It is generally accepted that the full board has overall responsibility for risk oversight, mirroring the board’s responsibility for overseeing strategy. In deciding how to organize itself to oversee risk and risk management, the question arises as to whether the board should establish a separate risk committee. This article explores that question and provides examples to clarify the role and responsibility of a separate risk committee in situations where the board decides to establish one.
Through the risk oversight process, the board of directors obtains an understanding of the critical risks inherent in the corporate strategy, accesses useful information from internal and external sources about the critical assumptions underlying that strategy, remains alert to organizational dysfunctional behavior that can lead to excessive risk taking, and provides input to executive management regarding critical risk issues on a timely basis. How the board views risk oversight as a process should dictate how it chooses to organize itself for purposes of executing that process. The risk oversight process enables the board and management to develop a mutual understanding regarding the risks the company faces over time as it executes its business model for creating enterprise value. In organizing itself for risk oversight, what are some of the factors for boards to consider and when should boards establish a separate risk committee?
Overall Responsibility for Risk Oversight
The full board should retain overall responsibility for risk oversight, mirroring its overall responsibility for strategy. If the board is to fully understand the company’s corporate strategy, it also needs to determine the risks inherent in that strategy. If the full board is responsible for monitoring execution of the strategy, it needs to understand whether the critical risks are being managed effectively. This oversight can be carried out either by the full board or through delegation to one or more standing committees, provided that overall responsibility for the process remains with the full board.
Except where there are statutory requirements dictating otherwise, the board has the flexibility to organize itself in a manner that makes sense in view of the company’s size, structure, complexity, culture, and risk profile, as well as the board’s size, composition, and structure. To enhance effectiveness and efficiency and address specific regulatory requirements, specific risk oversight responsibilities can be allocated to various standing committees in keeping with the specific risks germane to each committee’s responsibilities. This delegation of responsibility can be accomplished in different ways, including a separate risk committee and expansion of the role of the audit committee and the various other committees of the board (finance, strategy, etc.).
Should Risk Oversight Be the Responsibility of the Audit Committee?
In determining whether to designate the audit committee as the body responsible for risk oversight, the board must consider a critical question: Does the audit committee have the time, the skills, and the support to do the job, given everything else it is required to do? In our experience, when audit committees assert that they are addressing risk management, their scope tends to be all over the map. If the board decides that the audit committee is the right choice to provide risk oversight, it should acknowledge that the audit committee already has many responsibilities focused on financial reporting and is, in effect, the last line of defense for financial reporting risk—a point that should not be taken lightly if the enterprise’s financial reporting issues are complex. The so-called “audit committee financial expert”— a fixture on many audit committees of public companies as a result of the Sarbanes-Oxley Act—may not necessarily have the skills needed to evaluate policies for assessing and managing the range of business and operational risks the enterprise faces. In fact, off-balance sheet reporting and other financial reporting practices sanctioned by companies and their audit committees have often obscured the very transparency so necessary for effective risk management and risk oversight. Therefore, the complexity of the company’s risks may justify a different approach than delegating primary responsibility for risk oversight to the audit committee.
Determining Whether to Establish a Separate Risk Committee
The Dodd-Frank Wall Street Reform and Consumer Protection Act requires a separate risk committee composed of independent directors for publicly traded bank holding companies with $10 billion or more in assets and publicly traded nonbank financial companies supervised by the Federal Reserve. Over time, we may see some “trickle-down effect” from this approach to the board risk oversight of nonfinancial companies. Given this context, the question arises as to whether the board should establish a separate risk committee for the board.
A separate risk committee of the board is not a one-size-fits-all solution, and it may be a better fit for companies with special circumstances. For example, the boards of financial institutions, power companies, and other organizations with complex market, credit, liquidity, commodity pricing, regulatory and other risks that require special attention may find a risk committee useful. Companies with rapidly changing business environments and expecting significant emerging risks, such as quickly evolving technological innovation and cybersecurity risks, might also find a separate risk committee of value.
A risk committee focuses director attention on the company’s most critical risks and risk management capabilities. To this end, the board will want to be sure that the directors assigned to this committee have the requisite knowledge and expertise to provide effective oversight over the risks falling within the committee’s scope. A risk committee fosters an integrated, enterprise-wide approach to identifying and managing risk and provides an impetus toward improving the quality of risk reporting and monitoring, both for management and the board. This approach can assist the board in focusing on the “big picture.” A risk committee can also provide greater support for company executives who are given broad risk management responsibilities, resulting in a stronger focus at the board level on the adequacy of resources allocated to risk management. Finally, it allows the audit committee and other board committees to focus on their respective core responsibilities.
A separate risk committee, however, is not a panacea. A number of issues can arise during the formation of a separate risk committee:
- Without a sufficient number of independent directors who possess deep knowledge and experience in dealing with the industry and its critical risks, a risk committee will lack effectiveness.
- A risk committee cannot cover any gaps in the company’s risk management process and is highly dependent upon the quality of inputs to and outputs from that process and information and insights from external sources.
- Redundant activity can arise as risk management issues are considered through the work of other board committees.
- Most board members serve on several committees already; therefore, adding one more committee can dilute the board’s focus.
When deciding whether to form a separate risk committee, it is important to consider the extent to which risks are already inherent in the scope of each standing committee’s activities as set forth in the respective committee charter. For example:
- Audit committees typically oversee financial reporting risks and certain compliance-related risks that can have financial reporting implications. For companies listed on the New York Stock Exchange (NYSE), the audit committee is required to include in its charter a responsibility to discuss with management the company’s policies around risk assessment and risk management, even if the board sees fit to set up a separate risk committee.
- Governance committees oversee such governance risks as board leadership and composition, board structure, and other matters.
- Compensation committees oversee risks related to how the compensation structure drives behavior within the organization.
- Strategy and finance committees oversee strategic risks.
Defining the risks that fall within the purview of a separate risk committee will tend to vary widely based on the nature of the industry and the complexity of the organization’s risks, requiring focused expertise to provide appropriate oversight. Therefore, whether to establish a separate risk committee is a facts-and-circumstances decision based on many factors. Regardless, the full board has the responsibility to provide effective risk oversight. With that in mind, the board must decide how best to organize itself for risk oversight. If a separate risk committee is formed, the board needs to be careful that the existence of a risk committee does not result in the rest of the board neglecting risk matters because of a view that risk is an issue only for the separate risk committee to consider.
Some companies form a separate committee to address specific company risks but don’t call the committee a “risk committee.” The idea is to charter a committee to deal with the unique, complex, and volatile risks the company faces. To illustrate, the boards of Dow, Ashland Inc., and Veresen Inc. have an environmental, health, safety and technology committee, and the board of Chiquita Brands has a food innovation, safety and technology committee. Hewlett-Packard’s board has a technology committee and Monsanto’s board has a science and technology committee. Separate risk committees have been the norm for years in financial institutions and are becoming commonplace at companies that fall under the provisions of Dodd-Frank, as well as among many smaller institutions. Risk committees are emerging in nonfinancial services companies as well. For example, according to disclosures in their respective proxy statements, GE has a risk committee, GM has a finance and risk policy committee, Owens-Illinois, Inc. has a risk oversight committee, and The Hershey Company and Duke Energy both have a finance and risk management committee. Many companies have an audit and risk committee (or conversely, a risk and audit committee), including a number of financial services companies, as well as Intuit Inc., Ameren Corporation, BHP Billiton, and many others.
As dramatic global events continue to bring home the reality that it is, indeed, a risky world out there, interest in increasing the board’s focus on risk oversight is prompting more consideration of the merits of a separate risk committee. The U.S. Securities and Exchange Commission rules now require disclosure of the board’s risk oversight process, providing transparency to institutional investors so they can understand more about what boards are doing in overseeing risk. Those disclosures and the interest they create have encouraged boards to think about how they are organizing for risk oversight.
Role and Responsibilities of a Separate Risk Committee
To enhance the transparency of the oversight process, organizations may want to consider documenting formally the roles and responsibilities related to risk oversight in the board and/or committee charters. Specifically, they may want to clarify which responsibilities and duties will be handled by the full board and which of these will be delegated to the responsible standing committees to ensure major gaps and overlaps in oversight of top risk exposures do not occur.
If a separate risk committee is deemed appropriate given the risk oversight responsibilities outlined in the various standing committees’ charters, it might take on some of the following roles:
- Determine that there is a robust process in place for identifying, managing, and monitoring critical risks; oversee execution of that process; and ensure it is continuously improved as the business environment changes.
- Provide timely input to executive management on critical risk issues.
- Engage management in an ongoing risk appetite dialogue as conditions and circumstances change and new opportunities arise.
- Oversee the conduct of, and review the results of, enterprise-wide risk assessments, including the identification and reporting of critical enterprise risks.
- Oversee the management of certain risks having the complexity and significance to warrant the attention of a separate board committee composed of directors with the requisite expertise.
- Help coordinate activities of the various standing committees for risk oversight.
- Watch for dysfunctional behavior in the company’s culture that could undermine the effectiveness of the risk management process and lead to inappropriate risk-taking, such as (in cooperation with the compensation committee) the nature and balance of the compensation structure and its potential to encourage inappropriate risk-taking.
The risk committee charter should clarify that the committee’s activities support the board’s overall risk oversight objectives. With respect to risks the risk committee is assigned to oversee, care should be taken to watch for overlaps (e.g., compliance risk with the audit committee).
However the board decides to proceed in organizing risk oversight, it must have a balance of qualified directors. Knowledge of the industry and its critical risks is vital for companies with significant financial and commodity-based risks. If that knowledge is lacking, it won’t matter which risk oversight option the board selects.
It is also imperative that directors have access, from both internal and external sources, to the information and insights conducive to effective risk oversight. Ineffective risk reporting renders moot any discussion about organizing for risk oversight. The findings of a December 2010 survey of more than 200 directors regarding the current state of board risk oversight point to an opportunity to enhance risk reporting to the board. The survey, sponsored by the Committee of Sponsoring Organizations (COSO) and published by Protiviti, showed that the most common types of risk reporting received at least annually by boards include a high-level summary of top risks for the enterprise as a whole and its operating units; a periodic overview of management’s methodologies used to assess, prioritize, and measure risk; and a summary of emerging risks that warrant board attention. The types of risk reporting not received annually by most boards include scenario analyses evaluating the effect of changes in key external variables affecting the organization; a summary of exceptions to management’s established policies or limits for key risks; and a summary of significant gaps in capabilities for managing key risks and the status of initiatives to address those gaps. The findings reveal an opportunity for organizations to improve the risk reporting process and increase the regularity of reporting according to the nature of the organization’s operations and risk profile as well as the board’s specific needs.
Finally, if various standing committees are used for the purposes of risk oversight with no enterprise-wide focus, there is the danger that boards will miss the big picture. The use of various committees can lead to a fragmented and silo-driven approach, which can result in critical risks being omitted from consideration. That is why the risk oversight approach should be carefully orchestrated at the full board level.
Questions for Boards
Boards of directors may consider, in the context of the nature of the risks inherent in the company’s operations:
- Has the board considered how it should organize for risk oversight? Is a separate risk committee mandated by regulation or regulatory expectation? Has the board articulated its risk oversight objectives and are those objectives incorporated into the board’s charter? Has the board evaluated the effectiveness of its risk oversight processes in achieving its risk oversight objectives? Is the board actively taking steps to address any gaps that may impede its risk oversight effectiveness?
- Is the board satisfied that its current complement of directors has the requisite expertise and industry knowledge to provide effective oversight of the company’s most critical risks?
- Are the board and/or responsible committees, including a separate risk committee, if one exists, confident that directors are receiving the comprehensive, objective information they need to perform effective risk oversight? Is sufficient agenda time allocated to the discussion of the enterprise’s risks with the appropriate company individuals?
- Is there a robust process in place for identifying, prioritizing, sourcing, managing, and monitoring the enterprise’s critical risks in a changing business environment? Does that process adequately support the board’s risk oversight?
- Does the board understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?
“Board Risk Oversight – A Progress Report: Where Boards of Directors Currently Stand in Executing their Risk Oversight Responsibilities,” Protiviti, December 2010 (www.coso.org/documents/Board-Risk-Oversight-Survey-COSO-Protiviti_001.pdf).