How to Report AI Risks to Your Board: Templates and Best Practices

Executive Summary

• Boards need AI risk information that's concise, meaningful, and actionable
• Effective reports balance comprehensiveness with board-level accessibility
• Standard formats enable comparison over time and across organizations
• Reports should answer: What's the risk? What are we doing? Is it working?
• Frequency depends on AI maturity and risk profile—quarterly is typical
• Avoid technical jargon; focus on business implications
• Include recommendations, not just information

Why Board AI Risk Reporting Matters

Boards have fiduciary responsibility for organizational risk. As AI becomes embedded in operations, boards need visibility into AI risk—not the technical details, but the business implications.

Good reporting enables boards to:

• Exercise appropriate oversight
• Ask informed questions
• Support or challenge AI investment decisions
• Fulfill governance responsibilities
• Demonstrate due diligence to regulators and stakeholders

Poor reporting—or no reporting—leaves boards unable to govern AI effectively.

What Boards Need to Know

The Four Key Questions

Every board AI risk report should answer:

1. What AI are we using?

   • Inventory of AI systems
   • Changes since last report
   • Planned additions

2. What are the risks?

   • Current risk posture
   • Key risks and their ratings
   • Changes in risk profile

3. What are we doing about it?

   • Mitigation activities and progress
   • Governance activities
   • Incidents and responses

4. Is it working?

   • Effectiveness of controls
   • Trends over time
   • Outstanding issues

What Boards DON'T Need

• Technical details of AI models
• Exhaustive risk registers (summary is sufficient)
• Jargon-heavy explanations
• Information that can't lead to decisions

Board Report Template

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
        AI RISK REPORT TO THE BOARD
        [Organization Name]
        [Quarter/Year]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

EXECUTIVE SUMMARY

Overall AI Risk Status: [GREEN / YELLOW / RED]

Key Points:
• [Summary bullet 1]
• [Summary bullet 2]
• [Summary bullet 3]

Recommendations for Board:
1. [Recommendation requiring board action]
2. [Recommendation for board awareness]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. AI INVENTORY UPDATE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Current AI Systems: [Number]
New This Quarter: [Number]
Retired This Quarter: [Number]
Planned Next Quarter: [Number]

KEY CHANGES:
• [Notable new AI deployment]
• [Significant AI expansion]
• [Retirement or replacement]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. RISK POSTURE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

RISK SUMMARY

| Risk Level | Count | Trend |
|------------|-------|-------|
| Critical   | X     | ↑/↓/→ |
| High       | X     | ↑/↓/→ |
| Medium     | X     | ↑/↓/→ |
| Low        | X     | ↑/↓/→ |
| TOTAL      | X     |       |

TOP RISKS FOR BOARD ATTENTION:

1. [Risk Name]
   Status: [Rating] - [Trend]
   Description: [One sentence]
   Mitigation: [Status]
   Outlook: [Improving/Stable/Concerning]

2. [Risk Name]
   Status: [Rating] - [Trend]
   Description: [One sentence]
   Mitigation: [Status]
   Outlook: [Improving/Stable/Concerning]

3. [Risk Name]
   Status: [Rating] - [Trend]
   Description: [One sentence]
   Mitigation: [Status]
   Outlook: [Improving/Stable/Concerning]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. GOVERNANCE ACTIVITIES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

AI Governance Committee:
• Meetings held: [X]
• Key decisions: [List]
• Issues escalated: [List or "None"]

Policy Updates:
• [Any policy changes]

Training:
• Completion rate: [X%]
• Notable activities: [Summary]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. INCIDENTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

AI Incidents This Quarter: [X]

INCIDENT SUMMARY (if any):

[Incident 1]
• Date: [X]
• System: [X]
• Impact: [Brief description]
• Status: [Resolved/Ongoing]
• Lessons: [Brief summary]

[If no incidents: "No AI incidents this quarter."]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. COMPLIANCE STATUS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Regulatory Developments:
• [Any relevant regulatory changes]

Compliance Status:
• PDPA: [Compliant/In Progress/Concerns]
• Sector requirements: [Status]
• Internal policy: [Compliance rate]

Upcoming:
• [Any compliance deadlines or changes]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. OUTLOOK AND RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

NEXT QUARTER OUTLOOK:
• [Key expected changes]
• [Emerging risks to monitor]

RECOMMENDATIONS:

For Board Decision:
1. [Item requiring board approval]

For Board Awareness:
2. [Item for information]
3. [Item for information]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Report Prepared By: [Name/Role]
Date: [Date]
Next Report: [Quarter]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Best Practices

1. Keep It Concise

Board time is limited. One to three pages is ideal. Use appendices for detail that members may want but most won't read.

2. Use Consistent Format

Same structure each quarter enables comparison over time. Board members learn where to find information.

3. Lead with Status

Start with the overall status (Red/Yellow/Green) and key points. Board members who read only the first paragraph should get the essential message.

4. Include Trends

Numbers without context mean little. Show direction: increasing, decreasing, stable. Compare to prior quarter.

5. Be Honest About Problems

Boards appreciate candor. Hiding problems undermines trust. Present issues with proposed responses.

6. Make Recommendations

Reports that require decisions should include recommendations. "We recommend the board approve..." is more useful than "The board may wish to consider..."

7. Anticipate Questions

Before presenting, ask: "What questions will board members ask?" Address likely questions proactively.

Reporting Frequency

Trigger-Based Reporting

In addition to scheduled reports, report immediately for:

• Significant AI incidents
• Material regulatory changes
• Major AI deployment decisions
• Emerging risks requiring board attention

Common Mistakes

1. Too Much Technical Detail

Boards don't need to understand how the AI works. They need to understand business risk and implications.

Fix: Describe risks in business terms. Save technical details for appendices or follow-up questions.

2. No Actionable Recommendations

Reports that inform but don't recommend leave boards unsure what to do.

Fix: Include specific recommendations. Be clear whether you need approval, support, or simply awareness.

3. Inconsistent Format

Different format each time makes comparison difficult and frustrates board members.

Fix: Use a standard template. Consistent structure becomes expected.

4. Burying Bad News

Hiding problems or putting them deep in the report undermines trust.

Fix: Lead with status. If there's a problem, address it upfront with your response plan.

5. No Comparative Data

Current risk levels without context are hard to evaluate.

Fix: Show trends and comparisons to prior periods.

Checklist: Board AI Risk Report

Preparation

• Data gathered from AI governance committee
• Risk register reviewed for changes
• Incidents documented
• Compliance status confirmed
• Trends analyzed

Content

• Executive summary with status
• AI inventory update
• Risk summary with top risks
• Governance activities
• Incidents (if any)
• Compliance status
• Recommendations

Review

• Language appropriate for board level
• Technical jargon minimized
• Recommendations clear and actionable
• Questions anticipated and addressed
• Format consistent with prior reports

Next Steps

Establish regular AI risk reporting if you haven't already. Use the template as a starting point and adapt to your board's needs and preferences.

Book an AI Readiness Audit with Pertama Partners for help establishing governance and reporting frameworks.

Related Reading

• [AI Risk Register Template]
• [10 AI Risks Every Executive Should Understand]
• [AI Investment Prioritization]

Structuring Effective Board AI Risk Reports

Board-level AI risk reports should communicate complex technical risk information in formats accessible to non-technical directors while providing sufficient detail for informed oversight decisions. Use a consistent reporting structure that includes a one-page executive summary with traffic light risk indicators, a dashboard showing risk trends over time across key AI risk categories, detailed analysis of new or escalating risks with specific mitigation actions and timelines, and an appendix containing supporting data for directors who want deeper technical context.

Connecting AI Risk to Business Strategy

Board members engage more effectively with AI risk reporting when risks are framed in terms of their potential business impact rather than their technical characteristics. Instead of reporting that a model shows 8 percent accuracy degradation, frame the risk as a projected 15 percent increase in customer complaint rates that could affect renewal revenue. This business impact framing helps directors understand the materiality of AI risks and make informed resource allocation decisions for risk mitigation investments.

Establishing a Regular Reporting Cadence

Boards should receive AI risk reports at a frequency that matches the pace of AI deployment within the organization and the materiality of AI-related risks to the business. Quarterly reporting is appropriate for most organizations, with supplementary ad-hoc reports triggered by significant risk events such as AI-related regulatory actions, material model failures, or data breaches involving AI systems. Between formal reports, the board AI risk committee chair should receive monthly briefings to maintain ongoing awareness without requiring full board attention for routine updates.

Boards should also request benchmarking data comparing the organization's AI risk profile against industry peers and regulatory expectations. This external benchmarking provides context for evaluating whether the organization's AI risk levels are appropriate given its industry position, regulatory environment, and strategic ambitions. External comparisons help boards distinguish between AI risks that reflect industry-standard deployment practices and risks that indicate governance gaps requiring remediation investment.

Effective risk reporting templates should include forward-looking risk scenarios that help board members understand emerging AI risks before they materialize. Scenario analysis sections presenting hypothetical but plausible AI risk events along with their potential business impacts and recommended preparedness measures enable proactive governance rather than reactive incident response. Updating scenarios quarterly based on evolving AI landscape developments keeps board risk awareness current and actionable.

How Board AI Risk Reporting Differs From Cybersecurity Reporting

While AI risk reporting shares characteristics with cybersecurity board reporting, several distinctions require different templates and approaches. Cybersecurity risks are primarily technical and defensive: protecting systems from external threats. AI risks span technical, ethical, legal, and reputational dimensions simultaneously: a single biased hiring algorithm creates technical debt, discrimination liability, regulatory penalties, and brand damage across four distinct board-level concern categories. AI risk reports must therefore integrate perspectives from CTO, General Counsel, Chief Ethics Officer, and Chief Risk Officer rather than flowing primarily through the CISO reporting channel used for cybersecurity matters.

What Boards Are Asking About AI in 2026 That They Weren't in 2024

Board AI questions have shifted from exploratory ("should we invest in AI?") to accountability-focused. Common 2026 board questions include: what percentage of customer-facing decisions involve algorithmic input, what liability exposure exists if our AI systems produce discriminatory outcomes, and how does our AI governance compare to competitors and regulatory benchmarks? Reports that anticipate and proactively address these questions demonstrate management competence and reduce the likelihood of ad-hoc information requests that consume disproportionate executive preparation time.

Practical Next Steps

To put these insights into practice for report ai risks to your board, consider the following action items:

• Establish a cross-functional governance committee with clear decision-making authority and regular review cadences.
• Document your current governance processes and identify gaps against regulatory requirements in your operating markets.
• Create standardized templates for governance reviews, approval workflows, and compliance documentation.
• Schedule quarterly governance assessments to ensure your framework evolves alongside regulatory and organizational changes.
• Build internal governance capabilities through targeted training programs for stakeholders across different business functions.

Effective governance structures require deliberate investment in organizational alignment, executive accountability, and transparent reporting mechanisms. Without these foundational elements, governance frameworks remain theoretical documents rather than living operational systems.