Present Control Metrics to boards

Winning the Board’s Attention: How to Present Control Metrics that Land

You do not get many chances with the Board. If your control metrics look disconnected from risk, hard to interpret, or meaningless, you lose the room very quickly. Your goal is simple: show whether the company is within risk appetite, where controls are under pressure, and what you are doing about it. Everything else is noise. Below are a few ideas to help you present control metrics to the Board as you prepare your next presentation.

Start from the risks, not from the controls

    Most finance and risk teams start from the control framework: number of reconciliations, policy updates, access reviews, training completed. That is not how Boards think. They think in risk, how those risks are mitigated, and the outcomes if they are not. So you need to start with the risks and use them to show why the controls matter.

    Before touching slides, list the key risks you want to cover. For a typical finance and internal control update, you might have:

    • misstatement of financial results
    • fraud and misuse of assets
    • IT access and cybersecurity
    • regulatory non-compliance
    • business continuity and third-party failure

    Then ask a simple question for each: what 1–3 metrics would convince a non-technical director that this risk is under control or drifting outside appetite? If a metric does not clearly link to a risk, it probably does not belong in the Board pack.

    A quick filter you can apply when selecting metrics:

    • can I point to a specific risk this metric is monitoring?
    • if this metric turned red, would the Board genuinely care?
    • does it show effectiveness, not just activity volume?

    If you cannot say “yes” to all three, it is likely not a Board metric.

    Build a small, stable set of control metrics

    Your internal dashboards might contain dozens of KCIs (Key Controls Indicators). The Board should see a curated subset. The art is to cover the control environment without drowning people in detail. A simple way is to think in four buckets.

    Design and governance – are the basics in place?

    • percentage of key processes with documented and approved controls
    • percentage of key controls with a named owner and defined frequency
    • number of overdue control or policy reviews

    Operating effectiveness – are the controls actually working?

    • percentage of key controls tested in the period
    • percentage of tested key controls rated effective
    • number of repeat control failures compared to prior periods

    Incidents and control failures – are the controls failing?

    • number of material control failures or incidents
    • number of near misses identified before impact
    • quantified financial or operational impact where possible

    Remediation and maturity – are you improving or just containing issues?

    • number of open remediation actions on high-risk items
    • percentage of actions overdue versus agreed dates
    • control maturity by domain (e.g., 1–5 scale over time)

    Keep this core set stable over time. You can add or retire a metric occasionally, but the Board should see broadly the same “control dashboard” each quarter so they can read trends without having to relearn the pack.

    Use a simple structure for the Board pack

    The way you order the slides is as important as the metrics themselves. A clean structure helps the Board stay with you and keeps the discussion at the right level.

    A practical sequence that works in most companies:

      • Executive view

      Start with a one-page written summary and a high-level dashboard. In one page, answer:

      1. Is the overall control environment effective, under pressure, or deteriorating?
      2. What are the top three control-related concerns this period? Why do they matter?
      3. Where are you clearly outside or close to risk appetite? What are you doing about it?
      4. Are decisions and support needed?
      • Risk Overview

        Then show how this links to key or to principal risks. You do not need a complex risk map. One clear slide with a ranked list of top risks, their residual level, and a short description is enough, as long as you clearly signpost where each risk will be discussed later in the pack.

        • High-level control dashboard

          Follow this with a “control health at a glance” view. Use key domains (financial reporting, IT access, compliance, operations, third parties, business continuity) with a simple RAG status and a trend arrow. Add short comments on key movements and trends, aiming to answer the main questions executives will have when they look at the at-a-glance dashboard.

          • Detailed metrics for each risk

            If required and depending on the audience, you might want to consider putting them into the appendix.
            For each domain, one dashboard slide is usually enough. Limit yourself to 5–7 metrics. For each metric, show: current value, target or tolerance, trend over at least three periods, and a clear status. Add a small text box with two angles: what is working well; where control is under pressure.

            Next to each metric, give the Board a clean view of what is actually broken and what you are doing about it.

            • A summary slide on actions and next steps:

            Focus on next steps: actions to remediate control failures (with due dates and owners), highlighting top priorities and any decisions or support required.

            If needed, keep deep dives (one or two extra slides) for truly material issues only: repeated failures, significant incidents, or areas under regulatory scrutiny. Everything else should stay at the summary level or move to the appendix.

            Close by being explicit about what you need from the Board. Otherwise, the session becomes a passive briefing instead of a governance discussion. Spell out:

            1. which areas are currently outside or at the limit of risk appetite,
            2. which remediation programmes are critical in the next 6–12 months,
            3. what decisions, prioritisation or funding you need from the Board.

            Make the slides readable for non-control experts

            Boards are time-poor. You are competing with strategy, performance, and external topics for attention. The slides need to be easy to scan and understand at first glance.

            A few design disciplines help:

            • focus on trends, not single data points; three or more periods wherever you can
            • agree RAG thresholds upfront and apply them consistently across the entire pack
            • keep charts simple; one idea per slide, one main chart where possible
            • avoid internal jargon; if you must use acronyms, spell them out once in smaller text

            Every chart or table should have a one-line “so what” message. If you removed the numbers and only left the sentence, a director should still understand the point.

            Make it easy to read at different depths

            Different people will read at different levels. Design for three use cases:
            • someone who only reads the executive summary
            • someone who reads the executive view plus the dashboards
            • someone (often the Audit Chair) who will also look at the appendix

            To support that:
            • make the executive summary and “health at a glance” fully self-contained
            • use headings and simple visual cues to pull out key messages; keep explanations in smaller text
            • keep the main deck to the storyline and move technical detail, definitions, and methodology into the appendix

            A simple test: if a director reads only the executive view, the control health slide, and the issues/actions slide, they should still be able to challenge you and participate in decisions.

            Turn the update into a repeatable product

            Treat this Board pack as a recurring product, not a project. You want to reach a point where each cycle feels like “update and review” rather than “reinvent”.

            In practice:
            • lock the structure so it stays the same across meetings
            • agree a defined list of Board-level metrics with clear owners and definitions
            • keep the link from risks → controls → metrics → issues → actions visible in the pack
            • agree a simple cadence and escalation rule set and stick to it

            Once this is in place, the conversation shifts. Directors know how to read your material, so they spend less time asking “what does this mean?” and more time on “what should we do about it?”.

            At internalcontroltoolbox.com, we turn this into something you can actually use with ready-made templates and example metrics you can plug into your own environment and adapt quickly. If you want to enhance how you measure, monitor, and report controls – without reinventing the wheel every quarter – that’s exactly what our toolkits are built for.

            Leave a Reply

            Your email address will not be published. Required fields are marked *