Do you need a risk committee?

A new paper from RIMS (the Risk Management Society) carries the title Exploring the risk committee advantage. RIMS is an interesting organization. While it has some excellent members (including Carol Fox), when I attended their meetings I was struck by the number of people whose understanding of enterprise-wide risk management is limited. I hope the association continues its strong efforts to educate the many who started as managers of their organization’s insurance function and are now stepping up and leading their organization to an enterprise risk management system.

This new paper is a reasonable discussion of the role of a risk committee. It explains that a risk committee can take multiple forms, from a board-level committee (such as is becoming common in financial services organizations) to a C-suite committee, to an operational risk committee.

Because the paper has taken on these three different topics, it is not possible for the authors to dwell on any of them at any length. Instead, it sensibly suggests that each organization should determine what form of committee would add value in its specific circumstances (and that may mean it has one, two, or all three forms), define its objectives, develop a charter, and so on.

The paper then suggests how the risk officer can make use of these committees and what that officer should be doing to support them.

When I established risk management at Business Objects, the CEO agreed to a C-suite level risk committee. This small group of business leaders helped me ensure that we had a common process and language for risk management and were excellent ambassadors for integrating the management of risk into and across the organization.

But it was always clear that management was responsible for the identification, assessment, and treatment of risk. I was a facilitator, mentor, and so on.

I am not sure that is clear in this paper. I suspect that the authors see more ownership of risk by the CRO than I do.

At Business Objects, we did not have a risk committee of the board. The audit committee oversaw the risk management system, and the full board considered strategies and risks to those strategies together.

Do you have a risk committee (or multiple risk committees)? How well do they work for you?

  1. March 17, 2015 at 11:05 AM

    As a financial institution, we have several risk committees although they are not necessarily named that. We have Loan Committees (two levels) and an Asset/Liability Committee. These are clearly focused on asset portfolio risks. As to operational risks, we have a committee but it only handles the really big picture items like potential strategic dependencies on third party relationships. For operational topics, it clearly falls into the lap of the business unit owners to understand and take reasonable risks. A committee involvement is very challenging in operational risk issues because of the difficulty in setting a threshold for their involvement.

  2. ivi haralambous
    April 14, 2015 at 10:18 PM

    Norman, from your experience of the executive risk committee, was it responsible for critical analysis and approval of specific risk measures? How did you manage to avoid creating a parallel approval structure in addition to normal measure/budget approving structures? Could you share some more info on its responsibilities and what this committee was not? Thanks!! Your response would be much appreciated.

    • Norman Marks
      April 15, 2015 at 6:14 AM

      Ivi, my risk committee provided overall direction and support. It helped me aggregate risk assessments from different parts of the organization (sometimes contradictory assessments of the same source of risk), oversaw risk policies, etc. They did not have a separate budgeting role.

  3. April 27, 2015 at 3:42 AM

    In my healthcare services (hospitals) co., we have two management risk committees – one each for Medical Risks & non-Medical Risks – headed by the clinical director (CRO-M) and CFO (CRO-NM) respectively. The two committees are responsible for identifying, prioritizing and reporting on relevant risks to the Audit Committee of the Board. The process is facilitated by a small Risk Coordination group (mainly supervised by CFO for its process). It’s still early days to gauge success, but the process seems to work to surface the most significant risks and push risk management accountability to unit and functional heads.

  4. June 7, 2015 at 3:13 PM

    That is a very good tip particularly to those fresh to the blogosphere. Brief but very precise info… Appreciate your sharing this one. A must read post!
