Board Governance | Risk Management

Whether organised in the form of a designated management risk committee (MRC) or a de facto risk committee,1 the use of MRCs has increased over the years.2 This increase is likely due to the growing complexity of risks inherent in the organisation’s strategy and business model and increasing sophistication of risk management infrastructure. The CEO’s executive committee agenda may be too crowded to cover certain risk matters sufficiently. Extenuating circumstances – e.g. a history of unexpected surprises, substantive improvements required in risk management capabilities, a critical risk meriting special attention and/or a need to strengthen risk culture – may also be a contributing factor.

Formed by senior management, an MRC sometimes focusses on managing specific risks inherent in the enterprise’s strategy that either are not managed by the business units or are more effectively managed enterprise-wide by a central risk unit. With support-staff assistance and in cooperation with the business units, the MRC evaluates, pools, reduces, transfers and exploits the risks for which it is accountable. It may even have veto and/or escalatory authority with respect to certain business activities and may share responsibility for managing specific risks with the business units. Other MRCs may have less authority and be more focussed on the risk management process, with no day-to-day responsibility for mitigating risks. If there is a chief risk officer (or equivalent executive), he or she may support and even chair the committee. There is no standard one-size-fits-all model.

MRCs are more commonly found in financial institutions, commodity-based businesses or operations with hazardous activities, where management of certain risks must be executed skilfully within the company’s risk appetite and established risk tolerances. These risks may include interest rate risk; currency risk; commodity price risk; credit risk; catastrophic risk; or health, safety and environmental risk.

Functioning under the auspices of the CEO and/or executive committee, the MRC assesses and monitors the organisation’s internal and external environment and provides insights and recommendations to executive, operational and functional leaders, all in the spirit of improving the company’s risk management capabilities continuously as the business environment changes. Both the board and executive team can benefit from an effective MRC. The following are some suggestions for creating and operating this committee:
Use the MRC charter to clarify responsibilities
Use the charter to articulate the committee’s mission or purpose, membership, duties and responsibilities, and authorities (if any), and, to the extent necessary, specific activities the committee is to perform. It should be approved by the executive team and reviewed with the appropriate committee of the board.

Gain CEO and executive team support
Don’t leave home without it.

Consider the appropriate committee composition
Seek a diverse range of strategic, operational and functional perspectives and experience as well as knowledge of the business. At least one senior executive should be a member (i.e. an executive sponsor).

Keep it manageable
Avoid too large a group, as it inhibits discussion. Manage the numbers by designating ex officio members who contribute when they have fresh insights to offer – e.g. it may make sense for the general counsel and a representative from the disclosure committee to be present from time to time.

Ethical Boardroom | Spring 2019
Meeting frequency should match the risk profile
Meet quarterly, monthly or more frequently, considering the nature and volatility of the organisation’s strategy, operations and risks as well as the responsibilities outlined in the charter.

Conform the committee’s activities to specs
Align meeting agendas with the requirements of the charter and suggestions from committee members and executive management. Agendas might include specific risk issues (e.g. drill-downs on specific risks or evaluation of risk appetite), as well as open discussions of emerging internal and external developments.

Meetings should be inclusive
Make sure everyone is engaged. While presentations by risk owners explaining how they are addressing risks for which they are responsible are appropriate, sufficient time should be allowed for discussion and input. Provide briefing materials in advance of each regularly scheduled meeting.

Don’t let the committee get stale
Consider mixing things up and refreshing the focus, depending on the organisation’s current needs. When attendance declines or senior personnel who are supposed to attend start sending delegates, it’s a clear sign something is wrong. Too broad a focus and doing the same things over time sap energy, engagement and enthusiasm.

Focus dialogue on what executives and directors may not know
The MRC’s value primarily comes from focussed dialogue around what’s new and what’s changing and the implications in terms of emerging opportunities and risks. Heads turn when the committee escalates insights and issues that aren’t on the radar of the organisation’s leaders.

Spot the warning signs of a deteriorating risk culture
The committee should watch out for signs of a dysfunctional culture and be sensitive to operating units engaging in unethical or irresponsible business behaviour or foregoing attractive market opportunities through risk-averse thinking. A pattern of limits violations, near misses, noncompliance incidents, internal control deficiencies and foot-dragging on remediation of issues is a sign of potential cultural issues that warrant escalation.

[Image caption] BOOST ENTHUSIASM AND ENGAGEMENT: An effective management risk committee will need to be informed and motivated
MRCs often facilitate the board’s risk oversight. The CEO and the executive committee dictate the MRC’s scope, delegating responsibilities consistent with business priorities. The board provides input into this direction and approves the MRC charter to ensure the committee’s activities are adequate to inform the board’s risk oversight.
The above points are illustrative and are intended to be neither exhaustive nor prescriptive. This article is also not intended to suggest that every board must have a risk committee and every company must have an MRC. Directors and senior management must decide how best to oversee and manage risks, and a risk committee is but one tool to consider.

1 A de facto risk committee may exist through a subcommittee of the executive committee or an equivalent group with a name other than ‘management risk committee’.

2 According to The State of Risk Oversight: An Overview of Enterprise Risk Management Practices by Mark Beasley, Bruce Branson and Bonnie Hancock (March 2017), in the United States, 80 per cent of the largest organisations (greater than $1 billion in revenue) and 83 per cent of public companies had a management risk committee in 2016. Usage of these committees since 2014 increased across all types of organisations and specifically for the largest organisations and public companies by 17.6 per cent and 18.6 per cent, respectively. Since 2009, usage increased dramatically (by 164 per cent) for all organisations.