Should the Board have a Risk Committee?
Deloitte has just published a Risk Committee Resource Guide for Boards*. This seems to be an excellent guide for financial services firms who are required to have a risk committee. Deloitte suggests that companies in other industries should at least consider establishing a risk committee. I agree and suggest a few questions boards and their advisors might consider:
- Does your board have sufficient bandwidth to provide effective oversight of risk management?
- Does your audit committee have time to add risk management (and that’s management of all sources of risk, not just financial) to its agenda, providing quality oversight without detriment to its existing responsibilities?
- If you have several committees (including an IT committee, for example), does it make sense to distribute among them the responsibility for risk oversight of certain areas, with the full board pulling it all together?
- Does your organization have (and if not should it have) a risk management function? To whom should the leader of that function report?
- Have you integrated discussions of risk and strategy, risk and performance, and risk and officer performance? Should you, if not? Should those discussions be held with the full board?
- Does your board include directors with the time and required expertise to support a risk committee? This shouldn’t prevent you from having one, but it might affect the timing of its establishment and whether you need to bring in an outside advisor in the interim to act as a risk management expert.
- What shareholder or other pressure is there to have a risk committee, or otherwise strengthen oversight of risk? (For example, has the organization experienced failures attributable to ineffective risk management?)
What other questions would you ask? Do you have a preference on this topic?
*Some might quarrel with the Deloitte guide because it only uses the COSO ERM Framework language and terms. However, the principles apply whatever your risk framework or standard (I prefer the global ISO 31000:2009 risk management standard but can live with COSO).