Five Questions About Risk Committees
Board members have expressed increasing concern about their risk-oversight roles and responsibilities — and how best to fulfill them. This isn’t just an issue for financial services firms, where recent regulations have started to require (not just suggest) board-level risk committees. These days, a range of large organizations have begun exploring how risk committees can help them better navigate an uncertain economic and regulatory environment.
Here, Henry Ristuccia answers questions about the value of board risk committees and what is involved in establishing one. Afterward, Maureen Errity, Director, Deloitte LLP, Center for Corporate Governance, lends her perspective, based on recent Deloitte¹ research that analyzed trends in risk governance and oversight practices.
Question: Why would an organization need a board-level risk committee?

Henry Ristuccia: Well, for certain banks, it will be a requirement under Dodd-Frank through the Federal Reserve’s notice of proposed rulemaking on enhanced prudential supervision². But any large company, in any industry, should consider the benefits of a board risk committee. There are just so many risks that can undermine an organization today. And they’re so complex and interrelated that a board risk committee can be more effective at oversight than the audit committee and other board-level committees.

Question: Why would a board risk committee provide enhanced oversight?

Henry Ristuccia: Breadth and depth of focus. A board risk committee can focus on the full range of risks the enterprise faces: everything from strategic, financial, operational, regulatory, IT, security, health and safety, and reputational risks, and beyond. A risk committee can develop a wide-angle view of risks across the enterprise and see how they relate to one another.

A risk committee can achieve depth of focus when it keeps the issue on management’s and the board’s agenda, and stays current on risks and regulations in a way that can be hard for other committees to achieve. The committee can also make sure the organization stays focused on the right risk management priorities.

Question: How does a board risk committee really work?

Henry Ristuccia: The full board typically maintains responsibility for risk, while delegating actual oversight to the risk committee. The risk committee coordinates risk oversight with the audit and other committees, draws up the meeting calendar and agendas, and provides input to management on the enterprise’s risk appetite and tolerances. Often the chief risk officer (CRO) reports to the board risk committee.

Also, and this is key, the risk committee holds an ongoing discussion with management about risk, risk exposures, and risk management.

Question: How important is it to have a charter?

Henry Ristuccia: A clear charter is the key to establishing any board-level committee. The risk committee charter has the usual items: number of members, their qualifications, whether the chair is appointed or elected, and so on. But also, when they develop the charter, the members think through how they will define and implement their risk oversight roles and responsibilities.

Because this can be complicated, Deloitte recently published a Risk Committee Resource Guide³ to assist boards that are considering establishing a risk committee.

Question: So, how does a risk committee really define its responsibilities?

Henry Ristuccia: Start by asking a lot of questions. Will the CRO report to the risk committee, the full board, or to management? What will be the committee’s role regarding risk appetite? How will the committee monitor risk? What size transactions or exposures must management bring to the committee’s attention? Addressing those and other specific questions enables the committee to define and implement its responsibilities at the action level.

These are things every board should be clear about, whether or not they are forming a risk committee.
A Closer Look: Proxy Disclosures
Maureen Errity, Director, Deloitte Center for Corporate Governance
Recent proxy disclosures by companies reveal an increasing focus on risk governance. Our review of 2010 and 2011 proxy statements⁴ found that 90 percent of the S&P 200 companies analyzed had disclosed that the full board is responsible for risk. When it comes to board-level committees, two-thirds stated that the audit committee is responsible for risk, and 91 percent stated that other board committees are involved. One-third of financial services companies had board-level risk committees, a number that will increase sharply in 2012.
A separate Deloitte analysis of bank board risk committee charters⁵ revealed that 80 percent of the banks studied have the risk committee oversee management’s implementation of the risk management strategy. In almost half, the CRO reports to or has direct access to the board or the risk committee.
For boards that are working to define and fulfill their risk oversight roles, here are a few guiding principles:
- Take a Risk Intelligent approach
Our concept of the Risk Intelligent Enterprise™ embodies principles of sound risk governance and management, such as identifying all risks, looking across silos, and holding business units accountable for risk management.
- Establish clear risk-related roles
With or without a risk committee, the board should clearly define its role in risk oversight. Guidelines for board risk committees can help boards do this, even if they are not establishing one.
- Look to the risk management infrastructure
Risk governance depends on the people, processes, and technology that support risk management. The right expertise, controls, and information can help ensure that the board and management fulfill their risk-related responsibilities.
The bottom line? Companies are increasingly disclosing their risk oversight practices to shareholders, in response both to regulation and to growing shareholder interest in boards’ risk governance practices. Better to embrace this new reality than resist it. Not only will it be easier to comply with tightening regulations with a more formal approach to risk oversight in place, but that approach can help raise the Risk Intelligence of the whole organization. In a world where risks can directly shape business outcomes, that’s a big deal.
1 As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
2 The Dodd-Frank Wall Street Reform and Consumer Protection Act is a federal statute in the United States signed into law by President Barack Obama on July 21, 2010. It promotes the financial stability of the United States by improving accountability and transparency in the financial system, ending "too big to fail," protecting the American taxpayer by ending bailouts, protecting consumers from abusive financial services practices, and other purposes.
3 The Risk Committee Resource Guide for Boards
4 Risk Intelligent Proxy Disclosures – 2011: Have risk-oversight practices improved?
5 Improving Bank Board Governance: The bank board member’s guide to risk management oversight