(Audit and) Risk Committees

The committee’s assessment of risk exposures morphing into a discussion and decision on whether or not it’s acceptable to maintain that exposure or overall risk profile.  Yes, the committee will want to look at the risk exposures otherwise it can’t judge how they need to be managed.  But, at least for the big exposures, the decision as to whether they are acceptable should probably be a full board discussion in a board meeting – unless the risk appetite has clearly been stated and agreed by the full Board.

Producing short aspirational statements of risk appetite which become meaningless when you try to make operational sense of them (with operational risks particularly prone to this).  This doesn’t help management, or the committee, judge how far the current risk exposure is out of line with where we want to be – or the business can support.  Risk appetite statements – whether quantified or directional – work well if they are supported by good analysis, some detail and a narrative description of where the business needs to head.  And often it can be best communicated by referring to decisions actually taken or case studies – rather than through conceptual statements.  Too often we see boards giving up on the concept of “risk appetite” before they’ve really got stuck into it – often because the discussion is at too high a level, and usually too short.

Expecting a quickish discussion in the board meeting to result in something useful.  It can do – but only if the committee members have acted as “sherpas” in thinking through the objective, the detail and the way it needs to be presented.

The “risk committee” discussion becoming the board discussion.  Many of the same people might be in the room but (1) some directors might not be – and they need a proper opportunity to be involved (2) the chairman is a different person with a different style, perspective and (possibly) set of priorities and (3) it’s a different forum with a different atmosphere and dynamics and objectives.  So if it’s strategic discussions around appetite and acceptability – make sure there’s a proper discussion in the full board meeting, not just a quick “we’ve already dealt with this in the committee”.

Letting attendance by non-committee member directors just come about informally – and become something which non-members slide in and out of.  Yes, it might be one of the more interesting committees (although you might have to endure sitting through a lot of accounting stuff) and it’s probably useful as an information source too.  But the dynamics change when there are more bodies around the table – and especially when not everybody’s there and attendance across meetings (or for the whole of a meeting) isn’t consistent.  Also, it can mean that board days become even more compressed for all the directors, with a possible impact on energy levels and attention span in other meetings.  Furthermore, NED time is a scarce resource and needs to be used sparingly eg there might be less time spent on preparing for the other meetings or sitting down with management.  And scheduling can become even more fraught.

Allowing wider attention to dilute the sense of a committee working as just that – a small group of people with a specific, specialist focus who base their discussion on detailed preparation and recognise their particular responsibilities as a member of the committee.  So when others are there, particular consideration needs to be given by the committee chairman to where the members sit and how they are included in the discussion: they need to feel like a committee, not just individuals mixed up with their other colleagues.

Accepting lengthy reports with management detail which is provided to the committee “because it’s available”.  Non-executive oversight committees don’t need to know the ins and outs of the mitigation approach – and they certainly don’t find it useful to be given detailed definitions of risks.  Put simply, they want to know how we’re exposed and what we’re doing about it.  (On the other hand, they’re not going to be happy with glossing over along the lines of “don’t worry – we’re managing it”.)  Just because the committee asked for more detail on one thing on one occasion, that doesn’t mean it must become a standard part of the report.

Accepting a report from the CRO which simply provides data and fails to set out his/her opinion on whether the risk profile, a developing trend or a particular material risk position is acceptable.  Someone in that role should be providing an opinion (and a solution), not just information.

Relying too much on the CEO or the “second line”.  It’s “first line” management’s responsibility to manage the risks – so bring them into the meeting to hear first hand if it’s practical rather than treating the CRO as the intermediary.  If the executive directors are in the meetings they may well take responsibility – but do they have the detailed picture?

Losing sight of some big risks.  With “cyber” being a hot topic, nowadays most “risk committees” have it firmly on the agenda.  But other areas might be falling between the cracks – the integrity of non-financial information systems is a good example, the “culture/behaviour” programme another – along with “change risk”. So stand back from time to time and ask: what are the significant threats to our business performance – and where is the board-level oversight sitting?”

Skimming over the risks at considerable height and never really getting to an adequate understanding of how we are exposed and what we are doing about it.  Bring the right management in and look forward to an in-depth lesson and discussion.

Equating having good processes with effectiveness.  Just because we have an ERM system that looks and feels like everybody else’s doesn’t mean to say that we have good risk management.   The system may be “state of the art” and work as a process, but does it have much impact on what we do or the outcomes?

Thinking the HIA is all about the audit committee.  He/she will have very good insight into the control environment and emerging threats/risks – as well as a picture of the risk culture.  That’s important information that needs to form part of the risk oversight discussion.