In the traditional board-of-directors committee structure, each of the board’s five main functions (strategy, executive selection and compensation, governance, audit, risk and compliance) is assigned to a different committee, except one: risk, long handled by the audit committee.
The Dodd-Frank law mandated that major, public financial firms operate separate risk committees of the board with at least one risk management expert – a reaction to the 2008 financial crash, which so many financial firms didn’t see coming. Now, non-financial companies, among them GE and Owens-Illinois, are increasingly looking around the threat landscape, especially on the fast-moving cyber side of risk, and concluding that they too need a separate risk committee.
It’s a smart move. Mandates for risk and audit committees are actually quite different. To put it succinctly:
Audit thinks in the box
The main focus of the audit committee is fixed on the books and the regulations. Are the financial records accurate? Are the public disclosure requirements being met? Are Sarbanes-Oxley, FASB and other compliance requirements under control?
Risk thinks out of the box
The risk committee looks at probabilities of loss events, even disasters, and the preparedness of the company to face them. And as legal and disclosure requirements increasingly extend into risk management – see the recent guidance on cybersecurity from the Securities and Exchange Commission – this committee also defends against legal liability.
In fact, the two committees come at their roles from entirely different mindsets: the periodic audit vs. continuous monitoring.
In his book Implementing Enterprise Risk Management, eTrade Director James Lam outlines the key business decisions for a risk committee:
- Reviewing and approving risk appetite statements proposed by management
- Reviewing specific risk assessments, such as for cybersecurity, anti-money laundering, third-party oversight
- Reviewing and approving management recommendations regarding capital reserves
- Reviewing and approving strategic risk management decisions such as budgeting and major investments
- Overseeing overall development and effectiveness of risk and compliance programs.
Lam breaks the risk committee’s mandate down into three primary areas: risk governance, risk policy and risk assurance.
There’s another good strategic reason for boards to elevate risk to committee level: Effective risk management can become a competitive advantage. Just look at the sorry parade of companies severely damaged by unforeseen cybersecurity crises in the last couple of years: Equifax, Uber, Yahoo, Merck, Maersk and FedEx. The alternative to high-level attention to risk management might well be... crisis management.