More and more companies are creating them, although some choose not to have one at all.
Corporate risk committees are becoming more common than ever, and many consider who sits on them critical to the proper functioning and oversight of the ERM program. Still, despite their proliferation, some of the most mature ERM programs have elected not to have a risk committee, mainly because these companies believed their programs and processes were robust enough not to warrant this extra level of review.
To some degree, these risk-committee-free companies may be on the leading edge of a trend: as ERM, or risk management in general, becomes more entrenched in a company, the formal risk committee could become less necessary.
What follows are a few takeaways from the NeuGroup’s Corporate ERM group meeting, along with an account from one member who described how her company’s risk committee functions.
Who should be on the committee?
Feedback from members via the pre-meeting survey indicates that many companies have risk committees at more than just the board level, including at the executive management and business unit levels. The positions most often represented on the executive or BU committee include the head of internal audit, the general counsel, business unit executives and the treasurer.
Formal credentials are not required
Among members, it is unusual to have a formal vetting process to determine whether potential committee members are qualified. Rather, it is presumed that if they are qualified for their position, they are qualified for committee membership. Informally, however, the top characteristics considered for committee members include experience, leadership, role in the organization, and being a stakeholder in the process.
One company’s process
One ERM member company has three risk committees: at the board level, the executive level and the business unit level. Each committee meets four times per year for three hours. Naturally, the different groups have different views of and responsibilities for risk. The presenting member described those roles as follows:
- Company leadership: evaluate risks against stated risk appetite and strategic company goals, review and decide on risk mitigation strategies.
- Functional owners: monitor risks against stated risk appetite and strategic company goals, implement risk mitigation strategies.
- Domain experts: provide insight and perspective to help evaluate specific risks presented, as well as inform potential risk mitigation strategies.
However, this member also noted that, of the three-hour meeting, ERM takes up only about 30 minutes.
Bridging silos is a key objective
The primary goal in all of this activity is to generate a “robust discussion around business and cross-company risk,” noted the member. The core ERM activity is happening at the BUs where there are dedicated ERM leads who are in the trenches speaking with hands-on operators and engineers. The job of these leads is to “connect the dots across BUs,” she said.
Embedded ERM
Several members affirm that their companies have a strong risk culture. One member firm, which does not have a formal risk committee, affirmed this and also attributed much of the company’s ERM success over the decades to its ingrained ability to manage risk. Taking it a step further, this member suggests that performance appraisals should include something intended to drive risk consciousness throughout the organization.
It isn’t clear whether the notion of a risk committee is coming into or going out of favor as ERM matures. For now, risk committees are more common than not and take similar forms where they exist. There does seem to be a need for such a group (or groups) within companies. Regardless of the approach, the key objective is to ensure robust discussion that seeks to discover risk, and that these discussions cross lines of business to bring greater awareness throughout the company.