Board and Risk Committee Reporting Governance

2. Summary

Board and Risk Committee Reporting Governance requires that organisations define minimum reporting cadence, content standards, and escalation routes for senior governance reporting on AI agent risks and controls. Boards and risk committees bear ultimate accountability for the governance of AI agents, but they can only exercise that accountability if they receive structured, timely, and accurate reports on the governance posture, residual risks, conformance status, and material incidents. Without reporting governance, information reaches the Board late, in inconsistent formats, filtered through layers of management that may suppress unfavourable data. The reporting framework MUST define what information the Board receives, how often, in what format, and through what escalation routes — and MUST ensure that the reporting is complete, accurate, and timely regardless of the content.

3. Example

Scenario A — Filtered Reporting Conceals Deteriorating Governance Posture: An organisation's AI governance team produces monthly reports for the CTO, who produces quarterly summaries for the Board. Over 6 months, the governance team reports a steady decline in conformance scores: 12 controls drop from Score 2 to Score 1, and 3 controls drop to Score 0. The CTO's quarterly summary presents the overall conformance rate as "89% of controls at Score 1 or above" — technically accurate but concealing the trend and the 3 critical controls at Score 0. The Board receives no information about the Score 0 controls. When one of the Score 0 controls (AG-001 aggregate enforcement) fails and produces a £4.2 million exposure, the Board asks: "Why were we not informed?" The CTO points to the quarterly summaries; the Board points out that the summaries concealed the material risks.

What went wrong: No reporting content standard existed. The CTO had discretion over what to include and how to present it. The reporting format did not mandate inclusion of controls at Score 0, negative trends, or specific risk categories. The Board received a filtered view. Consequence: £4.2 million exposure, Board declares loss of confidence in governance reporting, CTO removed, external review commissioned at £380,000.

Scenario B — No Escalation Route for Material Governance Failures: A governance analyst discovers that the configuration store underpinning AG-007 (Governance Configuration Control) has been compromised — version history has been modified, invalidating all configuration-dependent controls for the past 3 weeks. The analyst reports this to the governance manager, who schedules it for discussion at the next monthly governance meeting (in 18 days). No escalation route exists for material governance failures that cannot wait for the regular reporting cycle. During the 18-day delay, the compromised configuration store causes two additional control failures, and the organisation continues operating agents with invalid governance configurations.

What went wrong: No escalation route existed for material governance failures outside the regular reporting cycle. The governance manager had no defined obligation to escalate immediately. The analyst had no mechanism to bypass the management chain. Consequence: 18 additional days of operating with compromised governance, two additional control failures, total remediation cost £620,000.

Scenario C — Reporting Cadence Misaligned with Agent Operational Tempo: An organisation deploys high-frequency trading agents that execute 50,000 trades per day. The Board receives AI governance reports quarterly. Between quarterly reports, a model upgrade changes the agent's risk profile, 3 controls are temporarily disabled during a platform migration, and the agent accumulates £12 million in positions that exceed the risk appetite defined in the mandate. None of these events reaches the Board until the quarterly report — 67 days after the first event. The Board's quarterly cadence is designed for human-scale operational tempo; the AI agent operates at machine tempo.

What went wrong: The reporting cadence was not calibrated to the operational tempo of the governed agents. A quarterly cycle designed for human-speed operations is inadequate for machine-speed operations. No event-triggered reporting existed alongside the periodic reporting. Consequence: 67 days of unescalated risk accumulation, Board accountability gap, regulatory finding for inadequate Board oversight.

4. Requirement Statement

Scope: This dimension applies to every organisation where a Board, Board-level committee, or equivalent senior governing body bears accountability for AI agent governance. For organisations without a formal Board (e.g., startups, small enterprises), the "Board" equivalent is the most senior individual or group with governance accountability. The scope covers: the definition of reporting content, the reporting cadence, the escalation routes for material events, the format and presentation standards, and the mechanisms to ensure reporting completeness and accuracy. The scope does not prescribe specific governance structures — it governs the information flow to whatever senior governance body exists.

4.1. A conforming system MUST define a minimum reporting cadence for AI governance reporting to the Board or risk committee, not less frequent than quarterly. Organisations with high-risk or critical-risk agents MUST report at least monthly.

4.2. A conforming system MUST define mandatory reporting content that includes, at minimum: (a) overall conformance posture (number and percentage of controls at each score level), (b) controls at Score 0 or Score 1 with remediation plans and timelines, (c) aggregate residual risk posture (from AG-224), (d) material governance incidents since the last report, (e) conformance trend over the trailing 12 months, and (f) regulatory and standard changes with impact assessment (from AG-228).

4.3. A conforming system MUST define escalation routes for material governance events that require Board or risk committee attention outside the regular reporting cycle, with defined criteria for what constitutes a "material event" and maximum escalation timelines (not exceeding 24 hours for critical events, 72 hours for high-severity events).

4.4. A conforming system MUST ensure that governance reports are not filtered or summarised by individuals with conflicts of interest — specifically, individuals whose performance is evaluated based on governance outcomes must not be the sole editors of governance reports to the Board.

4.5. A conforming system MUST retain all governance reports to the Board with version history, distribution records, and any Board decisions or actions taken in response.

4.6. A conforming system SHOULD implement a standardised reporting template ensuring consistency across reporting periods and enabling trend analysis.

4.7. A conforming system SHOULD supplement periodic reporting with event-driven reporting triggered by defined threshold breaches (e.g., any control dropping to Score 0, any agent operating outside its certification scope, any residual risk acceptance expiry without renewal).

4.8. A conforming system SHOULD provide Board members with direct access to the underlying governance data (dashboards, risk registers, conformance assessments) enabling independent verification of report content.

4.9. A conforming system MAY implement automated report generation from governance data systems, reducing manual compilation effort and the risk of transcription errors or selective presentation.

5. Rationale

Board accountability for AI governance is established by regulation and organisational governance principles. The EU AI Act, FCA Senior Managers Regime, SOX, and ISO 42001 all establish or imply Board-level accountability for the governance of AI systems. This accountability is meaningful only if the Board receives the information necessary to exercise it.

Three problems arise without reporting governance. First, information asymmetry: the governance team has detailed knowledge of the governance posture; the Board has whatever the management chain chooses to share. Without mandated content requirements, the Board may receive optimistic summaries that conceal deteriorating conditions. Second, tempo mismatch: AI agents operate at machine speed, but Board reporting cycles are designed for human-speed operations. A quarterly report on systems that change daily creates a 90-day information gap. Third, escalation gaps: material governance failures require immediate Board awareness, but without defined escalation routes, they travel through the regular management chain at the regular pace — arriving too late for the Board to intervene.

Reporting governance addresses these problems by defining what the Board receives (content), when (cadence), how urgently (escalation routes), and with what quality assurance (conflict-of-interest controls and data access). It transforms Board governance from a ceremonial review into an informed accountability function.

6. Implementation Guidance

Governance reporting should be implemented as a structured process with defined inputs (governance data), defined transformation (report compilation), defined outputs (report artefacts), and defined distribution (Board and risk committee members).

Recommended patterns:

• Standardised report template with mandatory sections. Define a report template with mandatory sections that must be populated in every report: (1) Executive Summary — 1-page overview of governance posture, (2) Conformance Dashboard — visual representation of all controls by score, (3) Score 0 and Score 1 Detail — for each control below Score 2, the issue, remediation plan, owner, and target date, (4) Residual Risk Summary — aggregate residual risk from the AG-224 register, (5) Material Incidents — incidents since the last report with root cause and remediation status, (6) Trend Analysis — 12-month conformance trend with commentary on significant movements, (7) Regulatory Horizon — upcoming regulatory changes and their impact assessment. The template ensures nothing is omitted.
• Dual-channel reporting. Complement the periodic report with a real-time governance dashboard accessible to Board members. The dashboard provides: current conformance scores for all controls, alerts for controls at Score 0, residual risk register visibility, and incident status. This eliminates the information gap between periodic reports and gives Board members the ability to independently verify report content.
• Escalation matrix with tiered timelines. Define an escalation matrix: Critical events (e.g., any control at Score 0, any agent operating without a valid certification, any data breach) — escalated to Board Chair within 24 hours. High-severity events (e.g., control dropping from Score 2 to Score 1, residual risk acceptance expiry without renewal, material vendor change) — escalated to risk committee chair within 72 hours. The matrix should define specific event categories, the escalation timeline for each, and the responsible escalator.
• Independent report review. Before the report is finalised, an individual independent of the governance team (e.g., internal audit, compliance) reviews the report for completeness and accuracy against the underlying data. This prevents the filtering problem described in Scenario A.

Anti-patterns to avoid:

• Vanity metrics reporting. Reporting only favourable statistics ("95% of controls are assessed") without context (the remaining 5% are the highest-risk controls) or trend information. Reports must include unfavourable information with the same prominence as favourable information.
• Single-editor reporting. Allowing a single individual to compile, filter, and present the governance report without independent review. This creates a bottleneck through which unfavourable information can be filtered.
• Reporting without action tracking. Producing reports that the Board reviews but without tracking Board decisions, actions, or follow-up. Reports should generate tracked action items with owners and due dates. If the Board requests information or action, that request must be recorded and its fulfilment tracked.
• Ad hoc reporting formats. Changing the report format between periods, making trend analysis impossible. A standardised template ensures that each report is comparable to prior reports.

Maturity Model

Basic Implementation — A standardised report is produced and presented to the Board at least quarterly (monthly for high-risk deployments). The report includes all mandatory content elements defined in 4.2. Escalation routes are defined for material events. Reports are retained with distribution records. An individual independent of the governance team reviews the report before finalisation.

Intermediate Implementation — The report is generated from governance data systems with automated data extraction, reducing manual compilation. A real-time governance dashboard supplements periodic reporting. Event-driven escalation is automated — threshold breaches trigger immediate notifications to the appropriate Board or committee members. Board actions and decisions are tracked with follow-up accountability. Reporting is reviewed semi-annually for relevance and effectiveness.

Advanced Implementation — All intermediate capabilities plus: automated report generation produces draft reports requiring only human review, not manual compilation. Board members have direct query access to governance data. Reporting effectiveness is measured (e.g., Board member surveys, decision quality metrics). Cross-organisation reporting supports group-level governance for multi-entity organisations. External comparisons (benchmarking against peer organisations' governance postures) are included where available.

7. Evidence Requirements

Required artefacts:

• Reporting cadence definition. Document defining the reporting frequency, mandatory content, escalation criteria, and escalation timelines.
• Board reports archive. All governance reports presented to the Board during the assessment period, with distribution records showing when and to whom each report was sent.
• Escalation records. Records of all material governance events escalated outside the regular reporting cycle during the assessment period, showing: the event, the escalation timeline, the recipient, and the response.
• Independent review records. Evidence that an individual independent of the governance team reviewed each report before finalisation.
• Board action tracking records. Records of Board decisions and actions arising from governance reports, with follow-up status.
• Conflict-of-interest declaration. Declaration confirming that report compilers and reviewers do not have conflicts of interest (per 4.4), or documenting mitigations where conflicts exist.

Retention requirements:

• Board reports, escalation records, and action tracking: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Mandatory Content Completeness

• Stimulus: Review the most recent 4 governance reports to the Board. Verify that each contains all mandatory content elements defined in Requirement 4.2.
• Expected behaviour: All reports contain all mandatory elements.
• Pass criteria: 100% of reviewed reports contain all 6 mandatory content elements (conformance posture, low-score detail, residual risk, material incidents, trends, regulatory horizon).
• Fail criteria: Any report is missing any mandatory content element.

Test 8.2: Escalation Timeline Compliance

• Stimulus: Review all material governance events during the assessment period. For each, verify that escalation occurred within the defined timeline (24 hours for critical, 72 hours for high-severity).
• Expected behaviour: All material events were escalated within the defined timelines.
• Pass criteria: 100% of critical events escalated within 24 hours. 100% of high-severity events escalated within 72 hours.
• Fail criteria: Any material event was escalated outside the defined timeline, or was not escalated at all.

Test 8.3: Conflict-of-Interest Control

• Stimulus: Identify the individuals who compiled the most recent governance report. Verify that no individual whose performance is evaluated based on governance outcomes was the sole editor of the report. Verify that an independent reviewer reviewed the report.
• Expected behaviour: Report compilation involved conflict-of-interest controls as defined in 4.4.
• Pass criteria: An independent reviewer (not evaluated on governance outcomes) reviewed the report before finalisation. The review is documented.
• Fail criteria: The report was compiled and finalised solely by individuals with governance outcome-based performance evaluation, without independent review.

Test 8.4: Reporting Cadence Compliance

• Stimulus: Review the dates of all governance reports during the trailing 12 months. Verify that reports were produced at the defined cadence (at least quarterly, or monthly for high-risk deployments).
• Expected behaviour: Reports were produced on schedule with no gaps exceeding the defined cadence.
• Pass criteria: No reporting gap exceeds the defined cadence by more than 14 days.
• Fail criteria: Any reporting gap exceeds the defined cadence by more than 14 days.

Test 8.5: Report Retention and Distribution

• Stimulus: Request all governance reports from 24 months ago. Verify they are retrievable with distribution records.
• Expected behaviour: Reports and distribution records are retained and accessible.
• Pass criteria: All requested reports are retrievable within 48 hours, with complete distribution records.
• Fail criteria: Any report is missing from the archive, or distribution records are incomplete.

Test 8.6: Board Action Tracking

• Stimulus: Review the most recent 4 governance reports and identify all Board decisions or action requests. Verify that each has a tracked action item with owner, due date, and current status.
• Expected behaviour: All Board decisions are tracked with accountability.
• Pass criteria: 100% of Board decisions or action requests from the reviewed reports have tracked action items with owners and status updates.
• Fail criteria: Any Board decision or action request is untracked or has no assigned owner.

Conformance Scoring

• Score 0: No structured governance reporting to the Board or risk committee — information reaches senior governance through ad hoc channels or not at all.
• Score 1: Periodic reports are produced but do not follow a standardised template, do not include all mandatory content elements, and escalation routes are not defined. Reports may be filtered by individuals with conflicts of interest.
• Score 2: Reports follow a standardised template with all mandatory content, produced at the defined cadence. Escalation routes are defined and followed. Conflict-of-interest controls are in place. Reports are retained with distribution records. Board actions are tracked.
• Score 3: Verified by independent audit — an independent party has validated reporting completeness, escalation compliance, and conflict-of-interest controls. Automated report generation and real-time dashboards supplement periodic reporting. Board members have direct data access for independent verification.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9(9) (Risk Management — Reporting)	Supports compliance
EU AI Act	Article 26 (Obligations of Deployers)	Supports compliance
FCA SYSC	4.3.1R (Responsibilities of Senior Management)	Direct requirement
FCA	SM&CR (Prescribed Responsibilities)	Direct requirement
SOX	Section 302 (Corporate Responsibility)	Direct requirement
ISO 42001	Clause 5.1 (Leadership and Commitment)	Supports compliance
ISO 42001	Clause 9.3 (Management Review)	Direct requirement
DORA	Article 5(6) (Board Responsibility for ICT Risk)	Direct requirement

FCA SYSC — 4.3.1R and SM&CR

SYSC 4.3.1R requires senior management to receive adequate management information on the matters for which they are responsible. Under SM&CR, prescribed responsibilities include oversight of the firm's AI governance arrangements. AG-225 directly implements this requirement by defining the information flow that enables senior management to exercise their prescribed responsibilities. The FCA has enforcement authority for inadequate management information — the absence of structured AI governance reporting to senior management is itself a potential finding.

SOX — Section 302

Section 302 requires corporate officers to certify the effectiveness of internal controls based on their evaluation. Officers cannot make this certification without receiving structured, accurate, and timely information about the control environment. AG-225 provides the reporting framework that enables the officer's evaluation. Without it, the Section 302 certification is made without adequate basis — a condition that could expose the officer to personal liability.

ISO 42001 — Clause 9.3 (Management Review)

Clause 9.3 requires top management to review the AI management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. AG-225 provides the structured input for this management review: the governance reports contain the information that management needs to evaluate the AI management system's performance.

DORA — Article 5(6)

Article 5(6) requires the management body of financial entities to approve and periodically review the ICT risk management framework. For AI agents, this extends to the governance framework controlling agent operations. AG-225 ensures that the management body receives the information necessary for this periodic review.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — directly affects Board accountability and personal liability of senior managers

Consequence chain: Without reporting governance, the Board operates in an information vacuum regarding AI agent governance. The immediate failure mode is uninformed accountability — the Board is accountable for AI governance but cannot exercise that accountability because it does not receive the information needed to do so. The downstream consequence is regulatory exposure: under SM&CR, SOX, and equivalent regimes, senior managers who cannot demonstrate they received adequate information about the governance posture face personal liability. The ultimate business consequence is dual: governance failures that could have been prevented by Board intervention (because the Board would have demanded remediation had it been informed), and personal sanctions against senior managers who were technically accountable but practically uninformed.

Cross-references: AG-224 (Residual Risk Acceptance Governance) provides the residual risk data that reporting consumes. AG-222 (Conformance Profile Governance) provides the conformance targets against which reporting measures performance. AG-153 (Control Efficacy Measurement) provides the efficacy metrics included in reports. AG-226 (Independent Audit Challenge Governance) may audit the reporting process itself. AG-228 (Regulatory Horizon Scanning Governance) provides the regulatory change information included in reports.