The Dodd-Frank law mandated that major, public financial firms operate separate risk committees of the board with at least one risk management expert – a reaction to the 2008 financial crash, which so many financial firms didn’t see coming. Now, non-financial companies are increasingly looking around the threat landscape, especially on the fast-moving cyber side of risk, and concluding that they too need a separate risk committee (among them GE and Owens-Illinois).
It’s a smart move. Mandates for risk and audit committees are actually quite different. To put it succinctly:
Audit thinks in the box
The main focus of the audit committee is fixed on the books and the regulations. Are the financial records accurate? Are the public disclosure requirements being met? Are Sarbanes-Oxley, FASB and other compliance requirements under control?
Risk thinks out of the box
The risk committee looks at probabilities of loss events – even disasters – and the preparedness of the company to face them. And as legal and disclosure requirements increasingly extend into risk management – see the recent guidance on cybersecurity from the Securities and Exchange Commission – this committee also defends against legal liability.
In fact, the two committees come at their roles from entirely different mindsets: the periodic audit vs. continuous monitoring.
In his book Implementing Enterprise Risk Management, eTrade Director James Lam outlines the key business decisions for a risk committee:
Lam breaks the risk committee’s mandate down into three primary areas: risk governance, risk policy and risk assurance.
There’s another good strategic reason for boards to elevate risk to committee level: effective risk management can become a competitive advantage. Just look at the sorry parade of companies severely damaged by unforeseen cybersecurity crises in the last couple of years: Equifax, Uber, Yahoo, Merck, Maersk and FedEx. The alternative to high-level attention to risk management might well be... crisis management.