One of the highest priorities among board duties is oversight of the company's risk management. In today's environment, the breadth and complexity of risks are expanding, even for companies that are not entering into new markets, activities and/or locations. If a company is making such changes, those activities will typically introduce new risks and may alter existing ones. The board's oversight of risk management includes “atypical risks” that were historically deemed extremely improbable and therefore got little attention, with such lists including items like war, strikes and pandemics. (Surprise!) The time has therefore come for boards to take a fresh look at how they oversee risk management.
While oversight of risk management is a topic that should be considered by the entire board, the “deeper dive” at the committee level is typically assigned automatically to the audit committee, often without any discussion of alternatives. This “default setting” may fail to consider whether the audit committee has the bandwidth to handle more than oversight of accounting and financial statements and whether the audit committee includes board members who are knowledgeable about and capable of risk management oversight.
While the members of the audit committee — who are typically financial executives, CPAs, etc. — may also have the knowledge and experience to oversee risk management, it is possible (if not likely) that they do not. Effective oversight of risk management at the board committee level may benefit from having board members with experience in company risk management, relevant industry experience and perhaps even board experience in this area. So, boards may be missing a valuable opportunity to strengthen governance by not having a risk committee.
And yet, the notion of creating a separate risk committee is too infrequently addressed. If the idea is raised, it is often dismissed based on a desire to avoid the proliferation of board committees. But given the importance of risk management oversight, the creation of a risk committee should receive serious consideration. Even if the board decides against it, the discussion and the reasons for the decision should be recorded, and the question should be revisited annually — or sooner if there is a material change in the risks facing the company, such as through new products, activities or acquisitions.
The board's nom/gov committee typically reviews the board's committees and their composition on a regular basis, so that committee might initially weigh the pros and cons of creating a risk committee. To overcome the inertial forces, a good starting point might be the recognition that boards regularly create special committees whenever the need arises, such as for an important merger or acquisition, a board investigation or a material transaction involving insiders. Company bylaws usually provide for the board to easily create committees whenever deemed necessary, so there is typically no legal obstacle. But in the unlikely event that shareholder approval is required, it should be sought and obtained. Whether or not a separate risk committee is established, the nom/gov committee should include the requisite knowledge and skills for oversight of risk management when reviewing overall board composition.
A good reference point is to note that Dodd-Frank has required banks over a certain size since 2010 to have a separate risk committee, although it's noteworthy that most of those banks already had one. Many nonbank lenders also have a risk committee. I have chaired the risk committee of such a nonbank lender, as well as its operating committee, which focused on marketing and delivery of lending activities. This left our very capable audit committee to focus on our accounting and financial reporting.
The effectiveness of boards and board committees depends on their composition, and this is true of risk committees as well. A risk committee's members should understand risk management in general, as well as the company's activities and the risks it faces. The key elements of risk management are identifying risks, monitoring changes in existing risks and the emergence of new risks, and addressing risk through preparation, contingency plans and risk mitigation, which may involve costs.
Of course, formation of a risk committee does not prevent bad things from occurring. Silicon Valley Bank, Signature Bank and First Republic Bank each had a risk committee, although the composition of those committees may not have been optimal. A risk committee should ideally include one or more members with knowledge of the company's industry, directors with knowledge of risk management in general and perhaps members with board experience focusing on risk management oversight. As with all board committees, the risk committee should report to the full board with both the conclusions it has reached and the processes it followed to reach them and be prepared to address the board's questions and do further work, if necessary.
The board's responsibility is one of oversight, not management. Supporting management in its direct risk oversight duties is therefore a key board responsibility.
I have chaired the risk committees of both financial and non-financial company boards and have seen firsthand how having a risk committee clearly enhances the board's oversight of risk management. One public company board on which I served — not a finance company — wisely established a committee focused on risk as well as strategic planning following the Great Recession. Our very capable audit committee was then free to focus on the company's annual cycle of K and Q reports, while we tasked management with assembling a list of every risk to which our company was potentially exposed. It was quite time-consuming at first, but updating the report quarterly gradually became easier. While the value of this “risk report” wasn't initially clear to either the board or management, a couple of years later, our COO was presenting a small acquisition to the board, and in the middle of the PowerPoint presentation he commented, “If we do this deal, there'll be two new line items on next quarter's risk report.” And I thought, “This is just what we wanted! Our board and management are thinking systematically about risk!” Of course, both management and the board had previously been fulfilling their duties regarding risk management, but this process emphasized and clarified this important area of board responsibility and made it easier to fulfill.
The activities of a risk committee should provide a “deeper dive” into oversight of risk management. This means engaging with management regarding its policies and procedures for identifying, monitoring and mitigating risk; participating in enterprise risk management activities and reports; and considering the company's overall risk appetite and ability to withstand unexpected outcomes and occurrences. The exact agenda of each risk committee will vary depending upon the company's industry, activities and geography, as well as other factors. Having a separate risk committee is an underutilized tool for boards to strengthen their governance, thereby potentially enhancing enterprise value and reducing — or at least more effectively managing — risk.