Most boards are organized into standing committees such as audit, finance and compensation.
Dodd-Frank legislation calls for nonbank, public financial companies administered by the board of governors of the Federal Reserve System, and public bank-holding companies with total assets in excess of $10 billion, to form a dedicated "risk committee."
The very idea of a dedicated risk committee has sparked debate in the risk management community. It has called into question whether it is truly appropriate, and could this possibly hinder proper execution of board oversight obligations and overstep boundaries between management and directors.
On one side of the debate, we hear of the great benefits of creating a risk committee. Such a committee could improve oversight of management and the company. The committee would be responsible to report risks to the board, and the board would thereby be better informed of the organization's threats and mitigation plans.
Board meetings do not provide adequate opportunity or time to debate underlying assumptions and risks embedded in a company's strategy or operational direction, some say. As such, a risk committee would ensure that critical risks receive enough attention especially if an audit committee is overburdened.
On the opposing side, we hear that having a dedicated risk committee is a very bad idea. Boards should be counting on management to have a risk management program that spans all forms of risk, and to report routinely on key risks including strategic risks.
It is felt that the board should continually probe the company's risk management program, query management to ensure that risk management is an ongoing daily activity, and that the practices are embedded into the organization's decision-making process. This kind of oversight is one of the core functions of the full board, and this responsibility should not be delegated to a new committee. No one committee should have full responsibility for risk oversight, the argument goes.
Added angst exists around the effect of injecting another new committee. This could lead to ambiguity as to where one committee's responsibility begins and another's ends. Traditionally policies and disciplines around risk assessment and response plans are discussed with the audit committee.
With such disparate views, could the sheer creation of a board "risk committee" end up being a risk in itself? Could too many board committees result in them tripping over themselves? Or worse, will committees unknowingly give way to other committees and ultimately big things may get missed?
Companies and boards should take time and discuss whether a risk committee is right for them. They should consider their risk position, organizational direction, and historical performance with managing risk.
Clearly, it is a decision not to be taken lightly.
JOANNA MAKOMASKI is a specialist in innovative enterprise risk management methods and implementation techniques.
October 1, 2011
Copyright 2011© LRP Publications