New guidance for risk committees
A new publication by the Risk Coalition (a group of organizations in the UK that includes their Institute of Directors, a couple of risk management associations, and the organizations for internal and external auditors) merits our attention.
Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services Sector has some interesting content. For example, it says:
- In financial services the real risk is to take no risks. We are in the business of managing financial risks.
- While the concept of the Three Lines of Defence continues to provoke much academic and professional debate, the Risk Coalition believes the basic principle of requiring independent oversight and challenge of management risk-taking remains sound.
In addition, I like that the guidance talks about ‘risk taking’ instead of simply managing risk. It also defines risk as not purely a negative effect on objectives:
The possibility that events will occur that affect the likely achievement of an organisation’s corporate strategy or strategic objectives. Commonly considered as negative events (downside risk), there may be occasions where risks may be exploited to an organisation’s advantage (upside risk).
Its definition of risk culture is also useful:
The combination of an organisation’s desired ethics, values, behaviours and understanding about risk, both positive and negative, that influences decision-making and risk-taking.
There are some key phrases in its definition of a risk appetite framework (which I highlight):
A key, board-approved framework designed to aid effective management decision-making, risk monitoring and reporting, and through which aggregate risk appetite is translated and cascaded into meaningful, calibrated risk thresholds, limits, metrics and indicators aligned to strategic objectives, and embedded throughout the organisation.
I highlighted these sections because in my experience very few risk appetite statements or frameworks are developed in such a way that they influence risk-taking and decision-making at all levels of the organization. For example, how does an HR manager know how his or her decision on which candidates to present might affect enterprise strategic objectives? How does saying that the organization has no tolerance for compliance or safety failures affect decisions on investments in those areas?
The guidance says is it “evolutionary, not revolutionary” and I must agree.
It provides more clarity to traditional thinking about risk management, but doesn’t suggest how to step up to real value-add activities.
In other words, there’s quite a lot missing!
I set up a risk committee when I was CAE and CRO at Business Objects. The first question that had to be addressed was:
Why do we need a risk committee?
If the answer is that we need one to comply with the expectations of the regulators, then we are unlikely to get the full and enthusiastic support of the management team. The team is focused, as should be the board, on achieving the strategic objectives for the organization – in other words, they are focused on the success of the organization, not just its compliance obligations.
I vividly remember a conversation I had many years ago with a senior executive. He was responsible for the company’s trading desk and told me that he couldn’t spend much time answering my questions because he had to get back to running the business and making money.
We get the executives’ attention and support when they appreciate how what we are doing helps them do both – make money and run the business for success. In time, this executive learned how my team and I could help him do both and he became a huge supporter.
The answer to the question should be that the committee helps the board be assured that management is taking the right risks, seizing opportunities wisely, as a result of informed and intelligent decisions.
The answer should not be limited to any form of blinkered focus on managing the possibility of downside events and situations that ignores the need to weigh ALL the potential things that might happen. In other words, is management weighing ALL the pros and cons before making decisions, or is simply looking at the cons out of context? Even the COSO ERM framework explicitly recognizes that when justified by the opportunity, risk appetites should be exceeded.
So the next question is:
How does the risk committee contribute to success?
I struggle with this myself, in particular the next question:
Why do I need a separate risk committee when strategy and performance are discussed elsewhere?
Separating risk and strategy, or risk and performance management, makes little sense to me – unless your risk committee is there as window-dressing for compliance, rather than helping the organization both protect and create value in its pursuit and achievement of objectives.
I recall a panel discussion at an event years ago in Canada. The CEO of the Hudson Bay Company told us that his board had a Risk and Strategy Committee. I think this is a world-class practice.
So, what do you think? Does it make sense to have a committee that only focuses on the downside? If it is charged with assuring the board that due consideration is given to all the things that might happen during decision-making and risk-taking, how does that work?
I welcome your thoughts.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Love your comment about the Hudson Bay Company approach. At the Australian Institute of Company Directors where we teach people how to be better Directors we do a Strategy session in the morning and a Risk session in the afternoon and a key message is that they play off each other, each is discipline is stronger in the presence of the other.
But then you hit the real world and the compliance mantra driven by news cycles and regulators can put pressure on Directors to lean too far one way. But ultimately the role of the Director has to start making sure the organisation is finding the balance between the two that is the sweet spot for the organsiation.
Great insights as always Norman.
The Hudson Bay approach didn’t help in the Netherlands. Their plans to conquer this new market to them, resulted in big losses and bankruptcy causing them to leave the country. First analyses show they failed to investigate local customs and to chose the right (strategic) position between other department stores. They simply thought that what would work in USA/Canada would also work in the Netherlands. They should have known better as they started in a number of stores that became available after the bankruptcy of a Dutch deparment store V&D that also failed to select the right strategy to attract customers. A perfect example that risk management deals with not only the right objectives / goals but also the right strategy to make it work.
The usefulness of the RMC is it allows all the Risk Owners to provide RMC their input if they are satisfied with the controls currently in place WITHOUT having to consult the immediate superior who could suppress the Risk Owners proposal. This is my experience. Compliance is a sure thing, no company dares to breach a compliance, the CEO in Malaysia (Financial Institutions only) will be called up by the Central Bank.
I presented a need to enhance the available system in the warm site for Business Continuity, CEO not happy incur direct cost, BOD upon hearing the proposal ask to proceed. RMC is useful in this sense.
Para 28 states: 28. In conjunction with the audit committee (as appropriate), review and
advise the board of the results of independent assessments of the adequacy and effectiveness of the organisation’s risk management and internal control systems, including the adequacy and the effectiveness of its risk and compliance functions.
I’m left asking, ‘what’s the real difference between the two committees?’ Reading through the principles, most of them could equally apply to the Board Audit Committee which, in many countries has a statutory responsibility, unlike the Risk Committee. I think there is a splendid opportunity here for ‘buck passing’.