
A management risk committee

February 17, 2019

A couple of weeks ago, Jim DeLoach shared his views on effective [management] risk committees. I pretty much agree with what he had to say in NACD’s BoardTalk.

This, plus a question from a follower of this blog on the same topic, had me searching for the charter of the risk committee I established, with the strong support of the CEO, at Business Objects. Unfortunately, I couldn’t find it. But I can share some of the principles under which it operated.

The four members were all direct reports to the CEO, and I served as staff and advisor. They included the executive vice presidents responsible for Product Development and Marketing (chair), plus the CFO and general counsel.

The committee was responsible for oversight of management’s processes and policies around the management of risk. This included being evangelists for the consideration of ‘what might happen’ in all major decisions of the business.

We spent most of our time working to reach a consensus on the major risks and opportunities that might affect the company’s objectives. The members each represented a very different segment of our business operations and it took their collective insights to see the big picture.

But the full executive committee, led actively by the CEO, would then consider the assessments made by the risk committee. In fact, in some respects the executive committee was the risk committee.

In any event, the committee did not last very long for the simple reason that the company was acquired by SAP.


How does your risk committee function?

Why does it exist?

What value does it deliver?

How does it integrate with discussions on strategy and performance?

  1. February 17, 2019 at 6:22 PM

    Has been available on RISK-ACADEMY website for a free download for over 5 years )) https://risk-academy.ru/download/risk-management-committee/

  2. msfedorov
    February 17, 2019 at 8:37 PM

    In my experience, an RMC is a redundant committee unless the very specifics of a business require its presence (like banks or training organizations). For the rest, if the standard bodies (Board, Executive Committee and the rest) perform well, they can consider any risk within their duties.

  3. Jim DeLoach
    February 17, 2019 at 10:34 PM

    msfedorov is correct that risk committees are common in financial services, but they also exist in commodity-based businesses or operations with hazardous activities. In addition, they exist in other entities to address certain situations and objectives. Protiviti issued a Board Perspectives on this topic for those who are not NACD subscribers. Available at https://www.protiviti.com/US-en/insights/bpro112, this issue elaborates a bit on the topic raised by msfedorov.

  4. February 18, 2019 at 7:31 AM

    In my experience, the issue is less whether there is a formal executive/management risk committee, and more about ensuring there is the space (=time and mindset) on the C-suite agenda to give risk, taken broadly, the appropriate attention.

    Sometimes the best way to get there is a committee, with charter, calendar/schedule, etc. That’s what works in some companies to telegraph the need for focused attention, to frame the objectives and set the stage for the right discussion, esp. when the same people are likely to interact in a very different form of dialogue in other instances they meet (e.g. a highly metric-achievement driven organization, or one that prides itself in quickly and pragmatically making decisions and then going into “execution mode” – all good things, but they can be at odds with thoughtful what-if/how-might-we-be-wrong discussion).

    Other times a “committee” whose membership would perhaps cover 80% of the exec committee anyway would be a needless formalism, something whose mere existence would feel bureaucratic. A regular agenda item for C-suite discussions, seeded with the right questions to provoke the right mindset, is then more effective. This is in line with msfedorov’s redundancy point.

    In any case, agree wholeheartedly with the objectives of the discussion as Norman writes in his post.

  5. Jim DeLoach
    February 18, 2019 at 12:06 PM

    Nice comment, Martin. Agree completely that a committee which covers a high percentage of the executive committee is clearly redundant. The model I see in practice often deploys a member of the executive team as an “executive sponsor” and often as chair. I refer to this point in both the NACD blog Norman references and the Board Perspectives issue I reference in my earlier comment. That way, the committee’s focus can be directed to obtaining input from operational and functional leaders on emerging risk issues of interest to the executive team.

  6. Kayalethu Lonwabo Kwinana
    February 21, 2019 at 6:24 PM

    Just a few remarks about risk management committees …

    When an organisation has a risk management committee, that, to me, is a clear indication that it has inadequate internal control.

    The claimed justification is the provision of oversight. If internal control were adequate, every unit would be getting that from two levels higher up to that specific unit.

    Then it is claimed it spends most of its time “working to reach a consensus on the major risks and opportunities that might affect the company’s objectives.” If internal control were adequate, this would be happening at every unit (including those of the C-suite) focusing on risks to that unit’s objectives.

    Also, such concepts (major risks, high risks, top “whatever” risks) are meaningless in an internal control context. It is the significance of risks which matters but then again, how significance is determined is either flawed or not a priority to the risk management committee.

    Risk management committee practices undermine internal control in an organisation. For example, no one should ever decide on which risks should be addressed and which not other than the specific objective setter. The committee does this anyway.

    Individual responsibility normally fostered by internal control and residing with individual managers throughout the (length and breadth and depth of) organisation is replaced by a collective responsibility (C-suite or closer there) which is meaningless on the one hand and is a hiding place on the other.

    The existence of risk management committees also undermines internal auditing or shows it to be incompetent. If this were not so, why would there be a need for a standing forum to discuss and decide on a process owner’s objectives and risks thereto? To make it even worse, this is mostly in the absence of both objective setter and process owner!
