Many companies have management risk committees (MRCs) as part of their risk infrastructure. While not a part of the board, such committees nonetheless can contribute to the board’s risk oversight. The question arises as how to maximise their effectiveness.
Whether organised in the form of a designated MRC or a de facto risk committee,1 the use of MRCs has increased over the years.2 That increase is likely due to the growing complexity of the risks inherent in the organisation’s strategy and business model and increasing sophistication of risk management infrastructure. The agenda of the chief executive’s executive committee may be too crowded to cover these matters sufficiently. Extenuating circumstances may also be a contributing factor (e.g., a history of surprises, substantive improvements required in the company’s risk management capabilities, a critical risk meriting special attention or a need to strengthen risk culture). Worse, there may be a lack of confidence in certain risk management areas.
There are several merits to consider when evaluating whether to organise an MRC — for example, ensuring successful implementation of the organisation’s approach to enterprise risk management (ERM), focusing management attention on specific risk areas (e.g., technology, litigation and environmental issues), identifying emerging risks, and helping the company anticipate and react to disruptive events and trends. The committee’s deliberations can enhance the risk dialogue in the C-suite and boardroom by sharpening the focus on critical enterprise risks and emerging risks.
MRCs come in all sizes and shapes and with different objectives. The old cliché of no one-size-fits-all applies. For example, in financial institutions, commodity-based businesses or operations with hazardous activities, the MRC may focus on managing specific risks inherent in the business model that either are not managed by the business units or are more effectively managed enterprisewide, consistent with a portfolio view. Often, the objective is to make the management of its “in scope” risks — such as interest rate risk, currency risk, commodity price risk, credit risk, catastrophic risk, and health, safety and environmental risk — an organisational core competency.
Other MRCs may be focused on the risk management process and assume no overall or day-to-day responsibility for mitigating risks. Functioning under the auspices of the chief executive and/or executive committee, they assess and monitor the organisation’s internal and external environment and provide insights and recommendations to executive, operating and functional leaders for improving the company’s risk management capabilities continuously in a changing business environment.
As both the board and executive team can benefit from an effective MRC, we offer six suggestions for forming and operating such committees below:
Clarify MRC responsibilities through the charter — The charter should specify the committee’s mission or purpose, membership, duties and responsibilities, authorities (if any) and, if necessary, specific activities it is to perform. As directed by the executive team, the MRC’s responsibilities vary from company to company and may include identifying and prioritising risks; monitoring changes in the external environment for strategic risk implications; periodically assessing the entity’s risk culture, and benchmarking peers and best-of-class organisations; and ensuring the executive team and the board are considering critical enterprise risks.
The committee may provide guidance regarding ERM infrastructure, including enhancements to policies, processes, organisational structure, reporting, methodologies and systems. The charter should be approved by the executive team and reviewed with the appropriate board committee, giving directors an opportunity to ensure it addresses issues germane to the board’s risk oversight.
Include the right people — The committee, depending on its scope, should combine a diverse range of strategic, operational and functional perspectives. The selection criteria might include experience, knowledge of the business, specialised expertise and fit. At least one senior executive should be a member, e.g., an executive sponsor, who may also serve as committee chair. It may make sense for the general counsel and a representative from the disclosure committee to be present. Some companies rotate MRC members to bring a fresh perspective and create risk awareness across the entity. Size is also a factor; too large of a group can inhibit dialogue.
Conduct effective meetings — Considerations for meeting frequency include the nature and volatility of the organisation’s strategy, operations and risks as well as the scope of responsibilities outlined in the committee charter. MRCs can meet quarterly, monthly or more frequently as necessary. Meeting agendas should be developed by the committee chair with suggestions from committee members. They might include specific risk issues (e.g., drill-downs on risks or evaluations of risk appetite) as well as open discussions of new internal and external developments and other activities. MRCs should also gain input periodically from the chief audit executive as well as second line function executives, e.g., risk management and compliance. Briefing materials should be provided in advance of each meeting.
A key point: When meeting attendance declines or senior personnel who are supposed to attend start sending delegates instead, that’s a sure sign something is wrong with the substance of the meeting agendas or how the meetings are conducted. In such instances, MRC sponsors need to get to the root of the issue and make the necessary adjustments to refresh the committee’s focus.
Focus group dialogue on what executives and directors may not know — The MRC’s real value comes from focused dialogue around what’s new, what’s changing, and the implications regarding emerging opportunities and risks. Heads turn when the committee escalates insights that aren’t on the radar of the organisation’s leaders.
Meetings should be inclusive so that everyone is engaged. Cluttering meetings with presentations is a mistake. If the right group is assembled, it makes sense to hear what they have to say. While presentations by different risk owners explaining how they are addressing risks for which they are responsible are acceptable, sufficient time should be allowed for discussion and input.
Don’t let the committee get stale — Taking too broad of a focus and repeating the same activities can sap the committee’s energy over time. Consider mixing things up and refocusing MRC activities depending on the organisation’s needs. For example, if the economy is in a recession, the committee’s focus might be on liquidity and monitoring the impact of cost-cutting and terminations on the risk management process and internal control structure. If the company is growing rapidly, the committee may want to focus on changes to the overall risk profile and emergence of potential risks. It is a good idea to revisit the committee’s emphasis periodically — at least annually — given the company’s circumstances and the current business environment.
Spot the warning signs of a deteriorating risk culture — The committee should watch for signs of a dysfunctional culture and be sensitive to operating units taking risks recklessly or foregoing attractive market opportunities through risk-averse behavior. A pattern of limits violations, near misses, noncompliance incidents, internal control deficiencies and foot-dragging on issue remediation are other signs of potential cultural issues that may warrant escalation.
The above points are illustrative and are neither intended to be exhaustive nor prescriptive. The chief executive and executive committee dictate the scope of the MRC, delegating responsibilities consistent with the priorities of the business. The board can provide input on this direction.
Questions for Boards
The board of directors may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:
- If the company doesn’t have an MRC, why not? Is it because of the nature of the business, the ability of the executive team to deal with significant risk matters, or other factors?
- If the company has an MRC:
- Does the committee have access to the people, resources and information it needs to carry out its responsibilities?
- Does the board have sufficient transparency into the committee’s charter and activities? Is the committee’s scope responsive to the board’s risk oversight needs?
- Does the board receive periodic updates from the committee? Is the board satisfied the committee is fulfilling its chartered responsibilities?
How Protiviti Can Help
We assist boards and executive management in identifying and assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We also help public and private companies with the integration of their risk assessment process and core business processes, including strategy-setting and execution, business planning, and performance management. We provide an experienced, unbiased perspective on issues separate from those of company insiders to help organisations improve the functioning of and the value contributed by management risk committees.
1 A de facto risk committee may exist through allocating executive committee agenda time to risk matters, a subcommittee of the executive committee or an equivalent group with a name other than “management risk committee.”
2 According to The State of Risk Oversight: An Overview of Enterprise Risk Management Practices by Mark Beasley, Bruce Branson and Bonnie Hancock, March 2017: In the United States, 80 percent of the largest organisations (greater than US$1 billion in revenue) and 83 percent of public companies had a management risk committee in 2016. Furthermore, use of these committees since 2014 increased across all types of organisations and specifically for the largest organisations and public companies by 17.6 percent and 18.6 percent, respectively. Since 2009, use of these committees increased dramatically (by 164 percent) for all organisations.
(Board Perspectives: Risk Oversight - Issue 112)