Where should risk management be discussed? Full board or a committee of the board?

My good friend, Alexei Sidorenko, recently shared what he considers one of his “controversial thoughts about modern day risk management in non-financial companies”. I recommend his RISK-ACADEMY blog and YouTube channel.

He wrote Why Board Audit Committee is the worst place for risk management and having a separate Board Risk Committee is even worse.

I agree with him to a degree and add that internal audit should report to both the audit committee and any risk committee. Where appropriate, it should attend full board meetings where information from an audit and its effect on enterprise objectives is being discussed.

Here are some key points:

  • Over the last 10 years it became almost dogmatic that risk management effectiveness has to be disclosed at the Board level. It seems to be equally accepted that the full Board is responsible for risk management oversight, which, however, can and often does delegate this oversight responsibility to the Audit Committee. This is in fact so common that many organisations have expanded the Audit Committee mandate to include risk management and renamed them Audit and Risk Committee.
  • According to FRC[1], the audit committee should review related information presented with the financial statements, including the strategic report, and corporate governance statements relating to the audit and to risk management.
  • The audit committee should ensure that the internal audit plan is aligned to the key risks of the business. The audit committee should pay particular attention to the areas in which work of the risk, compliance, finance, internal audit and external audit functions may be aligned or overlapping and oversee these relationships to ensure they are coordinated and operating effectively to avoid duplication. (FRC)
  • If risk management is a decision-making tool (under RM2[2] it sure is), then discussing risks, goals, objectives, performance targets or actual performance separate from risks is insanity. Risk is not a standalone item that needs to be managed (except a few compliance risks, but only because regulators missed the plot and now we all have to pretend compliance risks need to be managed and are not a driver in business decision making); risk is the other side of the performance coin.
  • Business performance is 2-dimensional: reward and risk. How much did we make and how much did it or could’ve cost us (how much risk did we take on to generate the revenue)?
  • Separating the risk conversation from planning, budgeting and performance conversations should stop asap.


I think Alexei is saying this, with which I agree:

  1. The consideration of what might happen (risk and opportunity) is an integral and necessary element in informed and intelligent decision-making. Those decisions include both setting objectives and strategies for achieving them, as well as the tactical and operational decisions made in running the business.
  2. When the board discusses current and future performance, it needs to consider what might happen (information garnered from risk management activities). Discussing strategies and performance at the board level but leaving any thought about what might happen to adversely affect operations and the achievement of objectives to a separate, siloed review by a committee of the board, makes little sense.
  3. Risk and opportunity only make sense when viewed from the perspective of how they might affect the achievement of enterprise objectives. Boards and executives need to manage and direct the enterprise, not a list of risks.
  4. However, the board needs assurance that management has sound processes and systems for understanding and addressing what might happen: its enterprise risk management activities. It is reasonable to delegate oversight of these processes and related activities to a board committee, either risk or audit.

As I said, I think this makes sense.

But what about internal audit?

The traditional approach is to have internal audit report to the audit committee of the board. But what if there is also a risk committee?

I would suggest:

  1. The CAE should report on a solid line to the audit committee, consistent with regulatory guidelines.
  2. The CAE should communicate any issues he or she identifies that might have a significant impact on the business and its ability to achieve its objectives to both the audit and the risk committees, preferably at a joint meeting. The CAE should routinely attend both committee meetings, even when he or she has nothing to report.
  3. Where there is a compliance committee and the CAE identifies related issues, he or she should attend a meeting of that committee and communicate the results. I believe the CAE should be a regular attendee of that committee.
  4. When there are serious issues that merit the attention of the full board, the CAE should attend and participate in the board’s discussion.


What do you think?

[1] The Financial Reporting Council explains that “We regulate auditors, accountants and actuaries, and we set the UK’s Corporate Governance and Stewardship Codes. We promote transparency and integrity in business. Our work is aimed at investors and others who rely on company reports, audit and high-quality risk management.”

[2] Alexei defined RM1 and RM2 in 2018 as “There is risk management 1 – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks) and risk management 2 – risk management for the decision makers inside the company.”

  1. hayestoph
    May 21, 2021 at 12:13 PM

    2 dimensions?
    Is there now a 3rd dimension boards need to consider for “business performance”?
    Thinking about sustainability/the contribution to global sustainability goals.

  2. John Fraser
    May 23, 2021 at 5:25 PM

    The full board is often too busy to do justice to risk management. I have felt that a risk committee consisting of the chairs of the various sub-committees would make sense. When I have discussed this with Chairs, their response usually is that this would make this committee so well informed that non-members would be jealous of their elitism. What is interesting is that while there is usually an audit committee, an HR committee and maybe a safety committee, there are never committees dealing with the biggest areas of risks, e.g. customers, assets and technology….

  3. May 31, 2021 at 1:50 PM

    A few thoughts:
    The 2 dimensions overlap, e.g. the Board is both internal and external. So it should be part of both dimensions. Credit rating agencies have an interest in risk as well as strategies, though unlike the Board they’re not actively involved in decision processes.
    Re the description # 1 of Alexei’s thinking: in (sophisticated) financial organisations and in (commodity) trading houses risk is part of decision making on strategy and operations; ex-post results are evaluated against the amount of risk taken to realise such result. This should be good practice for non-financial organisations also, as it raises awareness and helps improve future decisions.
