Take risk committees more seriously
If an enterprise board, in its ideal role, has to govern and guide the enterprise strategy, risk oversight is critical. Should the entire board take up the responsibility for risk management, or should it form a sub-committee for risk management?
Every strategy is a hypothesis, and several underlying assumptions define its uniqueness. Understanding the risks is essential for guiding the CEO on the strategy and its management. Insights obtained from both internal and external sources help the board of directors take informed decisions and chart the direction. Depending on the size and quantum of work involved, a board can decide to constitute a risk committee within the board for smoother functioning of this critical role, as risk oversight is a responsibility no board can absolve itself of.
Many directors ask us why they should look at a separate risk committee and why the audit committee can’t do this as part of its work. Most often, the audit committee won’t have the required skills, time and mindset to do this work. Boards would be ill-advised to assign risk management to the audit committee, given that it is probably overloaded already.
It is also better to have a risk committee when enterprises have special issues, such as the ones we see in the power, banking, natural resources and similar sectors, where problems of credit, pricing, regulation, etc, can be ever-changing. Tech companies, for instance, will be contending with disruptive forces all the time and will need a special risk mitigation focus.
The role of a risk committee should encompass the entire organisation with a systematic approach to categorising, monitoring and guiding on risk issues. It should support the management to focus on risk mitigation processes.
The big financial panic of 2008-09 scared boards across the world into evaluating much more deeply the risks facing their companies. At the tactical level, that meant building practical risk oversight and management into the board structure. Typically, this is done through the audit committee, but it often drove the creation of a customised board-level risk committee.
It is now over a decade since the initial board awakening to risk, so let us take a look at how their risk oversight structures have evolved. (It is altogether another matter that most boards were not prepared for the Covid-19 pandemic, despite their best efforts at risk oversight.)
Board risk oversight has become much more institutionalised over the past decade. Laws in most developed economies now mandate company disclosure not only of major risk factors but also how the board structures its oversight of them. This has driven improved corporate risk data gathering and reporting, plus more formalised board review and discussion.
A dedicated board risk committee has gained in popularity over the past decade, but still remains in the minority. Data vary by country and sector (the percentages are highest in Asia) but, overall, about 25 per cent of the corporations seem to have a distinct risk committee, mostly among large cap companies and financial services companies. Another survey found that 65 per cent of the responding companies make the audit committee their default on board risk oversight. Amidst the pandemic, SEBI had proposed that all the top 1,000 companies must have separate risk committees in boards at the earliest.
How board risk management is allocated today is not that simple. Risk oversight is being customised to each company’s needs and current risk climate, and integrated into board structures to fit. Creating a risk committee is seen as an insurance policy, and any of the committees are able to put in the right processes and controls. As an example, compensation committees have added more charter space and agenda time to the specific risks their pay and incentive plans create for the company. Also, board risk consideration is a factor in the creation of other new committees, such as ESG (environmental, social and governance), technology, disclosure or compliance.
Another reason for peeling risk oversight away from the audit committee is better prevention. Audit is tasked with a validating, backward-looking perspective, but it should be forward-looking. Often, the forensic, numbers-driven structure of audit lacks the more dynamic, hypothetical approach needed to avoid dangers. In other words, just as in the government’s CAG, preventive audit is absent.
For companies that do create a specific, chartered risk committee, things have changed as board risk oversight has matured. Rather than nominating members at random (or shaping a sort-of sub-audit committee), boards now need to ensure particular expertise, and people who are deep in the areas the industry depends on. Technology is the hottest of these at the moment.
Every board needs a focus on digital maturity and impact, not to mention cyber security and AI. This closely aligns with risk management. Boards should consider not only the dangers of cyber attacks and data fumbles but also the positive risk of missing new digital strategic and marketing opportunities. This insight is a natural fit for any board risk committee.
Going forward, boards may want to set up a formal process for documenting the roles and responsibilities of the risk committee. Define what will be overseen by the whole board and what by the committee. Some of the key roles for the committee can include the following:
# Identify, monitor and manage critical risks and propose scenarios for the executive team;
# Every quarter, discuss with the executive team potential threats and evaluate the risk heat maps;
# Set up a process for regular risk reporting by the enterprise;
# Co-ordinate with other standing committees on key issues of risk; and
# Evaluate and appraise the cultural aspects of the enterprise that encourage premature or inappropriate risk-taking steps.
For instance, in some companies, health and safety aspects are not always as per the set norms and, in a typical Indian way, even the CEO thinks accidents do not happen to them.
Bottom line: The risk committee should eventually align with, and support, the board’s overall governance of risks.