In a recent discussion on risk management with a group of senior risk managers from UK plcs, the diversity of views as to the usefulness and purpose of a risk committee was very evident. Only 20% of the companies represented by these risk managers had a risk committee in place, even though risk committees are often cited as an important component of best practice in risk governance.
The Walker report following the UK banking crisis, “A review of corporate governance in UK banks and other financial industry entities”, recommended that FTSE 100 financial services companies should have a separate risk committee. This recommendation is included in the Financial Reporting Council (FRC) guidance for directors of banks.
In the banking sector, the FRC expectation is that separate risk committees will review, and report their conclusions to the Board, on: the bank’s risk appetite and tolerance (i.e. the extent and categories of risk which the board regards as desirable and/or acceptable for the company to bear); and the bank’s risk management framework (for example, covering principles, policies, culture, organisation, behaviours, systems, processes and procedures).
The benefits of a separate risk committee are also supported by the Risk Management Society (“RIMS”) Executive report – “Exploring the Risk Committee Advantage” which sets out the key advantages provided by a risk committee:
“One of the greatest advantages to forming a risk committee is its ability to help create a more risk-aware culture throughout the organisation. With most or all of the business operations represented on the risk committee, communication about new projects, initiatives and information about other departmental exposures creates a more informed workforce, as well as one that incorporates risk management practices into daily routines.”
The RIMS report also notes that a risk committee can provide the means through which the company can formalise its process for addressing risks and can be a source of valuable information for the Board to consider when shaping its strategy.
The UK Corporate Governance Code (“the Code”) and the related guidance on risk management published by the FRC do not require UK companies, other than FTSE 100 financial services companies, to have a risk committee. The ultimate responsibility for risk management rests with the Board, which should form its own judgement as to the most appropriate risk management framework for the business.
Boards have adopted the most practical risk management approach for their business, taking into account a wide range of factors including the structure of the company, its risk profile, the nature of the risks facing the business and the current work of the Board and its Audit Committee.
In many companies, the approach adopted does not include the establishment of a risk committee. As expected, the Board retains the ultimate responsibility to identify, evaluate and monitor the significant risks for the business but is supported in this by Executive Team meetings or Audit Committee meetings attended by Executive Directors, which serve as the mechanism through which risk registers and assessments are challenged and new emerging risks are identified and escalated. Where appropriate to the business, management meetings are also used to challenge risk registers at an operational level. The benefit of such an approach is that risk management is embedded within the established management structures of the business rather than being conducted in a risk committee separated from the wider governance framework.
The challenge for these companies is to ensure that sufficient time and attention is given to risk within meetings that already have a full agenda; the danger is that new and emerging risks, or increases in existing risks, are missed, which can have serious consequences. Those businesses that have established risk committees value them highly, since they provide a forum that focuses solely on risk management, with sufficient time on the agenda to consider risks more thoroughly, and a formal mechanism for reporting risk matters throughout the business.
In my experience, both approaches can work very well, but risk governance structures alone will not guarantee effective risk management. It is, and will always be, the case that risk management is undertaken by individual managers and committee members, who can make errors of judgement.
Boards therefore need to ensure that, whatever risk governance structure is adopted, these individuals are aware of the Board’s appetite for risk, its values and its priorities, and recognise that it is their responsibility to alert the business to issues if they arise. Boards also need to be satisfied that the risk governance structures they have established enable decisions to be taken carefully at all levels, following thorough challenge and a proper understanding of the potential consequences.