By Jim DeLoach – Managing Director, Protiviti
Most directors and governance authorities agree that the full board should retain overall responsibility for risk oversight, mirroring its overall responsibility for strategy.
In the absence of statutory requirements to the contrary, the board has the flexibility to organise itself for risk oversight as it sees fit, given its company’s size, structure, complexity and risk profile, as well as the composition and structure of the board itself.
The Dodd-Frank legislation in the US requires a separate risk committee consisting of independent directors for certain publicly traded bank holding companies. Over the years, we have seen a ‘trickle-down effect’ of this approach to other companies, particularly those with complex environments shaped by the nature of their industry, risks inherent in their strategy and business model and the sophistication of their risk management infrastructure. When the collective agendas of the full board and its standing committees are too packed to give risk oversight sufficient attention, directors may choose to form a focussed risk committee.
Making a board risk committee effective
When a separate risk committee is established, the question arises as to how to make it effective. The following are some suggestions:
1. Evaluate committee composition and service terms
Select independent directors with the requisite qualifications to oversee the enterprise’s risks. Consider whether a ‘risk expert’ should serve on the committee – i.e. someone with a background in risk management or oversight relevant to the nature of the organisation’s operations, a role analogous to the audit committee financial expert. In defining the terms of service for members and the committee chair, note that for the sake of continuity term limits may not be desirable. The committee chair may be rotated, appointed or reappointed by the board chair, or elected by majority committee vote.
2. Ensure risk is integrated with strategy-setting and business planning
Evaluate whether appropriate risks are taken in creating value and challenge management’s assumptions underlying key strategies and decisions. Understand the company’s risk management infrastructure and capabilities and assess their alignment with management’s strategy and risk appetite, both overall and by line of business.
3. Oversee and position the risk management organisation for success
Approve company-wide policies with respect to risk assessment and risk management practices. If there is a chief risk officer (or equivalent executive), review his or her appointment and performance in consultation with the full board; ensure he or she has sufficient stature, authority and independence within the organisation; and oversee his or her activities through ongoing communications, risk reporting and periodic executive sessions. Periodically inquire as to the adequacy of resources allocated to risk management.
4. Oversee risk reporting and monitoring
Ascertain whether management is identifying, prioritising and monitoring the appropriate types, levels and concentrations of risk, both by line of business and enterprise-wide. Ensure risk reporting is responsive to the needs of the committee and the board and is focussed on the critical enterprise risks and emerging risks, as well as the response strategies for addressing them.
5. Advise management on critical risk matters on a timely basis
Review the results of enterprise-wide risk assessments, including the identification and reporting of critical enterprise and emerging risks (the risks that matter). Engage management in an ongoing risk appetite dialogue as conditions and circumstances change and new opportunities arise. Review crisis management plans to ensure management has in place actionable response plans to address key risks, including plausible and extreme scenarios.
6. Influence risk culture
In cooperation with the compensation committee, watch for behaviour that could undermine risk management effectiveness, such as compensation incentives that may encourage inappropriate risk-taking. Oversee communications about escalating risks on a timely basis and pay attention to the warning signs of a dysfunctional culture. Oversee remediation of issues to ensure they are addressed in a timely manner (e.g. limits violations, near misses, noncompliance, control deficiencies, etc).
7. Coordinate risk oversight with other board committees
As the board’s various standing committees typically address risks germane to their respective chartered responsibilities, coordinate with these committees to avoid gaps and overlaps in the board’s overall risk oversight process and identify risk interdependencies warranting consideration. For example, the audit committee may focus on compliance risk and certain technology risks; therefore, the scope of the risk committee’s oversight should consider that coverage and coordination undertaken with the audit committee to ensure the organisation’s internal audit plan addresses the key risks.
8. Report to the full board at least annually
Present the committee’s appraisal of the company’s risk management programme, along with any deficiencies noted and input from the other board committees. Establish criteria for risk reporting to the board and recommend for board approval. Review the charter at least annually and update it as needed to respond to changing risk profiles, oversight priorities, and regulatory or other requirements, and submit it for approval to the board. Review disclosures in public reports related to risk and board risk oversight and provide input to the board and audit committee.
9. Consult external experts as necessary
Obtain outside advice regarding risk-related matters and when conducting investigations into any matters within the committee’s scope of responsibility.
10. Align meeting activities with chartered responsibilities
Monitor the committee’s activities against the various responsibilities outlined in the charter (general counsel can help with this). It is important that the committee fulfils the terms of its charter. To that end, meeting frequency should be driven by the nature and volatility of the organisation’s strategy, operations and risks.
Making a management risk committee effective
When management sees fit to form a management risk committee, another question arises: what makes that committee function effectively in relation to the board’s oversight?
Whether organised in the form of a designated management risk committee (MRC) or a de facto risk committee, the use of MRCs has increased over the years. This increase is likely due to the growing complexity of risks inherent in the organisation’s strategy and business model and increasing sophistication of risk management infrastructure. The CEO’s executive committee agenda may be too crowded to cover certain risk matters sufficiently. Extenuating circumstances – e.g. a history of unexpected surprises, substantive improvements required in risk management capabilities, a critical risk meriting special attention and/or a need to strengthen risk culture – may also be a contributing factor.
Formed by senior management, an MRC sometimes focusses on managing specific risks inherent in the enterprise’s strategy that either are not managed by the business units or are more effectively managed enterprise-wide by a central risk unit. With support-staff assistance and in cooperation with the business units, the MRC evaluates, pools, reduces, transfers and exploits the risks for which it is accountable. It may even have veto and/or escalatory authority with respect to certain business activities and may share responsibility for managing specific risks with the business units. Other MRCs may have less authority and be more focussed on the risk management process, with no day-to-day responsibility for mitigating risks. If there is a chief risk officer (or equivalent executive), he or she may support and even chair the committee.
There is no standard one-size-fits-all model. MRCs are more commonly found in financial institutions, commodity-based businesses or operations with hazardous activities, where management of certain risks must be executed skilfully within the company’s risk appetite and established risk tolerances. These risks may include interest rate risk; currency risk; commodity price risk; credit risk; catastrophic risk; or health, safety and environmental risk.
Functioning under the auspices of the CEO and/or executive committee, the MRC assesses and monitors the organisation’s internal and external environment and provides insights and recommendations to executive, operational and functional leaders, all in the spirit of improving the company’s risk management capabilities continuously as the business environment changes.
Both the board and executive team can benefit from an effective MRC. The following are some suggestions for creating and operating this committee:
1. Use the MRC charter to clarify responsibilities
Use the charter to articulate the committee’s mission or purpose, membership, duties and responsibilities, and authorities (if any), and, to the extent necessary, specific activities the committee is to perform. It should be approved by the executive team and reviewed with the appropriate committee of the board.
2. Gain CEO and executive team support
Don’t leave home without it.
3. Consider the appropriate committee composition
Seek a diverse range of strategic, operational and functional perspectives and experience as well as knowledge of the business. At least one senior executive should be a member (i.e. an executive sponsor).
4. Keep it manageable
Avoid too large a group, as it inhibits discussion. Manage the numbers by designating ex officio members who contribute when they have fresh insights to offer – e.g. it may make sense for the general counsel and a representative from the disclosure committee to be present from time to time.
5. Meeting frequency should match the risk profile
Meet quarterly, monthly or more frequently, considering the nature and volatility of the organisation’s strategy, operations and risks as well as the responsibilities outlined in the charter.
6. Conform the committee’s activities to specs
Align meeting agendas with the requirements of the charter and suggestions from committee members and executive management. Agendas might include specific risk issues (e.g. drill-downs on specific risks or evaluation of risk appetite), as well as open discussions of emerging internal and external developments.
7. Meetings should be inclusive
Make sure everyone is engaged. While presentations by risk owners explaining how they are addressing risks for which they are responsible are appropriate, sufficient time should be allowed for discussion and input. Provide briefing materials in advance of each regularly scheduled meeting.
8. Don’t let the committee get stale
Consider mixing things up and refreshing the focus, depending on the organisation’s current needs. When attendance declines or senior personnel who are supposed to attend start sending delegates, it’s a clear sign something is wrong. Too broad a focus and doing the same things over time sap energy, engagement and enthusiasm.
9. Focus dialogue on what executives and directors may not know
The MRC’s value primarily comes from focussed dialogue around what’s new and what’s changing and the implications in terms of emerging opportunities and risks. Heads turn when the committee escalates insights and issues that aren’t on the radar of the organisation’s leaders.
10. Spot the warning signs of a deteriorating risk culture
The committee should watch out for signs of a dysfunctional culture and be sensitive to operating units engaging in unethical or irresponsible business behaviour or foregoing attractive market opportunities through risk-averse thinking. A pattern of limits violations, near misses, noncompliance incidents, internal control deficiencies and foot-dragging on remediation of issues is a sign of potential cultural issues that warrant escalation.
MRCs often facilitate the board’s risk oversight. The CEO and the executive committee dictate the MRC’s scope, delegating responsibilities consistent with business priorities. The board provides input into this direction and approves the MRC charter to ensure the committee’s activities are adequate to inform the board’s risk oversight.
The above points are illustrative and are intended to be neither exhaustive nor prescriptive. This article is also not intended to suggest that every board must have a risk committee and every company must have an MRC. Directors and senior management must decide how best to oversee and manage risks, and a risk committee is but one tool to consider.
About the Author:
Jim DeLoach is a managing director and member of the Protiviti leadership team, and has 45 years’ experience assisting companies with integrating risk management with strategy setting, business planning and performance management. He served on the COSO Advisory Council contributing to the development of the Enterprise Risk Management – Integrated Framework and on the COSO Project on Monitoring. Author of several books and numerous articles on risk management, Jim was named one of Consulting magazine’s Top 25 Consultants (2011) and named to the NACD Directorship 100 list (2012-2018), recognizing him as one of the 100 most influential governance professionals in the boardroom community.
1. A de facto risk committee may exist through a subcommittee of the executive committee or an equivalent group with a name other than ‘management risk committee’.
2. According to The State of Risk Oversight: An Overview of Enterprise Risk Management Practices by Mark Beasley, Bruce Branson and Bonnie Hancock (March 2017), in the United States, 80 per cent of the largest organisations (greater than $1 billion in revenue) and 83 per cent of public companies had a management risk committee in 2016. Usage of these committees since 2014 increased across all types of organisations and specifically for the largest organisations and public companies by 17.6 per cent and 18.6 per cent, respectively. Since 2009, usage increased dramatically (by 164 per cent) for all organisations.