The report, authored by William Atkinson, shows that senior risk executives are the individuals traditionally charged with overall responsibility for risk management at the operational level within an entity. Boards typically have responsibility for risk, but only in general oversight terms, with audit or finance committees bearing many of the more specific risk responsibilities.

Now this trend is changing, with many organizations forming separate board-level risk management committees. These committees are able to help organizations in many ways. One benefit is that some of the burden is removed from audit and finance committees. For organizations implementing ERM strategies, another benefit is that a separate committee can be more effective at overseeing that process. A third benefit, for companies that must meet the New York Stock Exchange listing requirements, is that the committee helps meet the requirement that boards oversee management’s policies and practices for managing risk associated with major financial exposures.

The formation of board-level risk committees began in Canada, Europe, and Australia, spread to many U.S. financial institutions, and is beginning to spread into nonfinancial U.S. companies as well. The committee’s usefulness is dependent on the industry, business size, and specific risk exposure. Companies that are large and highly regulated, such as financial institutions, pharmaceuticals, and health care businesses, are those most likely to form a board-level risk committee.

The article provides examples of companies that have benefited from forming board-level risk committees. National Penn Bancshares has a management-level Executive ERM Committee that reports to a board-level Directors ERM Committee, which in turn reports to the board of directors as a whole. The Directors ERM Committee ensures risk management activities are within policy and risk tolerance levels and has much more time to discuss important risk issues than the full board. Duke Energy also created a board-level risk committee about ten years ago that has increased the board’s awareness of risk issues and has put discipline into the risk process that the company has found very worthwhile.

Risk Concepts Relevant when Considering a Board-Level Risk Committee

There are several important risk concepts that need to be considered.

Risk content is an important concept when thinking about risk. Companies need to identify the specific enterprise-level risks that may threaten their organization’s existence, strategy, and business model. These are the risks that the board and senior management need to be aware of. Risk content tends to have widely distributed concerns and ownership. Therefore, this is a risk focus over which all board committees will have oversight, with appropriate board members and committees focusing on regulatory risks, compliance risks, financial risks, operating risks, and product risks.

Risk process is another central concept in thinking about risk. This details how the company identifies, evaluates, assigns responsibility for, reports, and structures itself around the risk content. Risk process is what organizations are putting their focus on with board-level risk committees. A risk committee is able to articulate reaction to risk, measurement and quantification of risk, and communication and reporting about risk.

The risk executive, a risk manager or chief risk officer, is often the individual driving change in a company. This risk executive pulls information together and communicates to both the management team and the board in many organizations, so that both can perform their functions and make informed decisions. When boards become more involved in risk management throughout their committees and with separate risk committees, it provides stronger governance over risk management for the organization.


Link: William Atkinson, "Board-Level Risk Committees," Risk Management, p. 42, June 2008.


ERM Enterprise Risk Management Initiative 2008-06-01