Board Risk Committees I

Why have Risk Committees been established?

Risk Committees have emerged as a response to the shift from tangible measurable risks to intangible risks, such as reputational and cyber risks. 

Since the Global Financial Crisis, financial institutions have faced heightened scrutiny and public expectations, leading to increased focus on risk governance. Establishing separate risk committees allows boards to effectively oversee these evolving risks and adhere to the changing societal expectations and regulations, ultimately enhancing corporate governance.

What does effective risk management entail?

The responsibility for monitoring the effectiveness of risk management and internal control systems may be delegated by the Board to the RC.

In the UK, the 2018 Corporate Governance Code, principle O, states that:

“The board should establish procedures to manage risk, oversee the internal control framework and determine the nature and extent of the principal risks it is willing to take in order to achieve its long-term strategic objectives.”

Effective risk management involves a three-level escalation process, with frontline management addressing risks, a central risk team ensuring adherence to policies, and business unit risks escalated to senior management and company-level risks to the Risk Committee (RC). 

The RC assesses and advises the board on risks, monitors risk management infrastructure, and ensures the company's culture aligns with risk strategy and appetite. Additionally, the RC engages in compliance oversight, adapting to the company's risk profile and conducting systematic reviews while emphasising employee training and a compliance mindset.

What resources are required by the Risk Committee (RC)?

Risk Committees (RCs) help establish and disclose risk appetite and tolerance, aligning risk oversight with a company's objectives and require various resources to effectively fulfil its duties. 

These include management reporting, which serves as the main information channel, covering enterprise risk appetite, risk tolerance, and risk exposures. 

RCs also need updates on legal and regulatory developments and investigations, typically provided by the company's general counsel or external counsel. 

Furthermore, professional advice is essential, particularly regarding legal, tax, listing, and regulatory changes, as well as access to industry experts for sound benchmarking and best practices.

What should the composition of the RC be?

A well-composed Risk Committee (RC) requires members with expertise and experience in managing risks. The chair should be independent, and members should have diverse backgrounds, including experience in finance, accounting, and risk management methodologies. The RC should anticipate future vulnerabilities, promote a strong ethical culture, and enhance the company's reputation through effective risk oversight.