Last month, I discussed the need for good risk governance in deploying a risk strategy. With governance rigor, successful execution is much more likely. The effective construction and use of risk committees can be central to managing risk effectively, but can be a personal political disaster if not designed and implemented thoughtfully.
Multiple risk committees are used almost as commonly as a singular executive risk committee. There is no single approach to this because it depends heavily on the culture of the organization. The first question to consider is whether the culture is one in which committees are commonly used to govern. If so, are they used at multiple levels to address the various aspects of the work to be done?
If multiple levels are acceptable, then you should consider at least two levels of risk committee: one at the highest level where you can secure real commitment and one at the mid-level of management. The former is ideally focused on strategic oversight of risk management, which would include ensuring that policies and practices are developed, implemented and followed. It should ensure that risk appetite is well defined, understood and used to monitor risk positions taken throughout the various business segments and on an aggregated basis on behalf of the enterprise. It should also ensure that the various risk stakeholders are aligned.
The key to oversight is commitment. Without the regular attendance and active participation of the right senior leaders, you're wasting your time.
Commitment boils down to priorities, understanding risk outcomes, and realizing that risk can significantly impact corporate results. The evidence of true commitment is not limited to attendance and engagement in such a forum, but extends to committing real resources to support the strategy. Oral and even written commitments aside, the proof is in the hiring and the funding.
Membership in the executive-level risk committee ideally would include the chief financial officer, the general counsel, the chief operating officer, segment heads and key risk stakeholder function leaders such as audit, compliance and business continuity, among others.
All these players need to be active and engaged, and willing to contribute to the resource allocation. All players must be willing to pony up the resources necessary to support participation.
For the executive-level risk committee to be effective, it ideally would be supported by a working-level committee that ensures execution by functional players at the tactical level. Typical meeting agenda items would include policy and risk limit development, and the initial review of emerging risks and their assignment for mitigation and follow-up.
Other responsibilities could include: risk officer vetting and appointment recommendation to the executive risk committee; periodic risk measurement review; risk aggregation reporting review; and other measures that support the larger risk strategy.
Whether you use one or both of these forums to drive your risk strategy and tactical plans, you must have governance that drives accountability and commitment to your end goals.
CHRISTOPHER E. MANDEL is the president of Excellence in Risk Management LLC, a long-term risk management leader, and former president of the Risk and Insurance Management Society Inc.
March 1, 2011
Copyright © 2011 LRP Publications