Risk Oversight: Board or Committee?

Good practices to consider…

First, be clear about the separate responsibilities of management versus those of the board and committees as a whole. What type and significance of risk decision is delegated to management? What sort of thing needs to come to the board/committees for approval and/or oversight?

Things to avoid…

Getting so absorbed in the board/committee distinctions that you overlook the foundational distinction between management and board responsibilities.

Good practices to consider…

When the big picture is clear, work out the limits to the BRC’s oversight and what has actually been delegated by the board.

Things to avoid…

The BRC taking on responsibilities that should sit with the full Board (ie strategic issues – see several points below).

Good practices to consider…

When the big picture is clear, then you can think about how responsibilities are divided between board and BRC. Make sure the Terms of Reference define how far, and in what way, the Committee’s responsibilities extend to setting out the proposed risk appetite and where the responsibility for approving it lies.

Things to avoid…

Allowing vagueness to result in the BRC taking strategic decisions by default. It’s good for the BRC to have the initial debate and then outline and propose the risk appetite. But the appetite statement is part of the strategy, so approving it (ie confirming how much risk the organisation is willing to take on) is a strategic matter for the Board as a whole.

Good practices to consider…

Be clear that accepting a significant divergence from risk appetite might be a matter for the full board. The BRC should be monitoring the current and expected exposures, but if it’s the board’s job to approve the strategic risk appetite then it is also its job to approve significant departures from it.

Things to avoid…

Assuming that the BRC always has the authority to approve divergent risk exposures. It’s never going to be black and white and sometimes it might be right for the BRC to approve – it will need judgement. But in general it’s useful to draw a distinction between “risk acceptance” (a board responsibility where it is significant) and “risk management oversight” (a committee responsibility, especially at the detailed level).

Good practices to consider…

Bring to the board the BRC’s assessment of current exposures and any related weaknesses in risk management. This should be part of the Committee Chair’s report to the board.

Things to avoid…

Relying on the CRO’s periodic report to the board, probably separated from strategic discussions. And then letting the BRC Chair’s report slip into being a recital of topics covered. If there’s a significant exposure developing, the board needs to know and the committee should take the opportunity to raise the issue. Even if it’s covered by the CEO Report, the committee needs to give the board the comfort of knowing that it’s alert to it.

Good practices to consider…

Recognise the difference between a meeting of the BRC at which “all directors are there” and the board meeting itself. They are different in many ways so the different roles and strategic nature of board discussion should be recognised.

Things to avoid…

Adopting an attitude of “the whole board is at the BRC anyway”. For that argument to hold water, it needs to be wholly true every time, and it rarely is. Also it misses the point that there’s a different chair, the purpose of the meeting is not strategic, and the non-member attendees are different. It’s probably also a very large meeting, affecting its dynamics. Having a discussion at a committee meeting is not – and should not be – the same as having one at the board meeting.

Good practices to consider…

Expect a risk report for the board that is different from the one submitted to the committee. Well-meaning boards often try to save management work by encouraging them to recycle meeting papers – this is kind, but mistaken if it reduces the effectiveness of the board discussion.

Things to avoid…

Giving the board the same risk report, with all the detail, heat maps and risk register stuff that the committee enjoys. This isn’t what’s needed by all directors and it’s not a helpful way to set up a good discussion at the full board meeting. A short report flagging up major changes, developing exposures and material risk management concerns is much better preparation, especially if it comes with an explanation of the potential strategic implications and management’s suggested response.

Good practices to consider…

Work out the role of the CRO in the board meeting. The same size doesn’t fit all, and it doesn’t have to be set in stone. But it does need careful thought.

Things to avoid…

Limiting the CRO’s appearance at board meetings to a few set pieces across the year. It might not be necessary or desirable to involve the CRO in the whole meeting. But the board needs to ensure that the CRO is given the status the role merits, is able to understand directly board director points of interest and concerns and can be consulted directly by any board member during the discussion.