Do you need a risk committee?
A new paper from RIMS (the Risk Management Society) carries the title "Exploring the risk committee advantage". RIMS is an interesting organization. While it has some excellent members (including Carol Fox), when I attended their meetings I was struck by the number of people whose understanding of enterprise-wide risk management is limited. I hope the association continues its strong efforts to educate the many who started as managers of their organization’s insurance function and are now stepping up and leading their organization to an enterprise risk management system.
This new paper is a reasonable discussion of the role of a risk committee. It explains that a risk committee can take multiple forms, from a board-level committee (such as is becoming common in financial services organizations) to a C-suite committee, to an operational risk committee.
Because the paper has taken on these three different topics, it is not possible for the authors to dwell on any of them at any length. Instead, it sensibly suggests that each organization should determine what form of committee would add value in its specific circumstances (and that may mean it has one, two, or all three forms), define its objectives, develop a charter, and so on.
The paper then suggests how the risk officer can make use of these committees and what the officer should be doing to support them.
When I established risk management at Business Objects, the CEO agreed to a C-suite level risk committee. This small group of business leaders helped me ensure that we had a common process and language for risk management and were excellent ambassadors for integrating the management of risk into and across the organization.
But it was always clear that management was responsible for the identification, assessment, and treatment of risk. I was a facilitator, mentor, and so on.
I am not sure that is clear in this paper. I suspect that the authors see more ownership of risk by the CRO than I do.
At Business Objects, we did not have a risk committee of the board. The audit committee oversaw the risk management system, and the full board considered strategies and risks to those strategies together.
Do you have a risk committee (or multiple risk committees)? How well do they work for you?