The Dodd-Frank Act requires a separate risk committee composed of independent directors for publicly traded bank holding companies with US$10 billion or more in assets and publicly traded nonbank financial companies supervised by the Federal Reserve. Over time, we may see some “trickle-down effect” from this approach on the board risk oversight of nonfinancial companies. Given this context, the question arises as to whether the board should establish a separate risk committee of the board.
The full board should retain overall responsibility for risk oversight, mirroring its overall responsibility for strategy. Except where there are statutory requirements, the board has the flexibility to organize itself in a manner that makes sense in view of its company’s size, structure, complexity, culture and risk profile, as well as the board’s size, composition and structure. To enhance effectiveness and efficiency and to address specific regulatory requirements, specific risk oversight responsibilities can be allocated to various standing committees in keeping with the specific risks germane to each committee’s responsibilities.
A separate risk committee of the board is not a one-size-fits-all solution. For some companies, it may be a good idea – in certain circumstances. A risk committee allows the audit committee to focus on its core financial reporting-related responsibilities. It enables focused director attention on the company’s most critical risks and risk management capabilities, particularly for companies with complex market, credit, liquidity and commodity pricing risks. A risk committee also fosters an integrated, enterprisewide approach to identifying and managing risk and provides an impetus toward improving the quality of risk reporting and monitoring, both for management and the board. This approach can assist the board in focusing on the “big picture.” It also can provide strong support for company executives who are given broad risk management responsibilities, resulting in a stronger focus at the board level on the adequacy of resources allocated to risk management.
However, a separate risk committee is not a panacea. It may be more important to evaluate whether a sufficient number of independent directors possess deep knowledge and experience in dealing with the industry and its critical risks. A risk committee won’t cover any gaps in the company’s risk management process and is highly dependent upon the quality of (a) inputs to, and outputs from, that process, and (b) information and insights from external sources. Redundant activity can arise as risk management issues are considered through the work of other board committees. Most board members serve on several committees already; therefore, adding one more committee can dilute the board’s focus. For New York Stock Exchange (NYSE)-listed companies, the audit committee is required to include in its charter a responsibility to discuss with management the company’s policies around risk assessment and risk management, even if the board sees fit to set up a separate risk committee. The board needs to be careful that the creation of a risk committee does not result in a subconscious attitude of delegation by the rest of the board on risk matters, such that the non-committee members begin to view risk as a matter for the committee and not the full board.
If a separate risk committee is deemed appropriate, given the risk oversight responsibilities outlined in the various standing committees’ charters, it might take on some of the following roles:
- Determine that there is in place a robust process for identifying, managing and monitoring critical risks; oversee process execution; and ensure continuous process improvement as the business environment changes.
- Provide timely input to executive management on critical risk issues.
- Engage management in an ongoing risk appetite dialogue as conditions and circumstances change and new opportunities arise.
- Oversee the conduct, and review the results, of enterprisewide risk assessments, including the identification and reporting of critical enterprise risks.
- Oversee the management of certain risks having the complexity and significance to warrant the attention of a separate board committee composed of directors with the requisite expertise.
- Help coordinate activities of the various standing committees for risk oversight.
- Watch for dysfunctional behavior in the company’s culture that could undermine the effectiveness of the risk management process and lead to inappropriate risk-taking; for example, in cooperation with the compensation committee, review the nature and balance of the compensation structure and how it may encourage inappropriate risk-taking.
The risk committee charter should clarify that the committee’s activities support the board’s overall risk oversight objectives. With respect to risks the risk committee is assigned to oversee, care should be taken to watch for overlaps (e.g., compliance risk with the audit committee).
Questions for Boards
Following are some suggested questions that boards of directors may consider, in the context of the nature of the risks inherent in the entity’s operations:
- Has the board considered how it should organize for risk oversight?
- Are the board and/or responsible committees, including a separate risk committee, if one exists, confident that directors are receiving the comprehensive, objective information they need to perform risk oversight?
How Protiviti Can Help
As the board evaluates how to organize for risk oversight, Protiviti can assist it and executive management with assessing the enterprise’s risks and implementing strategies and tactics for managing risk. We help organizations improve their risk reporting, which can better inform the risk oversight process – a key to the success of any oversight process, regardless of how the board chooses to organize itself.
Board Perspectives: Risk Oversight (Issue 24)