The resource guide, published by Deloitte, is designed to assist board members of publicly held banks, bank holding companies, and other financial services companies in the design, development, and operation of a board-level risk committee. The document is organized into four sections which provide an understanding of board-level risk committees. The overview ranges from the initial contemplation of establishing a risk committee to ways of evaluating the effectiveness of the committee. In addition, more tools and resources are referenced throughout. While the guide largely addresses both board members and risk committee members at large banks and bank holding companies (BHCs), it is useful for any company that wishes to obtain more information on risk governance and oversight. Some of the main messages from these four sections are described below.
1: Considerations in Forming a Risk Committee
This section outlines considerations when forming a risk committee. The following factors reflect important considerations when deciding whether a risk committee at the board is appropriate.
- The needs of the stakeholders: The needs of stakeholders should be considered. In doing so, the board should assess the quality of the current risk governance and oversight structure, the risk environment, and the future needs of the organization.
- Alignment of risk governance with strategy: It is key that the board, management, and business units be aligned in their approach to risk and strategy. Such consideration promotes better risk governance and ensures that risk oversight is value-adding.
- Oversight of the risk management infrastructure: Consider who will be in charge of the people, processes, and resources of the risk management program. Also consider who the chief risk officer (CRO) will report to, whether it is to the risk committee, board, or the chief executive officer (CEO).
- Scope of risk committee responsibilities: Decide whether the risk committee will be responsible for overseeing all risks or just some. For example, the audit committee may maintain oversight of risks associated with financial reporting. Since risks are interconnected, it is important to consider how these relations should be addressed.
- Communication among committees: Consider how the committees will keep themselves informed about risks and risk-oversight practices. This may call for the board to define clear boundaries and communication channels.
2: Risk Committee Charter and Composition
- The composition of the board risk committee
- Terms of service of the risk committee members
- Who will be responsible for the oversight of management’s risk committee
- The board’s or risk committee’s responsibility to oversee risk exposures and risk strategy, and
- Responsibilities regarding the enterprise’s risk appetite, risk tolerances, and utilization of the risk appetite.
Included in the resource guide is a model board risk committee charter, developed by Deloitte, which can be used by companies as a template. The risk committee charter should be developed as a group, referred to by the committee when uncertainties arise, and should be reviewed annually. The role of a risk expert on the board risk committee is comparable to that of a financial expert on the audit committee. Suggestions regarding a risk expert are also offered in the guide.
3: Fulfilling Risk-Oversight Responsibilities
The responsibilities of a board risk committee may include the following:
- Oversee the risk management infrastructure
- Address risk and strategy simultaneously, including consideration of risk appetite
- Monitor risks
- Oversee risk exposures
- Advise the board on risk strategy
- Approve management risk committee charters
- Oversee/Support the CRO
Deloitte has provided several resources to assist in defining risk committee responsibilities. It has also published a series of papers focused on the Risk Intelligent Enterprise, which provide overall guidance on risk governance and management.
4: Ongoing Education and Periodic Evaluation
It is important to determine how the risk committee will stay informed on developments in risks so it can evolve in its response to them. Some guidelines that can assist in education and training initiatives are:
- Stay abreast of leading practices as risks evolve
- Understand the new risks associated with new businesses and locations and how changes in regulations increase or decrease risk
- Benchmark risk governance practices of peers
- Keep up to date on risk disclosure requirements
- Offer orientation programs for new risk committee members
Deloitte has included a risk committee performance evaluation, as well as illustrated sample governance documentation in the appendix of the guide.