Ethical Boardroom Spring 2019

Page 62

Board Governance | Risk Management

Jim DeLoach

Managing Director, Protiviti

Identifying and managing risk

Making board and management risk committees effective

Most directors and governance authorities agree that the full board should retain overall responsibility for risk oversight, mirroring its overall responsibility for strategy. In the absence of statutory requirements to the contrary, the board has the flexibility to organise itself for risk oversight as it sees fit, given its company’s size, structure, complexity and risk profile, as well as the composition and structure of the board itself. The Dodd-Frank legislation in the US requires a separate risk committee consisting of independent directors for certain publicly traded bank holding companies. Over the years, we have seen a ‘trickle-down effect’ of this approach to other companies, particularly those with complex environments shaped by the nature of their industry, risks inherent in their strategy and business model and the sophistication of their risk management infrastructure. When the collective agendas of the full board and its standing committees are too packed to give risk oversight sufficient attention, directors may choose to form a focussed risk committee.

Making a board risk committee effective

When a separate risk committee is established, the question arises as to how to make it effective. The following are some suggestions:

1. Evaluate committee composition and service terms

Select independent directors with the requisite qualifications to oversee the enterprise’s risks. Consider whether a ‘risk expert’ should serve on the committee – i.e. someone with a background in risk management or oversight relevant to the nature of the organisation’s operations, a role analogous to the audit committee financial expert. In defining the terms of service for members and the committee chair, note that for the sake of continuity term limits may not be desirable. The committee chair may be rotated, appointed or reappointed by the board chair, or elected by majority committee vote.

2. Ensure risk is integrated with strategy-setting and business planning

Evaluate whether appropriate risks are taken in creating value and challenge management’s assumptions underlying key strategies and decisions. Understand the company’s risk management infrastructure and capabilities and assess their alignment with management’s strategy and risk appetite, both overall and by line of business.

3. Oversee and position the risk management organisation for success

Approve company-wide policies with respect to risk assessment and risk management practices. If there is a chief risk officer (or equivalent executive), review his or her appointment and performance in consultation with the full board; ensure he or she has sufficient stature, authority and independence within the organisation; and oversee his or her activities through ongoing communications, risk reporting and periodic executive sessions. Periodically inquire as to the adequacy of resources allocated to risk management.

4. Oversee risk reporting and monitoring

Ascertain whether management is identifying, prioritising and monitoring the appropriate types, levels and concentrations of risk, both by line of business and enterprise-wide. Ensure risk reporting is responsive to the needs of the committee and the board and is focussed on the critical enterprise risks and emerging risks, as well as the response strategies for addressing them.

5. Advise management on critical risk matters on a timely basis

Review the results of enterprise-wide risk assessments, including the identification and reporting of critical enterprise and emerging risks (the risks that matter). Engage management in an ongoing risk appetite dialogue as conditions and circumstances change and new opportunities arise. Review crisis management plans to ensure management has in place actionable response plans to address key risks, including plausible and extreme scenarios.

6. Influence risk culture

In cooperation with the compensation committee, watch for behaviour that could undermine risk management effectiveness, such as compensation incentives that may encourage inappropriate risk-taking. Oversee communications about escalating risks on a timely basis and pay attention to the warning signs of a dysfunctional

www.ethicalboardroom.com

