Board-Level Risk Reporting: What Boards Need and What They Typically Get
A board that receives a risk heat map once a quarter and spends ten minutes reviewing it has not discharged its risk governance obligation. It has completed a process.
The distinction matters because boards in high-hazard industries carry genuine legal exposure when risks that were foreseeable, material, and present on the risk register were not acted upon. In the aftermath of a fatality or a major environmental event, the board’s risk reporting record becomes relevant. What did the board know? When did it know it? What did it do with that information?
Most board risk reports are not designed to answer those questions well.
What Boards Are Actually Required to Do on Risk
Boards in Australian companies operating in high-hazard industries have risk governance obligations under the Corporations Act, under ASX Corporate Governance Principles (for listed companies), and under WHS legislation where officers have a due diligence obligation.
The due diligence obligation under WHS legislation is specific: an officer must take reasonable steps to acquire and keep up-to-date knowledge of WHS matters, understand the nature of the operation and its hazards, and ensure the organisation has appropriate resources and processes to manage those hazards. This is not a passive obligation satisfied by receiving a quarterly report. It requires active engagement with the risk picture.
For the board to fulfil this obligation, the information it receives must be accurate, current, and connected to operational reality. A risk register that is updated annually and summarised in a heat map does not provide this. A board that relies on that information and does not know the difference is at risk in any regulatory investigation.
What Information Boards Need vs What They Typically Receive
What boards typically receive:
A red-amber-green heat map showing the top 10 risks, with scores that have not materially changed from the previous quarter. An incident summary listing the number of recordable injuries and the LTIFR. A list of treatment actions, most of which are marked in progress. An assurance statement from the CEO that the risk management framework is operating effectively.
This report can be produced without anyone ever checking whether the critical controls are functioning. It can be produced while the operation has overdue verifications on three principal hazards, a backlog of 40 corrective actions from the past six months, and a TARP that was activated last week and not correctly responded to. None of that is visible in the standard report.
What boards need:
The current state of critical controls. Which critical controls are meeting their performance standards? Which are overdue for verification? Which have failed a verification check and not yet been restored? This is not a complete risk register — it is the subset of the risk picture that determines whether the most dangerous scenarios are being actively managed.
Leading indicator data alongside lagging indicators. The critical control verification rate, the overdue corrective action count, the TARP activation and response compliance rate. These tell the board whether the risk management system is functioning in real time, not whether it produced good outcomes in the past period.
Significant incidents and their systemic implications. Not a count of incidents, but a summary of the two or three most significant events of the quarter — what happened, what controls failed, and what is being done to prevent recurrence. The board should understand whether the incidents reflect isolated failures or patterns that indicate systemic issues.
Progress on material risk treatments. The treatment actions that, if not completed, leave the operation exposed to a material risk. Not the full action backlog, but the items that are consequential if they slip.
Emerging risks. Changes to the operating environment — new regulatory requirements, new hazards introduced by expansion or new contracts, early signals from incident data — that are moving the risk picture and have not yet been reflected in the formal register.
What a Board Risk Report Should Look Like in Practice
A board risk report that serves the governance purpose rather than the compliance purpose is typically short and specific. Its structure:
Executive summary (half a page): The current state of the risk profile compared to the previous period. Any material changes. The two or three things the board needs to know before reading further.
Critical risk status: A table showing the principal hazards and critical risks, with the current status of their critical controls — green for controls meeting performance standards, amber for controls with overdue verifications or partial compliance, red for controls that have failed. This is a leading indicator presented visually.
Significant incidents: A narrative summary of significant incidents from the reporting period, including the failed controls, the investigation findings, and the status of corrective actions. This connects the incident record to the risk register in a way that a frequency count does not.
Material treatment action status: A focused list of the high-priority risk treatments, with their due dates and current status. Actions that are overdue without a revised plan should be flagged explicitly.
Emerging risks: A brief section on risks that are changing — new regulatory requirements, early warning signals from the operation, changes to the hazard profile from operational changes.
What Common Board Reporting Failures Produce
Static heat maps. A heat map where the scores do not change from quarter to quarter is either evidence of a perfectly stable risk environment — which does not exist in a live mining or construction operation — or evidence that the scores are not being genuinely reassessed. Boards that see the same heat map for three consecutive quarters should ask why nothing has changed.
No connection to the operational system. The risk report is prepared by compiling information from multiple sources — incident data from one system, risk register from another, treatment actions from a spreadsheet. The report reflects what management has chosen to include. It does not provide the board with direct visibility into the operational risk system. Boards that want genuine assurance need some level of direct access to the operational data — not mediated entirely through a management summary.
Assurance without evidence. “The risk management framework is operating effectively” is an assertion. The basis for that assertion — what was checked, what evidence was reviewed, who signed off — should accompany it. An assurance statement without a described basis is an opinion.
Lagging-only reporting. A board that reviews injury frequency rates and incident counts is looking backwards. The LTIFR from the last quarter does not tell the board whether the critical controls that prevent a fatality next quarter are functioning today. Both types of information are required.
What Management Must Provide for Board Reporting to Work
Board risk reporting is only as good as the information management provides. If management does not have access to real-time data on critical control health, overdue actions, and TARP compliance, they cannot provide the board with accurate current information. They will provide what they can produce — which is a review of documents that may not reflect operational reality.
The connection between the board’s risk information and the operational risk system requires that the operational system be capable of producing the relevant data. A risk register that is reviewed annually, with controls recorded as text, cannot produce a real-time critical control health report. A platform that captures verification records in the field, tracks corrective action status automatically, and surfaces overdue items on a dashboard can.
The board’s ability to fulfil its due diligence obligation depends on management’s ability to provide accurate, current information. That ability depends on the operational systems management uses to manage risk. The chain runs from the field to the board, and it is only as strong as its weakest link.
For a breakdown of how RiskSight surfaces critical control health, leading indicators, and corrective action status for management and board reporting, see Risk Management Software for Mining, Construction & Heavy Industry.
Start a 30-day free trial with demo data included. No credit card required.
Ready to modernise your risk management?
Start your 30-day free trial. No credit card required.
Start free trial