Why companies need risk management committees

Over a decade after companies woke up to the importance of risk evaluation committees at the board level in the aftermath of the 2008 financial crisis, a look at how far we've come and how risk oversight committees have evolved

Updated: Feb 10, 2021 05:44:45 PM UTC
Image caption: Every board needs a focus on digital maturity and impact, cyber security and AI, as it closely aligns with risk management. (Image: Shutterstock)

If an enterprise board in its perfect role has to govern the enterprise strategy and guide it, risk oversight is critical. Should the entire board take up the responsibility for risk management or should it form a sub-committee for risk management?

Every strategy is a hypothesis, and several underlying assumptions define its uniqueness. Understanding the risks is essential for guiding the CEO on the strategy and its management. Insights obtained from both internal and external sources help the board of directors make informed decisions and chart the direction. Depending on the size and quantum of work involved, a board can decide to constitute a risk committee within the board for smoother functioning of this critical role, as risk oversight is a responsibility no board can absolve itself of.

Many directors ask us why they should look at a separate risk committee and why the audit committee can’t do this as part of its work. Most often the audit committee won’t have the required skills, time, and mindset to do this work. Boards would be ill-advised to assign risk management to the audit committee, given that it is probably already overloaded. It is also better to have a risk committee when enterprises have special issues, such as the ones we see in the power, banking, and natural resources sectors, where problems of credit, pricing, and regulation can be ever-changing. Technology companies, for instance, constantly face disruptive forces and will need a special risk mitigation focus.

The role of a risk committee should encompass the entire organisation with a systematic approach to categorising, monitoring and guiding on risk issues. It should support the management to focus on risk mitigation processes.

The big financial panic of 2008 scared boards across the world into deeper evaluation of the risks their companies face. At the tactical level, that meant building practical risk oversight and management into the board structure. Typically, this is done through the audit committee, but often it drove the creation of a customised board-level risk committee. It is now over a decade since company boards awakened to risk, so let us take a look at how their risk oversight structures have evolved. (It is altogether another matter that most boards were not prepared for the Covid-19 pandemic despite their best efforts at risk oversight.)

Board risk oversight has become much more institutionalised over the past decade. Laws in most developed economies now mandate company disclosure not only of major risk factors but also how the board structures its oversight of them. This has driven improved corporate risk data gathering and reporting, plus more formalised board review and discussion.

A dedicated board risk committee has gained in popularity over the past decade, but still remains in the minority. Data varies by country and sector (the percentages are highest in Asia), but overall about 25 percent of corporations seem to have a distinct risk committee, mostly among large-cap companies and financial services companies. Another survey found that 65 percent of responding companies make the audit committee their default board-level risk oversight body. Amidst the pandemic, the Securities and Exchange Board of India (Sebi) had proposed that all the top 1,000 companies must have separate risk committees on their boards at the earliest.

How board risk management is allocated today is not simple. Risk oversight is customised to each company’s needs and current risk climate, and integrated into board structures to fit. Creating a risk committee is seen as an insurance policy, and such committees are able to put in place the right processes and controls. As an example, compensation committees have added more charter space and agenda time to the specific risks their pay and incentive plans create for the company. Also, board risk consideration is a factor in the creation of other new committees, such as ESG (Environmental, Social and Governance), technology, disclosure, or compliance.

Another reason for peeling risk oversight away from the audit committee is better prevention. An audit committee is tasked with a validating, backward-looking perspective, whereas risk oversight should be forward-looking. Often, the forensic, numbers-driven structure of audit lacks the more dynamic, hypothetical approach needed to avoid dangers. In other words, just as with the CAG (Comptroller and Auditor General) in government, preventive audit is absent.

For companies that do create a specific, chartered risk committee, things have changed as board risk oversight has matured. Rather than nominating members at random (or shaping a sort of sub-audit committee), boards now need to ensure particular expertise, with people who are deep in the areas the industry depends on. Technology is the hottest of these at the moment. Every board needs a focus on digital maturity and impact, not to mention cyber security and artificial intelligence. This closely aligns with risk management. Boards should consider not only the dangers of cyber attacks and data fumbles but also the positive risk of missing new digital strategic and marketing opportunities. This insight is a natural fit for any board risk committee.

Going forward, boards may want to set up a formal process for documenting the roles and responsibilities of the risk committee. Define what will be overseen by the whole board and what by the committee. Some of the key roles for the committee can include the following:

  • Identify, monitor, and manage critical risks and propose scenarios for the executive team
  • Discuss potential threats and evaluate the risk heat maps with the executive team every quarter
  • Set up a process for regular risk reporting by the enterprise
  • Coordinate with other standing committees on key issues of risk
  • Evaluate and appraise the cultural aspects of the enterprise that encourage premature or inappropriate risk-taking. For instance, in some companies, health and safety practices do not always follow the set norms, and in typical Indian behaviour, even the CEO thinks accidents do not happen to them

Bottom line: The risk committee should eventually align with, and support, the board’s overall governance of risks.

Muneer is co-founder of the non-profit Medici Institute and a stakeholder in the Silicon Valley-based deep-tech enterprise Rezonent Corp. Ralph is global board advisor, coach, and publisher. Twitter @MuneerMuh


The thoughts and opinions shared here are of the author.
