
Should the Board have a Risk Committee?

February 3, 2012

Deloitte has just published a Risk Committee Resource Guide for Boards*. It appears to be an excellent guide for financial services firms, which are required to have a risk committee. Deloitte suggests that companies in other industries should at least consider establishing a risk committee. I agree, and suggest a few questions boards and their advisors might consider:

  • Does your board have sufficient bandwidth to provide effective oversight of risk management?
  • Does your audit committee have time to add risk management (and that’s management of all sources of risk, not just financial) to its agenda, providing quality oversight without detriment to its existing responsibilities?
  • If you have several committees (including an IT committee, for example) does it make sense to distribute among them the responsibility for risk oversight of certain areas with the full board pulling it all together?
  • Does your organization have (and if not should it have) a risk management function? To whom should the leader of that function report?
  • Have you integrated discussions of risk and strategy, risk and performance, and risk and officer performance? Should you, if not? Should those discussions be held with the full board?
  • Does your board include directors with the time and required expertise to support a risk committee? This shouldn’t prevent you from having one, but it might affect the timing of its establishment and whether you need to bring an outside advisor in the interim to perform as a risk management expert.
  • What shareholder or other pressure is there to have a risk committee, or otherwise strengthen oversight of risk? (For example, has the organization experienced failures attributable to ineffective risk management?)

What other questions would you ask? Do you have a preference on this topic?


*Some might quarrel with the Deloitte guide because it only uses the COSO ERM Framework language and terms. However, the principles apply whatever your risk framework or standard (I prefer the global ISO 31000:2009 risk management standard but can live with COSO).

  1. Andrei
    February 4, 2012 at 12:42 AM

    Norman, I didn’t yet go through the Deloitte publication but I am sure it is very useful. With regards to the questions above I have some small comments/additional questions:

    – You ask if the Audit Committee should add risk management to its agenda. Would this be an alternative to setting up a new Board Risk Committee? The Basel 2 SREP guidance issued by CEBS (now EBA) requires that the three primary functions of internal audit, risk management and compliance must be independent functions in the Internal Control System of financial institutions. Their independence has two dimensions: independence from the areas/functions that they monitor & control, and independence from each other. Consequently, Internal Audit cannot take over the risk management role that a dedicated Risk Committee would cover.

    – You also raise the question of the risk management function, and to whom it should report. I am focusing on banks at this point. In addition to the above bullet point, the independence of the risk management function (in the same guidance) is seen as effective if the head of function reports to a Bank Director who has no responsibility for overseeing the activities that are to be monitored & controlled by risk management. As such, if the head of the risk management function is subordinated to a Director who is covering areas/functions that are in the scope of the risk management function’s monitoring/control role, you will need to take his reporting line higher in the organization. I think that, similar to the way the Chief Audit Executive should have a functional reporting line to the Board and an administrative reporting line to the CEO/Senior Management (see internal auditing standards), the organization of the risk management function should replicate that by having a functional reporting line to the Board (or to its newly created Risk Committee) and an administrative one to the CEO/Senior Management.

  2. Norman Marks
    February 4, 2012 at 8:31 AM

    Andrei, thank you for your comments. The Basel requirements only apply to banks, and I was intending to provide a set of questions that can be considered when there is no legal requirement for a separate risk committee of the board. As for the audit committee, that is a committee of the board and many companies are adding risk to its agenda; this is not the same as saying that the internal audit function should also be responsible for risk management.

  3. Patrick Bowles
    February 4, 2012 at 1:48 PM

    Many Boards have risk committees, but this should not be confused with the notion that risk management has been implemented by the CEO and is actually working within the organization. In general, CEOs have a poor record in working with risk management, as evidenced by banking (reference UBS) and financial services failures. There is a certain amount of window dressing by boards to satisfy investors’ interests, but in reality that is all it is. On the other hand, if you want to see a fully-fledged risk management program, look at the Macquarie Group. Their 2011 Annual Report (pages 56 to 72) outlines in considerable detail the processes used to implement a risk governance strategy, and I anticipate that over time Macquarie, in line with other institutional investors, will require annual reports from the organizations they invest in on the management of risk.

  4. February 6, 2012 at 11:14 AM

    To have one or not to have one… reminds me of the famous line. The question is moot unless the committee you have will be given the authority to make the decisions that are necessary and have those decisions followed. I served at the pleasure of the Risk Control Committee for the 2nd largest JPA in the United States. When the Committee was given the authority by the Exec Board and top brass, the Committee and the program flourished. When tides changed and the Committee was not seen as valuable, the programs suffered and good people moved on.

    At the end of the day, you have to ask yourself why you want the Committee and whether you are going to listen to their expert opinions. If the answer is yes, then move forward.

    On to Norman’s question of what additional questions to ask – here we go:

    • Does the Committee have the expertise and skill set to oversee the issues they are faced with?
    • Do they have the respect of those that they will advise?
    • Are they completely unbiased, or are strings attached to their seats?

  5. February 10, 2012 at 10:13 PM

    There is an interesting piece of research by Independent Audit on behalf of the ICAEW in 2010 that argues that the creation of a risk committee can turn risk management more into a compliance activity that becomes divorced from a properly embedded and owned activity at the executive and board levels. This was why this was not mandated in the UK, apart from banks, where the workload argument was felt to outweigh the issues with a split.

    In addition, the Walker Report in the UK has a section on board behaviour, written by a good colleague of mine, Mannie Sher, along with Alison Gill, that emphasises the impact on board dynamics when there are more committees. The danger is that additional committees have their own problems, for example how to integrate what is said in the risk committee back into the board, treading a line between duplication and gaps. Beyond that, a strong risk committee may, paradoxically, push an organisation towards becoming risk averse, which is a risk in its own right!

    February 14, 2012 at 4:49 AM

    Put the issue of whether a company needs a risk committee or not aside for a moment. The germane question should be “what responsibilities does the Board have to help lead the company in managing its business risks?” I believe that these are the responsibilities:

    • In the setting of business objectives – too low a target and there will be excess capacity; too high a target and the resulting risks to achieve it will readily become apparent
    • In both the commitment and the mandate that the organization have a system of risk management – this is a formal top-down directive containing a number of different directives
    • In establishing the risk criteria/risk appetite of the company
    • In ensuring that they receive a comprehensive summation of the company’s business risk portfolio, in prioritized fashion, on a regular basis, and ask whatever questions are necessary to establish that the document is what it purports to be
    • In ensuring that the risks do not exceed the risk criteria/risk appetite of the company and, if for whatever reason they do, sounding the alarm bells if these have not already been sounded
    • Ensuring that there is a comprehensive independent review of the risk management system by a qualified group of individuals, which ideally could be the internal auditors, provided they have the experience and qualifications to do so
    • Ensuring that the Board performs its own 360° feedback and also commissions an independent outside review of Board performance in all of the above duties

    In terms of whether an independent risk committee is needed, as stated above, that is secondary. Small to mid-sized companies will be unable to afford this. Larger ones could, but in the end analysis you need to know precisely what you are doing, because a separate committee has now created a separate silo, and we know what problems silos cause, don’t we?

    In summary, stay focused first on making sure that the duties are clear, and then worry about the separate committees.
