Overall Responsibility for Risk Oversight

A basic tenet of risk management to be remembered, even if a risk committee is created and designated as part of the board, is that the full board should retain the overall responsibility for risk management.  Oversight is the responsibility of a separate committee (if one is created), but determining what inherent risks are present in strategy should be the responsibility of the full board.

The paper, authored by Carol Beaumier and Jim DeLoach, notes that many companies have automatically given the responsibility of risk oversight to the audit committee, citing that committee's experience with financial reporting and with finding the risks in that process. However, the audit committee might not have the time, skills, and support to do a thorough job of assessing the risks of the enterprise as a whole. For example, the audit committee “financial expert” might know GAAP like the back of his or her hand, but when evaluating marketing or reputational risks, that expert might not be able to handle the whole portfolio of risks well.

Should There Be a Separate Risk Committee?

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) requires publicly traded banks with over $10 billion in assets to have a separate risk committee composed of independent directors. Analysts predict that a trickle-down effect will cause nonfinancial services companies to create these separate committees. However, this has not been proven to work in every industry or company. Financial institutions, power companies, technology companies, and other complex organizations that require special attention to risk have often found such a committee useful. Other companies have had mixed results with separate risk committees.

The main goal of the risk committee is to draw attention to the company’s most critical risks. To do this properly, the committee must have an intimate knowledge of the business. However, it cannot lose sight of the forest for the trees: a high-level, enterprise-wide view of the company is required.

What a Risk Committee is Not

Creating a separate risk committee does not mean that the risks associated with the environment and strategy of a business suddenly disappear. A number of issues commonly come up in the formation of a separate risk committee:

  • Members of the new separate committee do not have deep knowledge of, or experience within, the company.
  • The committee is highly dependent on the information it is given. This goes back to the principle of “garbage in, garbage out.”
  • Redundant activities can occur if meetings are not planned well and coordinated with other committees of the board.
  • Members’ focus can be diluted by their attention to other, “more important”, committees.

Risk management can be effective within an organization without a special committee focused solely on risk. For example, audit committees look at the risks associated with financial reporting. Governance committees oversee governance risks such as board leadership and composition. Compensation committees usually look at the risks associated with the ways the company rewards its employees. Strategy and finance committees look at strategic risks. Some major companies, such as Dow, Chiquita, and Hewlett-Packard, simply incorporate risk considerations into existing committees. On the flip side, General Electric, General Motors, Hershey, and Duke Energy have separate committees that consider risk.

Roles and Responsibilities of a Separate Risk Committee

The authors of the article suggest various roles for a strong separate risk committee. They are listed as follows:

  • Determining whether or not there are robust processes to identify, manage, and monitor critical risks.
  • Overseeing the identification, management, and monitoring processes and ensuring they are continuously improved.
  • Ensuring that reporting and communication on the topic of risk are done on a timely basis.
  • Engaging management in discussions about risk appetite on an enterprise-wide basis.
  • Exercising oversight responsibility over certain risks.
  • Coordinating activities that assist divisions in their risk management processes.
  • Acting as a watchdog for dysfunctional behavior in the risk management realm, watching for expectation gaps, redundancies, and cost sinks.


Questions for Boards to Consider

To determine whether a board should create a separate committee to consider risk, the authors go on to suggest a few questions that the board should ask itself before moving forward in the process.

  • Does the board know whether a separate committee is required by regulators, and how it should be organized to comply with any governance requirements?
  • Is there sufficient experience on the board to effectively manage enterprise-wide risks?
  • Can this committee get the information it needs to do its job well?
  • Is there already a robust process in place to identify, prioritize, source, manage, and monitor the most critical risks associated with the business?
  • Does the whole board understand the risks inherent in simply being in business, along with the risks associated with the strategies of the business?
  • Are the assumptions that underlie the strategy understood by the whole board?


Deciding whether to create a separate committee to handle risk management is a highly customized process that will take different paths at different companies. Information flow is essential to this decision. If the board does not believe that a separate risk committee would be able to get the information it needs to be effective, there is not really any point in having one.

Read the full article at: http://www.conference-board.org/publications/publicationdetail.cfm?publicationid=2073

Link: The Conference Board


ERM Enterprise Risk Management Initiative 2012-02-01