CHAPTER 6: Risk Register

Even when they have every intention to do so, the executive team and board of directors may find it difficult to fully grasp the firm's risk profile. The sheer complexity involved in running a business is a big factor. But so is a certain lack of analytical capability, and the fact that much of the relevant information is found in the silos, that is, business units or corporate functions. An essential part of enterprise risk management (ERM) is closing this information gap by creating the necessary lines of communication and new analytics to describe risk.

Ensuring a continuous supply of high‐quality information to support decision‐making at all levels of the organization is what risk reporting is all about. However, there must be something useful to report in the first place. Even if the business units and functions have the relevant expertise about the risks in their line of business, they may not have the tools or techniques, or even the language, to express this knowledge in a way that executives and directors can comprehend and apply in decision‐making. Before risks can be reported, there has to be a systematic approach to identifying and assessing them, or what is commonly referred to as ‘risk mapping’.

Risk mapping, and the reporting of the identified risks, fulfils several important functions. One is simply to reduce the frequency of surprises. Being caught unawares when things go wrong implies a lack of control and professionalism, the avoidance ...
