Do Risk Committees Improve Strategic Risk Management?
Sunday, September 26, 2010

Risk committees continue to garner attention as a vehicle to raise risk issues high enough in the organization that they can be managed in a more strategic manner. But has their increased popularity led to enhanced oversight? Or are they just the flavor of the month?

In recent months, the Securities and Exchange Commission (SEC) has issued proposed rule making that states that corporate "disclosure might address questions such as whether those who oversee risk management report directly to the board as a whole, to a committee, such as the audit committee or to one of the other standing committees of the board, and whether and how the board, or board committee, monitors risk."  

This raises the question of whether this -- and other recent legislative and regulatory trends -- is a mandate to establish risk committees. Even without a clear answer, executive-level leadership throughout the business world is now pondering the formation of risk committees to address real or perceived weaknesses in governance. In essence, boards are now becoming compelled to respond to the changing risk landscape.

The notion of heightened enforcement has emanated from increasing regulatory scrutiny. Specific examples include Standard & Poor's established risk culture criteria relative to credit rating performance and the SEC's ruling to ensure the protection of investors by maintaining fair, orderly and efficient markets. The reference to enforcement is important because it signifies a shift by regulators to actively impose regulatory authority that in the past has not been enforced. 

There is also evidence that companies have likely made assumptions that their corporate governance is stronger than it may actually be. If board and executive management level oversight is not sufficient to address increasing regulatory demands, what and how can they organize or execute differently to provide the assurance necessary for the shareholders, the markets and their regulators?

Risk management methodologies like enterprise risk management (ERM) have been implemented by many companies as a means of improving risk management processes, but this has not generally addressed the increasing role of boards and committee risk management capabilities. While some consider the formation of risk committees to be an additional layer of risk oversight that adds redundancy, others argue that it may also add confusion regarding who should own management of risk. And in some cases, risk committees have not proven to be effective no matter who ultimately "owns" risk management.

Most agree, for example, that the financial meltdown was the result of an absence of good corporate responsibility and risk oversight. Risk management capabilities were simply insufficient to mitigate the events that unfolded. Interestingly, however, risk committees, which are more common in the financial services arena, do not seem to have helped thwart the financial crisis.  

Many of the larger banking and investment companies had risk committees to address the types of risks that audit committees might otherwise address. The result, according to some, is that this may only be creating overlap -- not additional risk oversight functions that improve risk capabilities. Hence the questions: should the audit committee have expanded responsibility, should the board undertake an expanded role or should a risk committee be formed? If multiple functions have risk oversight responsibility, how is accountability delineated? Is there adequate independence and perspective with respect to risk? 

There are many questions to answer. And depending on the individual company and its current approach to corporate governance and risk oversight, there could be various correct answers.

There are two primary considerations a company should weigh, however. First, is the board or senior level management comfortable that they can develop and implement GRC, ERM or some form of control to meet their strategic risk management objectives? Second, is there a compelling need to meet increased independence and/or rigor where existing functions or processes fail to achieve strategic risk management objectives?

If the answer is a resounding yes to either or both, then formation of a risk committee at the board or executive management level may be the appropriate response.

What is clear is that many companies of all sizes have not formed risk committees and appear to effectively manage enterprise risk with success. This may be related to the board's willingness to take on a larger role in risk management and oversight. Hence, if there is a perceived mandate to form risk committees, it may largely be due to the increased awareness surrounding today's heightened risk concerns.

__________

Written by Craig Snyder: 

Craig Snyder is senior manager of risk at Ernst & Young.

 
