The practice of risk management requires management to take ownership of its risks, and an effective and efficient risk committee is the vehicle for doing so.
Some organisations create a risk committee that oversees risk management simply because they must have one. A well-run risk committee, however, forms the backbone that supports the organisation's risk management practices; those practices are the solid set of ribs attached to it.
Good governance is delivered through a risk committee. The role of this body is not just to be the “visible” face of risk management, but to oversee, guide and direct the “ribs”.
Risk management is part of every decision made, every day across our organisations. The best approach is to make risk part of your decision thought process rather than just the decision approval process.
Decision Thought Process
The decision thought process covers every stage of decision-making, from the initial idea through the business case, design, build and implementation. These are the day-to-day decisions that turn an idea into reality.
Decision Approval Process
The decision approval process is the final step that validates all of the decisions made along the way. It provides the final governance check that those decisions are appropriate and within risk appetite.
A Risk Committee is Good Governance
Good governance is required, but of much greater value is embedding risk into the decision thought process itself.
This is not rocket science.
Deloitte developed a guide in response to growing interest in board-level risk committees. Deloitte noted that boards may benefit from reviewing the composition, reporting relationships and responsibilities that best suit the enterprise. That paper considers the question from the perspective of the Board, but what about management?
So, assuming you have the appropriate foundation for your management risk committee, the next question is how to make that committee effective.
Key Principles for a Risk Committee
Here are my thoughts on the “10 key principles for an effective risk committee”.
- A small, focused group of executives: your leadership team plus a few “outside” parties (e.g. General Counsel, Head of Compliance).
- A simple agenda that focuses on the key areas of the business, its issues, risks, controls and any actions to reduce risk.
- Clear oversight of the frameworks in place, ensuring effective and efficient risk management practices.
- Oversight over the project portfolio of the business from a risk perspective.
- Key approval for strategic projects that impact the risk profile of the business.
- Have one management risk committee, removing “unnecessary” committees.
- Sufficient pre-reading time for papers, so the committee can focus on discussion rather than having papers read to it.
- Focus on both top-down “what keeps you up at night” requirements and bottom-up reporting and escalation.
- Keep the meeting to a maximum duration appropriate to the nature of the committee (e.g. a smaller business should keep meetings to no more than 1 hour, whilst a larger business might extend this to 2 hours).
- Members must advocate for the decisions the committee makes. If a member “returns” from the committee and ignores its outcome, the entire committee loses its credibility.
This list could go on but this “Top 10” will hopefully help make your risk committee more effective and efficient.
We also recommend reading our article on the Four Lines of Risk Management, which supports the activities required.
The risk committee alone is not the answer to managing risk for your business. That is up to leadership, and to embedding risk into the decision thought process.