Topics:   Audit and Risk,Leadership,Risk Management

February 5, 2019

Roadmap For An Effective Management Risk Committee

Many companies have a management risk committee (MRC) as part of their risk infrastructure. While not part of the board, such committees, made up of the appropriate executives at the company and reporting to the board, nonetheless can contribute to the board’s risk oversight. How can your organization reap the benefits of this added oversight tool and maximize its effectiveness?

Identify the Company’s Needs

Whether organized as a designated or de facto committee, MRCs have increasingly been used in recent years, likely due to the growing complexity of risks inherent to the organization’s strategy and business model and the increasing sophistication of risk management infrastructure. Additionally, the agenda of the executive committee may be too crowded to sufficiently cover these matters and extenuating circumstances may exist (e.g., a history of surprises, substantive improvements required in the company’s risk management capabilities, a critical risk meriting special attention, or a need to strengthen risk culture).

There are several merits to consider when evaluating whether to organize an MRC—for example, ensuring successful implementation of the organization’s approach to enterprise risk management, focusing management attention on specific risk areas (e.g., technology, litigation, or environmental issues), identifying emerging risks, and helping the company anticipate and react to disruptive events and trends. The committee’s deliberations can enhance the risk dialogue in the C-suite and boardroom by sharpening the focus on critical enterprise risks and emerging risks.[1]

When it comes to MRCs, the old cliché of one-size-fits-all does not apply. For example, in financial institutions, commodity-based businesses, or operations with hazardous activities, the MRC may focus on managing specific risks inherent to the enterprise’s business model that either are not managed by the business units or are more effectively managed enterprise wide, consistent with a portfolio view. Other MRCs may focus on the risk management process and assume no overall responsibility for mitigating risks.

Set Expectations

As both the board and executive team can benefit from an effective management risk committee, here are six suggestions for forming and operating such committees:

1. Clarify MRC responsibilities through the charter. The charter should specify the committee’s mission or purpose, membership, duties and responsibilities, authorities (if any), and if necessary, specific activities it is to perform. It should be approved by the executive team and reviewed with the appropriate board committee. As directed by the executive team, the MRC’s responsibilities may include identifying and prioritizing risks; monitoring changes in the external environment for strategic risk implications; periodically assessing the entity’s risk culture, benchmarking peers, and best-of-class organizations; and ensuring the executive team and the board are considering critical enterprise risks. An MRC offers the board an opportunity to periodically review the committee charter to ensure it addresses issues germane to the board’s risk oversight.

2. Include the right people. The committee, depending on its scope, should combine a diverse range of strategic, operational, and functional perspectives. The selection criteria might include experience, knowledge of the business, specialized expertise, and fit. At least one senior executive should be a member (e.g., an executive sponsor). It may make sense for the general counsel and a representative from the disclosure committee to be present. Some companies rotate MRC members to bring a fresh perspective and create risk awareness across the entity. Size is also a factor; too large of a group can inhibit dialogue.

3. Conduct effective meetings. Considerations for meeting frequency include the nature and volatility of the organization’s strategy, operations, and risks, as well as the scope of responsibilities outlined in the committee charter. MRCs can meet quarterly, monthly, or more frequently as necessary, and meeting agendas should be developed by the committee chair with suggestions from committee members. They might include specific risk issues (e.g., drill-downs on risks or evaluations of risk appetite), as well as open discussions of new internal and external developments and other activities. Briefing materials should be provided in advance of each meeting.

4. Focus the group dialogue on what executives and directors may not know. The management risk committee’s real value comes from focused dialogue around what’s new, what’s changing, and the implications regarding emerging opportunities and risks. Heads turn when the committee escalates insights that aren’t on the radar of the organization’s leaders. Meetings should be inclusive so that everyone is engaged. Cluttering meetings with presentations is a mistake—if the right group is assembled, it makes sense to hear what they have to say. While presentations by different risk owners explaining how they are addressing risks for which they are responsible are acceptable, sufficient time should be allowed for discussion and input.

5. Don’t let the committee get stale. Taking too broad of a focus and repeating the same activities can sap the committee’s energy over time. Consider mixing things up and refocusing the committee’s activities depending on the organization’s needs. For example, if the economy is in recession, the focus might be on liquidity and monitoring the impact of cost-cutting and terminations on the risk management process and internal control structure. It is a good idea to revisit the committee’s emphasis periodically—at least annually—given the company’s circumstances and the current business environment.

6. Spot the warning signs of a deteriorating risk culture. The committee should watch for signs of a dysfunctional culture and be sensitive to operating units taking risks recklessly or forgoing attractive market opportunities through risk-averse behavior. A pattern of limits violations, near misses, noncompliance incidents, internal control deficiencies, and foot-dragging on issue remediation are other signs of potential cultural issues that may warrant escalation.

It’s important to note these six points are illustrative and are intended to be neither exhaustive nor prescriptive. The chief executive and executive committee dictate the scope of the management risk committee, delegating responsibilities consistent with the priorities of the business. The board can provide input into this direction.

Jim DeLoach is managing director of Protiviti.

Comments

Jim DeLoach, February 07, 2019

Agree completely, Jay. In effect, the committee needs to ensure that these executives are positioned to succeed. In effect, their work informs the committee's agenda and focus. Thanks for the commentary.

Jay R Taylor, February 06, 2019

Great points, Jim. As an executive who dealt with these committees around the world, the top leader in that region or business unit must display critically important support for the internal audit and risk management execs who serve the group with unvarnished risk and control effectiveness information. Without that respect, success will be unachievable.