In addition to the risk policy, the main risk management document is the risk register. This is likely to be a substantial document, primarily for reporting to management, and may well be too detailed for reporting to the governing body. The governing body and the audit committee will have to determine how risk matters should be reported and how frequently.
How regularly risk is reported to governing bodies varies. Some have a standing item at meetings consisting of a short progress update against key risks, and this might generally be considered to be good practice. Others ask for detailed reports on one of the major board-level risks at every audit committee meeting, and many have risk management as a standing item on the audit committee agenda. Another approach is to have quarterly reports to the governing body as part of the review of strategic and operational performance. In a well-run board, the need to discuss the issues causing concern will be identified beforehand in discussions between the chair and the clerk.
Increasingly, governing body or audit committee monitoring of risk is combined with simple presentational devices such as traffic lights, so that progress being made on specific items is easy to see.
In addition, a board should at a minimum receive - and approve - an annual risk report (usually prepared by the audit committee) which notes progress on all key identified risks. This is essential for internal purposes, and will form part of its compliance reporting to the funding body.