What a board risk report should contain

Top five risks with consequence, likelihood, owner, and plan. Plus what has changed since last meeting — a decision document, not a tick-box.

A good board risk report contains the top five risks — each with five elements: description, consequence, likelihood, owner, and plan. Plus two more: how the picture has changed since the last meeting, and which early warning signals you're tracking. Anything less is not a risk report — it's a tick-box.

The five elements per risk

Template — one line per risk:

  1. Description — one concrete sentence. Not "regulatory risk" but "risk of losing operating licence in Germany by Q3 if new ESG reporting is not in place".
  2. Consequence — ideally in euros or % of revenue. "Material" is not a consequence.
  3. Likelihood — low/medium/high or %.
  4. Owner — one named person. Not "management".
  5. Plan — what is being done, when it is reviewed, and at what point it escalates to the board.

Top five — not top twenty

A risk report with 17 risks tells the board the CEO hasn't prioritised. Top five forces the executive team to decide: what actually matters most? If risk number six turns out to be more important, then the prioritisation was wrong — and it's better to discover that in the risk review than at the next board meeting.

Change since last meeting

The single most useful element in the risk report is often: what has changed since the last meeting? The board cannot remember 20 risks across four quarters. But it can remember whether something has moved the right way or the wrong way. Use arrows (↑↓→) or colour coding to show the movement.

Early warning signals

Each material risk should carry one or more early warning signals — the thing that shows the risk is starting to develop. Examples:

  • Liquidity risk — days of cash falls below 45.
  • Customer risk — top three customers exceed 60% of revenue.
  • People risk — voluntary attrition above 12% among key staff.
  • Covenant risk — less than 0.5x buffer to a covenant breach.

Early warning signals turn risk into a continuous follow-up — instead of a quarterly status meeting.

The quarterly update cycle

The risk report isn't used only at the board meeting itself. It's maintained between meetings. A simple cycle works for most SMEs:

  • Week 1 after the meeting: Update the report with decisions taken. Send the relevant minute extracts to each risk owner.
  • Week 4 (mid-quarter): Risk owners report status to the CFO or chief of staff. Escalation triggers are checked.
  • Week 8 (end of quarter): Full review. New risks considered for inclusion. Existing risks reassessed for change.
  • Week 11 (before the meeting): Final risk report goes to the chair 7 days before the meeting.

The full cycle takes 6 to 8 hours per quarter — spread across 4 or 5 people. It's a small investment for a decision document that can prevent a big mistake.

Why the risk item often fails

Many CEOs treat the risk item as something to get through. That is exactly the impression the board should not be left with. It is often here that directors form their real view of whether the CEO has a grip on the business — or is simply good at presenting the upside.

Template: risk report table for an SME board meeting

The simplest form of risk report is a table with one row per risk. It typically fits on a single page and can be updated in 30 minutes before each meeting:

Risk report — Q2 2026 (example):

  1. R1 — Customer concentration. Top 1 = 28% (above stated limit of 25%). Consequence: €720K EBITDA impact. Likelihood: medium. Owner: Lars Nielsen. Plan: alternative contract draft Q3. Escalation: unconfirmed negotiation by 1 July. Movement: ↑ since Q1.
  2. R2 — Liquidity. 67 days of cash (above warning level of 90, above floor of 60). Consequence: loss of strategic flexibility. Likelihood: low. Owner: CFO. Plan: bank negotiation on extended facility. Escalation: below 60 days. Movement: → flat.
  3. R3 — Key personnel. Loss of COO would cost €350K in revenue over 6 months. Likelihood: low. Owner: HR + CEO. Plan: succession plan documented Q2. Escalation: resignation received. Movement: ↓ (succession plan in place).
  4. R4 — IT security. Three phishing attempts this quarter. Consequence of a successful attack: €100K–€400K plus reputational damage. Likelihood: medium. Owner: Head of IT. Plan: MFA across all systems Q2, security training Q3. Escalation: successful attack. Movement: ↑ (more attempts).
  5. R5 — Regulatory (CSRD). Failure to report may trigger fines plus loss of customer contracts. Likelihood: high. Owner: CFO. Plan: consultant engaged, deadline Q4. Escalation: delay greater than 30 days. Movement: ↑ since last meeting.

The most important element in the table is the movement since last meeting — arrows (↑↓→) or colours. The board cannot remember 20 risks across four quarters. But it can remember whether something is moving the right way or the wrong way.

Recurring vs. new risks

Risks fall into three categories — each handled differently:

  • Standing risks (liquidity, customer concentration, key personnel): appear on every report. Always shown with movement since last meeting.
  • Cyclical risks (seasonality, currency exposure, commodity prices): appear in the quarters where they are live. Rotate through the year.
  • New risks (regulation, technology shift, geopolitical event): introduced with full context, so the board understands why they have suddenly appeared on the list.

When a new risk appears, the CEO should explicitly explain why — otherwise the risk picture looks like it's jumping around without a steady hand.

The honest test

If you remove everything from the report except the risk section, and hand it to someone outside the company who knows your industry — can they tell you where the business will be in 12 months? If yes, the report is good. If no, it's missing either concrete numbers, an honest view of likelihood, or clear plans.
