from our clients is that the documents their teams write don’t draw out the implications in terms of impact on key areas of the business. And that’s coming largely from the senior leaders who read these risk reports in order to make important business decisions.
So when I work with risk teams, a core part of the training is helping them identify the story or ‘So what?’ of the particular risk area they’re reporting on. And, of course, how they then communicate the ‘So what?’ is also pivotal – especially for non-specialist stakeholders.

I spoke with Richard Elias, Capability Lead, Risk at NatWest. As he put it: ‘One of the key skills in risk reporting is being able to tell the story to someone who isn’t a risk professional.’

How to tell the story of risk

Each risk has its own story, and you should be able to capture it using the questions below:
– What’s the risk?
– How likely is it to happen?
– What would the impact be?
– What can we do to minimise it?
– How big is the effort needed to address the risk, including the opportunity cost?
– How much will it cost financially to address it?
– How urgent is it?

Tell the story in miniature

Summarising well at the start is vital in these kinds of reports. Otherwise it’s hard for the reader’s brain to absorb the key information, especially if they’re not a risk specialist.

So you can answer the above questions briefly to create a summary. Then you can give more detail about each one to form the main body of your report, if necessary.

Make the most of visuals

You can summarise using words or graphics or both, but the crucial thing is to focus on possible outcomes, implications and impact to the business overall – and not just in your specialist area.

Measuring risk

Two of the key questions for readers are: ‘How big a risk is this?’ and ‘How likely is it to happen?’ So naturally, as a writer, you’ll want to have some way of quantifying and measuring the risks in question. Narrative can work well, but often some sort of visual representation works best – so long as it’s done well.

In working with risk teams and their documents, I’ve seen all the following used to assess risk:
– Percentages within a table or chart – to show whether a risk falls within an acceptable level of tolerance. This can be good to quantify financial risk, eg if spending is more than 5% above the budget or sales more than 10% lower than forecast.
– Risk registers – often in a spreadsheet to list and categorise all the risks a business faces.
– Risk models – visual representations of data to quantify the likely risk of a certain event occurring and/or its impact. You often see these used in government to assess spending priorities and courses of action. (We saw this a lot during Covid, when health experts were using epidemiological and statistical data to assess risks.)
– Red, Amber, Green (RAG) reports – a simple way of colour-coding to indicate level of risk and/or priority for action. Red is serious (or urgent), amber is neutral (or medium) and green is for low-level risks or low priority for action. These are usually presented in dashboards and tables, pie charts or bar charts.

The image below is an example of the RAG concept, taken from an HM Treasury report.

[Transcript:]

Recommendation 2

2.8 All business critical models in government should be managed within a framework that ensures appropriately specialist staff are responsible for developing and using the models as well as for quality assurance.

Chart 2.B: RAG rating of organisations for recommendation 2

[Image description:] Horizontal rectangular band divided into different sized and different coloured sections, labelled with percentages, as follows from left to right:
– Red-and-amber striped, 11%
– Amber, 16%
– Amber-and-green striped, 32%
– Green, 42%
[End of image description]

2.9 The responses revealed 76% of organisations at green or amber-green. Some responses showed that progress in this area was restricted by staffing, both in terms of identifying the roles needed and recruiting people into them, which can be lengthy processes. Some organisations recognised that their frameworks may need further adjustment.
It may be appropriate that plans be considered as ‘organic’ documents as models may change over their life cycle. They may also need to reflect that an organisation’s responsibilities and priorities change. Flexible plans that are regularly assessed are crucial to achieving appropriate QA.

[End of transcript]

In this case, the author is using the RAG to try to quantify the risk of the recommendation becoming a reality. You can also see they’ve added some hybrid categories: red/amber and amber/green. Nothing like sitting on the fence!

RAG reports can work well, but bear in mind the following:
– A small percentage of your readers are colour-blind. So red and green are not great in that sense. And for accessibility, you shouldn’t use only colour to convey meaning.
– You have to print the document in colour if you need a hard copy, which is more expensive.

Monitoring risk

Some risks are one-off events. But most are ongoing items you need to monitor. So bosses also want to know from one period to another whether the risk is increasing, decreasing or staying the same. In other words: what’s the trend?

Let’s look at an example below, taken from the Harvard Business Review, of a simple table that also tries to show the trends of ongoing risks.

[Transcript:]

The Risk Report Card

VW do Brasil summarizes its strategy risks on a Report Card organized by strategic objectives (excerpt below). Managers can see at a glance how many of the identified risks for each objective are critical and require attention or mitigation. For instance, VW identified 11 risks associated with achieving the goal “Satisfy the customer’s expectations.” Four of the risks were critical, but that was an improvement over the previous quarter’s assessment. Managers can also monitor progress on risk management across the company.
Strategic objective | ASSESSED RISKS | CRITICAL RISKS | TREND
Achieve market share growth | 4 | 1 | ↔
Satisfy the customer’s expectations | 11 | 4 | ↑
Improve company image | 13 | 1 | ↔
Develop dealer organization | 4 | 2 | ↔
Guarantee customer-oriented innovations management | 5 | 2 | ↓
Achieve launch management efficiency | 1 | 0 | ↔
Increase direct processes efficiency | 4 | 1 | ↔
Create and manage a robust production volume strategy | 2 | 1 | ↓
Guarantee reliable and competitive supplier-to-manufacturer processes | 9 | 3 | ↔
Develop an attractive and innovative product portfolio | 4 | 2 | ↓

[End of transcript]

What’s interesting about this one is that it’s assessing risks against an organisation’s strategic objectives – quite a useful thing to do. It also uses a simple arrow to show the trend’s direction of travel.

But readers of these reports want to know at a glance what’s improving, what’s worsening and what’s the same. So we could improve the table by grouping the items of like kind together.

Also, from the reader’s point of view, probably the most important of the three right-hand columns is the one called ‘Trend’. Meanwhile, the column ‘Critical risks’ is more important than ‘Assessed risks’. So a much more reader-friendly way to arrange the table is as below:

Strategic objective | TREND | CRITICAL RISKS | ASSESSED RISKS
Satisfy the customer’s expectations | ↑ | 4 | 11
Guarantee customer-oriented innovations management | ↓ | 2 | 5
Develop an attractive and innovative product portfolio | ↓ | 2 | 4
Create and manage a robust production volume strategy | ↓ | 1 | 2
Guarantee reliable and competitive supplier-to-manufacturer processes | ↔ | 3 | 9
Develop dealer organization | ↔ | 2 | 4
Achieve market share growth | ↔ | 1 | 4
Improve company image | ↔ | 1 | 13
Increase direct processes efficiency | ↔ | 1 | 4
Achieve launch management efficiency | ↔ | 0 | 1

Within each trend group, I’ve also ordered the rows so that those with the most critical risks come higher up.
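The regrouping described above is mechanical enough to automate, which matters once a risk register is produced every quarter from a spreadsheet rather than by hand. The script below is an added example and is not code from the article, from VW do Brasil or from the Harvard Business Review; it takes the ten rows of the original report card, applies the article’s ordering policy (group by trend, with worsening risks first, then improving, then unchanged; within each group, most critical risks at the top; otherwise keep the source order) and renders the table with the reader-first column order. The function names and the plain-text layout are this example’s own choices.

```python
# Added example (not from the original article): reorder a risk report card the way
# the article recommends, so the reader sees the trend first and the most critical
# rows first. The rows are the VW do Brasil excerpt quoted above. The sort policy is
# the article's: group by trend (worsening, improving, unchanged), then most critical
# risks at the top, otherwise preserving the original order (a stable sort).

# Each row: (strategic objective, assessed risks, critical risks, trend)
ORIGINAL_ROWS = [
    ("Achieve market share growth", 4, 1, "↔"),
    ("Satisfy the customer's expectations", 11, 4, "↑"),
    ("Improve company image", 13, 1, "↔"),
    ("Develop dealer organization", 4, 2, "↔"),
    ("Guarantee customer-oriented innovations management", 5, 2, "↓"),
    ("Achieve launch management efficiency", 1, 0, "↔"),
    ("Increase direct processes efficiency", 4, 1, "↔"),
    ("Create and manage a robust production volume strategy", 2, 1, "↓"),
    ("Guarantee reliable and competitive supplier-to-manufacturer processes", 9, 3, "↔"),
    ("Develop an attractive and innovative product portfolio", 4, 2, "↓"),
]

# Group order used in the article's reordered table: worsening, improving, unchanged.
TREND_ORDER = {"↑": 0, "↓": 1, "↔": 2}


def reorder_report_card(rows):
    """Return rows grouped by trend, then by critical risks (descending).

    Python's sort is stable, so rows that tie on both keys keep their original
    relative order, which is exactly what the article's reordered table does for
    the three unchanged rows that each carry one critical risk.
    """
    unknown = {row[3] for row in rows} - set(TREND_ORDER)
    if unknown:
        # Refuse to silently drop or misplace a row whose trend symbol we do not know.
        raise ValueError(f"unrecognised trend symbol(s): {sorted(unknown)}")
    return sorted(rows, key=lambda row: (TREND_ORDER[row[3]], -row[2]))


def render_report_card(rows):
    """Render rows as a plain-text table in the reader-first column order:
    objective, trend, critical risks, assessed risks."""
    header = ("Strategic objective", "TREND", "CRITICAL RISKS", "ASSESSED RISKS")
    width = max(len(row[0]) for row in rows + [header])
    lines = [f"{header[0]:<{width}}  {header[1]:<5}  {header[2]:>14}  {header[3]:>14}"]
    for name, assessed, critical, trend in rows:
        lines.append(f"{name:<{width}}  {trend:<5}  {critical:>14}  {assessed:>14}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report_card(reorder_report_card(ORIGINAL_ROWS)))
```

Running the script reproduces the reordered table above row for row. The trend ranking is the one design decision worth making explicit in a real report pipeline: the example puts worsening risks first because that is what the reader most needs to act on, and it rejects any trend symbol it has not been told about rather than guessing where the row belongs.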
What can go wrong with graphics

Probably the biggest mistake you can make with your visuals is not grouping and summarising things effectively for the reader – as in the original version of the table above. In effect, you’re forcing the reader to do extra work.

But there are other common missteps when it comes to tables, charts and other visuals:
– Using far too many colours, lines or data labels
– Not adding a caption to highlight the main message
– Putting columns or rows in the wrong order (ask yourself which are most important for the reader – then put the most important rows higher and the most important columns further to the left)
– Too many grid lines in tables – they should be in the background so they don’t compete with the text

When you’re reviewing a graphic, ask yourself: Where do you want the readers to look? What message do you want them to take away? Then structure your graphic around your answers to those questions.

A final thought: lessons learned

Naturally, most risk reports focus on what might happen in the future. But part of a really good risk analysis is a proper understanding of previous events. So a thorough root cause analysis (RCA) of past incidents will stand you in good stead for future reporting.

If it’s your job to report on risk in your organisation, you’ll know it’s a risky business. Get it wrong and you expose your organisation, its stakeholders and its customers to potential threats. But get it right and you’ll give the big bosses something vital and solid on which to base their key decisions – and you’ll become someone valuable they rely on.

Image credit: Mike Flippo / Shutterstock