How to Get Risk Reporting People Will Trust
Part 5 of a six-part series on what happens when a capable Finance Manager gets handed risk management and no one gives them a map.

TL;DR
By this point, Jess has done a lot of the hard work.
She has listened properly. Assessed what the organisation was really working with. Built a first risk register people can actually use. Helped the Board and executive team articulate risk appetite in a way that means something.
Now comes the part that often determines whether all that work sticks or quietly drifts.
Reporting.
Not reporting as in “produce a nicer Board paper”.
Reporting as in: can the executive team give the Board a timely, accurate, complete and relevant picture of risk? Can they show what has changed, what sits outside appetite, whether treatments are moving, whether controls are actually working, who owns what, and where accountability is slipping?
That is where buy-in gets tested.
Because the Board cannot govern from vague reassurance. The executive team cannot manage from stale information. And Jess cannot produce good reporting if the rest of the organisation treats risk as something that only matters the week before the Board pack goes out.
That is the shift in this part.
Risk management stops being a setup exercise.
It becomes a rhythm.
A risk register is not the same as having reporting.
A month ago, Jess was trying to get people to agree on the top risks.
Now she is sitting with the CEO, preparing the next Board Risk and Audit Committee paper, and a different problem shows up.
The register looks better. The appetite field is there. Owners have been named. A few treatments are underway.
But the paper still feels thin.
One risk says “within appetite: no” but gives no real commentary. Another says a treatment is “in progress” even though the due date passed three weeks ago. A third still looks green on the summary page, but when Jess asks a couple of questions, it becomes obvious the control assessment is based more on confidence than evidence.
That is the point where a lot of organisations get themselves into trouble.
They assume that because they now have a risk register, the reporting will take care of itself.
It won’t.
A register is a source.
Reporting is judgement.
The Board does not need more paper. It needs a clearer picture.
This is where executive buy-in matters.
If the executive team sees risk reporting as a compliance task delegated to Jess, the Board paper will always be second-hand. Technically assembled. Operationally thin. Full of status labels and light on meaning.
That is not enough.
The CEO and executive team are the ones who have to own the story the Board sees. Jess can coordinate it. She can challenge it. She can improve the quality of it. But she cannot manufacture executive ownership after the fact.
So she starts there.
Not with a template.
With a conversation.
“What does the Board actually need from us each quarter?”
The answer is usually simpler than people make it.
The Board needs to know:
- What are our top risks now?
- What has changed since the last report?
- Which risks are outside appetite, or getting close?
- Are the controls we are relying on actually working?
- Are treatment actions moving, stalled, or drifting?
- Who owns the issue?
- What decisions, support, or escalation do you need from us?
That is the spine of a good report.
Not fifteen pages of colour-coded comfort.
Full reporting versus exception reporting
This is a critical question, and a difficult one to answer.
Full reporting gives discipline. Exception reporting gives focus.
If you only do full reporting, the Board gets buried. Every risk, every quarter, every small movement, all flattened into one big paper. Important things get lost beside routine updates.
If you only do exception reporting, the Board loses line of sight. It sees only the fires, not the pattern. It becomes harder to judge whether the overall risk profile is improving, deteriorating, or quietly staying exposed.
So Jess lands on something practical to start.
A short core report every quarter covering the full top risk profile at a high level.
Then deeper exception commentary on what actually matters.
That means the Board gets visibility across the whole picture, but real attention is spent on:
- Risks outside appetite
- Material movement in rating or exposure
- Overdue or stalled treatments
- Control failures or declining control effectiveness
- Emerging risks
- Ownership gaps or accountability slippage
- Anything management wants the Board to discuss, endorse or escalate
That structure works because it respects the Board’s job.
Directors are not there to read the register line by line.
They are there to govern from it.
This is where watermelon risks show up
I heard the watermelon analogy at the 2026 RMIA conference and loved it.
A watermelon risk is green on the outside, red on the inside.
On paper, it looks low and under control. In reality, the inherent risk is still serious and the only thing keeping it from turning ugly is a set of controls people have started taking for granted. If those controls have not been tested, reviewed, or evidenced properly, that nice green status can become an exploding watermelon very quickly.
Jess starts seeing these everywhere once she knows to look.
Cyber is one.
The report says the risk is moderate because MFA exists, backups exist, and awareness training was done six months ago. Fine. But access reviews have not been completed consistently, the incident response plan has not been tested, and nobody has really challenged whether the outsourced provider controls still match the organisation’s exposure.
That is not a settled green risk.
That is a potential watermelon.
The same thing happens in compliance. And key-person dependency. And funding concentration. And workplace conduct. Risks that look calm because nothing terrible has happened yet.
So Jess adds a better question into the reporting process:
“What evidence tells us the controls we are relying on are actually effective?”
That changes the quality of commentary immediately.
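The exception criteria listed earlier and the evidence question above can be applied mechanically to a register before anyone writes commentary. The script below is an added example, not part of the original post or Jess’s organisation; the register rows, field names, dates and the one-year evidence age are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample register; risk names, fields and dates are assumptions for this example.
REGISTER = [
    {"risk": "Cyber", "owner": "CIO", "rating": "high", "prev_rating": "high",
     "within_appetite": False, "treatment_status": "in progress",
     "treatment_due": date(2026, 3, 10),
     "controls": [("MFA", date(2026, 2, 1)), ("Access reviews", None),
                  ("IR plan test", date(2025, 3, 1))]},
    {"risk": "Key-person dependency", "owner": "COO", "rating": "low", "prev_rating": "low",
     "within_appetite": True, "treatment_status": "complete", "treatment_due": None,
     "controls": [("Succession plan", None)]},
    {"risk": "Funding concentration", "owner": "", "rating": "moderate", "prev_rating": "low",
     "within_appetite": True, "treatment_status": "in progress", "treatment_due": date(2026, 6, 30),
     "controls": [("Donor diversification review", date(2026, 1, 15))]},
    {"risk": "Compliance", "owner": "GM Legal", "rating": "low", "prev_rating": "low",
     "within_appetite": True, "treatment_status": "complete", "treatment_due": None,
     "controls": [("Obligations register review", date(2026, 2, 20))]},
]

EVIDENCE_MAX_AGE = timedelta(days=365)  # assumed: evidence older than a year is stale


def exceptions_for(row, report_date):
    """Return the exception flags one register row earns on the report date."""
    flags = []
    if not row["within_appetite"]:
        flags.append("outside appetite")
    if row["rating"] != row["prev_rating"]:
        flags.append(f"rating moved ({row['prev_rating']} -> {row['rating']})")
    due = row["treatment_due"]
    if row["treatment_status"] != "complete" and due is not None and due < report_date:
        flags.append(f"treatment overdue since {due.isoformat()}")
    if not row["owner"]:
        flags.append("no owner")
    # Controls with no evidence, or evidence older than the allowed age, cannot be relied on.
    stale = [name for name, seen in row["controls"]
             if seen is None or report_date - seen > EVIDENCE_MAX_AGE]
    if stale:
        flags.append("controls without current evidence: " + ", ".join(stale))
        if row["within_appetite"]:
            # Green on the outside, but the controls holding it there are untested.
            flags.append("watermelon: reported within appetite on unevidenced controls")
    return flags


def exception_report(register, report_date):
    # Only risks that earned a flag get exception commentary; quiet risks are omitted.
    flagged = ((row["risk"], exceptions_for(row, report_date)) for row in register)
    return {risk: flags for risk, flags in flagged if flags}
```

Running `exception_report(REGISTER, date(2026, 3, 31))` leaves Compliance out entirely and flags Key-person dependency as a watermelon, which is the list the executive team would be asked to write commentary against.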
Good commentary is what makes the report useful
This is the bit people skip.
A Board paper without commentary is just a spreadsheet wearing a blazer.
The commentary does not need to be long. It does need to do real work.
For each material risk, Jess pushes risk owners and executives to answer four things in plain English:
- What is happening or changing?
- Why does it matter?
- What are we doing about it?
- What does the Board need to know or do?
That is enough.
So instead of writing:
Cyber risk remains high. Treatment in progress.
She writes:
Cyber risk remains outside appetite. MFA and backups are in place, but access reviews are inconsistent and the incident response plan has not been tested this year. Management has approved a remediation plan, with access review completion due by 30 June and a tabletop exercise scheduled for July. No Board decision is required this quarter, but the executive team is flagging this as a priority area.
That is better.
It tells a story.
Not a dramatic story. A useful one.
Timeliness, completeness and accuracy do not come from the Board paper stage
They come much earlier.
This is where whole-of-organisation engagement matters.
If risk only appears as a quarterly reporting exercise, the information will always be late, partial, and political. People will remember updates when chased. Owners will default to optimistic wording. Actions will be marked “in progress” long after momentum has gone.
So Jess does something simple.
She gets risk onto the agenda of existing management meetings.
Not as a big ceremonial item every time. Just enough to keep it alive.
- Executive meeting. Top risk movements.
- Operations meeting. Incidents, near misses, control failures, treatment progress.
- Project meeting. New and emerging risks.
- Leadership meeting. Risks outside appetite and overdue actions.
That rhythm matters because it creates freshness.
And freshness creates better reporting.
By the time the Board paper is due, Jess is not trying to reconstruct the last quarter from emails and memory. The information has already been discussed, challenged and updated closer to real time.
That is how timeliness improves.
Completeness improves the same way. When people know risk is a standing part of how the business talks, more of the picture shows up. Incidents. Weak controls. Slipping actions. New exposures. Not because people suddenly love governance. Because it is now normal to raise it.
Accuracy improves because information gets challenged earlier.
An executive hears that a treatment marked complete is not actually embedded. A control described as effective turns out not to have been reviewed in nine months. A “low” risk gets re-examined because the consequence, if the control fails, is clearly much worse than the report suggests.
That is how bad surprises become less frequent.
The executive team sets the tone with the Board
This relationship matters more than any template.
In early-stage organisations, roles are often a bit fuzzy. Jess is coordinating. The CEO is accountable for management. Executives own specific risks. The Board governs. Sometimes there is a Risk and Audit Committee. Sometimes there is not. Sometimes the risk manager is a dedicated role. Sometimes it is Jess with three other jobs.
Fine.
Whatever the maturity level, the principle is the same.
Management should not wait for perfect certainty before telling the Board something matters.
Earlier communication is better.
- If a risk moves outside appetite, say so.
- If a treatment is delayed and the exposure is increasing, say so.
- If a control failed and the impact could become material, say so.
- If an emerging risk is still forming but could affect strategy, say so.
Boards generally cope better with early warning than late surprises.
The thing is, executives sometimes avoid that because they think reporting a problem makes them look weak.
Usually the opposite is true.
What worries a Board is not that a risk exists. Of course risks exist. What worries a Board is finding out late, or finding out that management has been using green language to describe a red reality.
That destroys confidence quickly.
Emerging risks deserve a place, even when they are not fully formed
One of the easiest mistakes in reporting is to focus only on what is already in the register.
But emerging risks do not arrive with perfect wording and a settled rating. They show up as signals. Trends. Conversations. Incidents elsewhere. Regulatory shifts. Market changes. Technology changes. Strange patterns that do not fit neatly into last quarter’s categories.
Jess creates a small section in the report for these.
Not alarmist. Not overcooked.
Just a short note on issues management is watching, why they matter, and whether they may require a deeper assessment next quarter.
Emerging risks help the Board do what it is there to do: look ahead, not just backwards.
What good looks like at this stage
By now, Jess is not trying to produce a perfect risk report.
She is trying to produce one the Board can trust.
That means it is timely enough to be relevant. Accurate enough to support decisions. Complete enough to show the real picture. Focused enough that directors can see what matters. Honest enough to surface discomfort. Practical enough that management can act from it.
And the report only gets there when the organisation helps create it.
Good risk reporting is not a writing exercise done by one person at quarter end.
It is the output of an organisation that has started talking honestly about risk, with clear ownership, regular review, and enough discipline to test whether the controls it depends on are actually working.
That is the buy-in piece.
Not getting everyone to love risk management.
Getting enough of the organisation engaged that the Board sees reality in time to govern from it.
That is a very different standard.
And a much more useful one.
If you want to discuss risk reporting and how to make it more effective, reach out.
A conversation is usually the best place to start.
Next week, we’ll pick up with Jess six months on. Not to admire the framework she built, but to look honestly at what has stuck, what has drifted, and what it takes to move risk management from “good enough” to genuinely mature.