Committees and Risk

Allowing risk committee meetings to become, in part, board meetings. That happens when discussions on risk exposures drift into strategic “risk acceptance” decisionmaking, particularly when the approach becomes “we’re all here anyway so we might as well discuss it now rather than again at the board”. Whilst pragmatism needs to be applied, at the same time there needs to be a constant awareness that full board meetings are different and are the right forum for strategic decisionmaking. The committee chairman needs to be very alert to the need to defer at least part of the discussion – and, for certain, any decisions – to the board meeting.

Assuming that anything containing the word “risk” falls within the risk committee’s remit. Inevitably, a committee has to review risk exposures in order to assess the adequacy of the risk response. But there’s a difference between assessing the level of exposure and the way it’s being managed, and making a decision that it’s strategically acceptable.

Going through “risk appetite” setting at the board level – and then not doing anything with it for the rest of the year. Imperfect though the concept of risk appetite might be, it can still be useful in helping the committee assess how far the risk exposure is in line with the board’s intentions and as a way of tracking developments against a fixed point.

Thinking that simply leaving the principal risk and appetite discussion to an hour’s slot each in the occasional board meeting (if that) will be enough. It might be – but only if the committee has worked with management in setting out beforehand the issues, options, analysis, implications…. It also needs to set these out clearly for the board, ideally in a well-structured paper – so that means doing it a few weeks ahead, not the day before the board meeting.

Losing sight of the core responsibility of the risk committee to look at the effectiveness of risk management processes, structures and systems.  It’s probably more interesting to look at the exposures and how much risk to take, but the agendas and discussions need to keep the right balance and not tilt unduly towards the more engaging topics.

Thinking that “risk management effectiveness” is all about processes and structure. That’s part of it – but risk management is only effective if it’s having the desired impact. So, you need also to look well beyond the process and look at the strategic direction given to risk management, the behavioural angles (“risk culture”), management monitoring – and what actually happened and how lessons are learnt.

Thinking that we’re still working along the lines of “Turnbull statements”. That annual review was never particularly effective in encouraging a close look at how well risk management is working and soon lapsed into inevitably positive boilerplate statements, often “evidenced” by unconvincing effectiveness reviews. Much more is now expected – especially from regulated entities.

“Losing the will to live” when it comes to risk reports. Whether that’s when you’re actually trying to get through the report and working out what it’s trying to communicate (or even trying to read it at all, when the font is so small and the “information” so crammed on to the page). Or whether you feel you’ve asked so many times for less detail and more evaluation and still aren’t there – but opt for the line of least resistance by accepting something you’re still not happy with.

Allowing the risk discussion to be dominated by discussion of “risk issues”, a popular euphemism for “something that has already gone wrong”. Yes, problems need to be addressed. But it’s even more important to spend time on how the likelihood of future problems is to be reduced. Learning from past problems in order to avoid repetition is important, but not enough.

Just engaging with the Second and Third Lines. They are not the ones ultimately responsible for risk taking and risk management. Yes they have important roles in the risk management framework and need to be held accountable for their performance of those responsibilities. But to understand the reality of how the business is managing risk, you need to speak directly to management – so, bring them into the room from time to time to look them in the eye and hear first-hand about what’s happening.

Opening the meeting to all-comers. Sometimes it’s a compliment – the discussion is really getting into meaty issues. But sometimes it’s because executives feel the need to keep an eye on what the NEDs are up to. Or, more creditably but equally unhelpfully, because the meeting is always allowed to drift into interesting discussion about business issues and this is a good opportunity for executives to get together to discuss them.

Leaving them out because they’re responsible to the Audit Committee. Yes, that’s the primary reporting line but the Head of Audit will (or should) have a lot of insight to share. Operational risk is largely mitigated by internal controls and that’s Internal Audit’s territory. So, in the same way that it’s common for the risk committee and the audit committee chairmen to sit on each other’s committee in order to minimise the risk of confusion over the boundaries, the HIA and the CRO should also cross over.