Tag Archive: Risk committee

Should Boards Have a Separate Risk Committee?

Published by
Jim DeLoach

Among many other duties, the board is tasked with ensuring that a process is in place for managing the significant risks facing the organization and that those processes are continuously improved as the business environment changes. While the full board retains overall responsibility for risk oversight, there are several ways to think about how this process is organized.

Key Considerations 

One approach is for the full board to coordinate the scope and accountabilities of risk oversight, assigning certain responsibilities to the various standing committees. The full board receives reports from management and each committee regarding the status of critical risks and recommendations for risk-related considerations to place on the full board’s agenda.

A second approach is for the board to delegate its overall responsibility to a standing committee. For many boards, the audit committee may be the default option because the New York Stock Exchange listing standards require that the audit committee charter for listed companies include the committee’s duties and responsibilities to discuss risk assessment and risk management policies. For that reason, the audit committee often has the most involvement in the board’s risk oversight process, either overall or related to specific risks germane to its prescribed activities.

A third approach is for the full board to delegate its overall responsibility to a designated risk committee of the board to oversee risks specifically outlined in the committee’s charter. These risks will vary widely based on the nature of the industry and the complexity of the organization’s risk profile, requiring focused expertise to provide appropriate oversight. Among other things, a designated risk committee might oversee the company’s risk management framework, management’s determination of critical risks and risk management capabilities, and periodically report risk oversight findings to the full board.

There are several compelling reasons for creating a separate risk committee. First, the business environment is increasingly complex. Second, the collective agendas of the full board and the various standing committees may be too packed to give risk oversight sufficient attention, and the audit committee may either be too focused on financial reporting or lack the requisite expertise to be a satisfactory solution.

There are also considerable benefits. A dedicated committee creates an opportunity to concentrate risk management experience in one group, and by extension to anticipate and react more effectively to events and trends that could lead to disruptive change, while keeping a stronger focus on specific critical enterprise risks, such as cybersecurity, litigation, and environmental issues.

There may, however, be arguments against a separate risk committee. For example, risk oversight is an overall board responsibility that must be embedded in—and not segregated from—board discussions regarding strategy, policy, execution and reporting. Various board committees naturally address risk through their respective chartered activities. Therefore, a separate risk committee might contribute to confusion over where the responsibilities of one committee end and others begin, leading to possible gaps and overlaps. Another consideration is that the board cannot be certain in advance whether a risk committee will accomplish its intended objectives.

If the board decides to form a separate risk committee, it must then define the committee’s role. There is no one-size-fits-all standard, so each board must make this determination based on the organization’s circumstances. The board should keep the following responsibility areas in mind when defining the risk committee’s charter:

  • Ensuring risk is appropriately considered in strategy-setting and business planning. Evaluate whether appropriate risks are taken in the pursuit of value creation and challenge management’s assumptions underlying key decisions and strategies. Provide input to management regarding the enterprise’s risk appetite and risk tolerances and limit structures, both overall and by line of business.
  • Overseeing monitoring of the organization’s risk profile. Ascertain whether management is identifying, assessing, and monitoring the types, levels, and concentrations of risk, both by line of business and enterprise-wide. Ensure that the risk profile remains within the company’s risk appetite and that there is a process for identifying emerging risks. Discuss the critical enterprise risks and emerging risks with management, and understand the response strategies for addressing them.
  • Overseeing the risk management organization. Approve companywide policies with respect to risk assessment and risk management practices. If there is a management risk committee, approve its charter to ensure that the committee’s activities are in accordance with expectations and are adequately informing the board. If there is a chief risk officer (CRO) or equivalent executive, review his/her appointment, performance, and replacement in consultation with the full board; ensure he/she has sufficient stature, authority and independence within the organization; and oversee his/her activities through ongoing communications and risk reporting and periodic executive sessions.
  • Overseeing management’s implementation of risk responses. Understand and approve the organization’s risk management infrastructure and program, and oversee whether the critical risks are being effectively managed within established risk tolerances. Ensure that management has actionable response plans in place to address potentially disruptive risks. Understand, provide input, and approve the risk reports the committee receives from management in discharging the scope of its risk oversight responsibilities.
  • Influencing risk culture. Promote an open and positive risk culture such that personnel at all levels of the organization manage risks rather than take them recklessly or avoid them altogether. Oversee communications about escalating risks on a timely basis, and pay attention to the warning signs of a dysfunctional culture. Oversee remediation of issues such as violations of risk limits, policy noncompliance, and control deficiencies and ensure issues are addressed in a timely manner.
  • Reporting to and advising the full board, and coordinating risk oversight with other board committees. Advise the board on risk strategy, and ensure that the board’s risk oversight is focused on critical enterprise risks and emerging risks. Annually present to the full board a report summarizing the committee’s review of the company’s risk management program, including deficiencies noted. Recognize the responsibilities delegated to other board committees and coordinate with these committees to avoid gaps and overlaps in the board’s overall risk oversight process. Coordinate with the audit committee to understand how the organization’s internal audit plan is aligned with its key risks. Establish criteria for risk reporting to the board, and recommend the same for board approval. Review the charter at least annually and update it to respond to changing risk profiles, oversight priorities, and regulatory or other requirements; and submit the charter to the full board for approval. Review risk-related disclosures in public reports, and provide input to the board and audit committee.
  • Consulting external experts as necessary. Obtain expert advice regarding risk-related matters. When conducting investigations into any matters within the committee’s scope of responsibility, obtain advice and assistance from outside advisers as necessary.

Once the board decides the risk committee’s duties, it must then determine who will sit on the committee and set meeting agendas. With respect to composition, boards should:

  • Consider whether committee membership should consist primarily of independent directors.
  • Determine the experience and skills necessary for an effective risk committee member. Hopefully, some directors currently serving on the board will meet these requirements. If not, make sure candidates have the right “fit” in terms of personality, team orientation, and leadership and communication skills, so they can effectively work with other committee members, the full board and management. In addition, consider how the organization can attract, cultivate, and retain committee members.
  • Consider whether a “risk expert”—someone with a background in risk management or oversight relevant to the nature of the organization’s operations—should serve on the committee.
  • When defining the terms of service, note that term limits may not be desirable because of the need for continuity and the limited pool of candidates. When selecting the committee chair, note that the position may be filled by rotation; by appointment or reappointment by the full board chair; by majority vote of the committee; or by other means.

Meeting agendas might include specific risk issues (e.g., risk responses or evaluation of risk appetite) and other activities (e.g., risk committee education). Agendas should be developed based on suggestions from committee members and approved by the committee chair. The risk committee calendar should be aligned with the respective calendars of the audit, compensation and other committees so that activities and resources are coordinated. Briefing materials should be provided in advance of each regularly scheduled meeting, which should begin or conclude with an executive session. The committee should meet periodically with executive management, line of business leaders, the CRO (or equivalent executive) and the chief audit executive.

Questions for Boards

The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations.

If there is a separate risk committee of the board:

  • Does the committee have access to the company executives, resources, and information it needs to carry out its oversight responsibilities? Does it include a risk expert?
  • How will the board ensure that the committee chair, the committee itself and its individual members are evaluated?
  • Is the committee adequately funded? Does it have access to outside experts? Have risk oversight responsibilities been delineated (i.e., which risks will the risk committee oversee, and which risks will be left to other board committees to oversee)?
  • If there is a CRO (or equivalent executive) and/or a management risk committee, does the board committee have sufficient transparency into their activities?
  • Is the committee fulfilling its chartered responsibilities?

Jim DeLoach is a managing director with Protiviti, a global consulting firm.

How Boards Can Strengthen the Risk Oversight Dialogue With Management

This spring, members of the NACD Advisory Council on Risk Oversight convened in Washington, D.C., to discuss how boards can strengthen their dialogue with management on risk oversight. Participants, including Michael Hofmann, the former chief risk officer of Koch Industries and current director of Calpine, shared experiences, lessons learned, and effective approaches for embedding risk in board-level strategy dialogue. From that discussion, detailed in the meeting’s Summary of Proceedings, delegates identified steps directors can take. They include:

  • Establish a clear definition of what “risk” means at the company: For management and the board to work together, they need to establish a shared definition of what risk means to the company.
  • Monitor the company-wide risk culture: Directors should ensure that the company has a culture that supports the discussion of risk throughout the entire organization and is seen as part of the company’s fabric.
  • Avoid the trap of false precision: Looking at only the expected return of a new business program or strategic move can restrict dialogue and lead to minimization of the potential downside.
  • Get out of the weeds by taking a deep dive: To help counteract the tendency of boards and management to focus on operational, regulatory, and financial reporting risks, many boards conduct an annual “deep dive” or “off-site” meeting. These meetings are dedicated to thinking about, understanding, and challenging assumptions of strategic moves and risks.

The Summary of Proceedings also investigates ways in which directors can and do incorporate these practices into their boards’ activities. The full list of takeaways is available to NACD members.

Who Is Trying to Eat Your Lunch?

Last year, NACD launched its fourth Advisory Council on Risk Oversight, the first of our councils not dedicated to a specific key board committee. In fact, less than 10 percent of public companies even have a committee dedicated to risk oversight. This advisory council was formed as the result of a simple observation: the responsibility of risk oversight has expanded significantly in the last several years. The council is not lacking for discussion topics; the nature of potential risks to an organization is evolving seemingly by the day. Directors need to know the strategies in place not only to mitigate but to capitalize on the risks currently facing the company, and those predicted to present challenges in the future.

But that accounts only for what is on the board’s radar. At the second meeting of NACD’s Advisory Council on Risk Oversight, held in collaboration with PwC and Gibson Dunn, the discussion went beyond current and predicted risks to the challenges of disruptive technologies and innovation. Increasingly, the most severe shocks have been largely unpredictable: extreme weather, the confluence of multiple events, or innovation that upturns the industry. As one delegate observed: “We haven’t spent much time on the [risk of] ‘I will eat your lunch with a completely different approach.’ Companies don’t sit down and think about who is going to attack from a completely different angle.”

In their oversight capacity, directors cannot constantly monitor the more detailed aspects of the business. Nor can “you anticipate what you don’t know.” Nevertheless, several delegates suggested that appropriate risk oversight processes, coupled with a resilient culture that efficiently reports risks up to the board, can support directors in mitigating known and unknown risks. The meeting, captured in the 2013 Advisory Council on Risk Oversight Summary of Proceedings, focused on areas critical to effective risk oversight processes. These include:

  • Board processes and people. It is critical that the board not only has the right talent, but engages it fully. Directors should have a “real and thorough” understanding of the business to be able to effectively discuss both strategy and risk with management.
  • Recognizing asymmetric information risk. While the board has to be comfortable with the reality of information asymmetry, directors should establish tolerance levels for the level of asymmetric risk they are willing to bear, and look for signs of when this risk has become too high.
  • Engaging with management involved in risk reporting. For companies with a chief risk officer (CRO), that person can keep an “inventory” of risks throughout the organization. Additionally, directors can ask internal audit to identify what it believes will be “hot-button” risk areas.
  • Linking strategy to risk. The board’s oversight of risk should begin with an assessment of the company’s strategy and its inherent risks, which necessitates understanding and agreeing on the risk appetite, or the amount of risk the company is willing to accept.
  • Allocating the work of risk oversight. The significant increase in risks facing the board necessitates defining who will act as an “air traffic controller”—allocating risk oversight responsibilities.

Leading practices for risk oversight, including allocation of work and the development of a risk strategy document, will continue to be focus points not only for this advisory council but also for NACD’s Directorship 2020 initiative. The full summary of proceedings is available for download from NACD.