Effective risk management requires management to take accountability for taking risks, and an essential tool for achieving this is an efficient and effective risk committee. Unfortunately, many organisations view risk committees as a box-ticking exercise, rather than an opportunity to embrace positive risk-taking.
Too often, committee members go through the motions and fail to engage in meaningful discussion and debate. Further, this can be assigned a reason relating to time constraints or, in some cases, the belief that the chair or a single member knows best. Even worse, members represent in the meeting concern and even call for action, but outside the meeting remain passive and uncommitted to real action.
However, an effective risk committee should form the backbone of an organisation’s business practices. It should encourage open and constructive debate, and ensure that accountable members take action where necessary. The committee should set the tone from the top, inspiring and empowering individuals and teams to take calculated and managed risks that support the organisation’s goals.
Ultimately, an effective risk committee is critical to achieving great governance. However, it is important to recognise that the committee’s role goes beyond simply providing a visual representation of risk management. Instead, it should oversee, guide, and require action from all parts of the organization, working in tandem with other business and risk management practices to create a solid foundation that supports positive risk-taking.
Decision-making Process
Every day, risk management is an integral part of the decision-making process across all organisations. Rather than just being a part of the decision-approval process, it’s best to incorporate risk management as part of the decision-making process. The risk committee plays a critical role in supporting this process.
An effective risk committee must support debates, and challenge accountable managers to ensure that actions taken are well-thought-out and lead to the best outcomes from taking risks. It’s important to note that the committee is not there to just rubber-stamp decisions or accept recommendations presented. Instead, the committee should provide valuable advice and, in some circumstances, disagree with the recommendation and recommend taking an alternative action.
Contrary to the notion that there is “no such thing as a bad decision, just a bad recommendation” when it comes to risk committees, an effective and valued risk committee plays a crucial role in the organisation. Such committees must engage in the topics presented, make changes, and drive action. Typically, the most senior and experienced members of an organisation, whether at the board or executive level, form the committee. This talent is there to make a real difference and, most importantly, make things happen.
An effective risk committee not only helps make better decisions but also makes the organisation better. By having such a committee, organisations can ensure that they make informed decisions and minimise risks while maximising opportunities. The committee’s role goes beyond providing recommendations to actually driving action and leading to better outcomes.
The Risk Committee is Good Governance
Effective governance is crucial, but an even more critical aspect is incorporating risk into the decision-making process. Although it may not be a complicated task, it requires careful attention to detail. Deloitte, in response to the increasing interest in board-level risk committees, has developed a guide that outlines the key factors necessary for the committee’s success. Specifically, Deloitte recommends that boards review the committee’s composition, reporting relationships, and responsibilities to ensure they align with the organization’s needs.
Once the foundation for a risk committee is in place, it is essential to incorporate key concepts that promote its effectiveness.
Key Principles for an Effective Risk Committee
To have an effective risk committee, it is crucial to adhere to these ten key principles:
- Keep the committee small and focused, with executives and directors from both within and outside the organisation. For an executive committee, the most powerful message is having all executives as members of the risk committee.
- Create a simple agenda that addresses key areas of the business process, issues, risks, controls, controls monitoring (control self-assessment and assurance), and actions to mitigate risk.
- Provide clear oversight of the frameworks in place, ensuring effective and efficient risk management practices.
- Oversee the change portfolio of the business from a risk perspective.
- Obtain alignment, through challenge and debate, and support from a risk perspective of the strategic projects that impact the risk profile of the business.
- Consolidate multiple risk committees into a single management risk committee that covers all material risks. Leaving a material risk off the table at the risk committee reduces the benefit of having the talent at the table to challenge risks more broadly.
- Provide sufficient pre-reading time for papers, so that the committee can focus on discussions rather than reading papers during meetings.
- Focus on top-down “what keeps you up at night” requirements and bottom-up reporting and escalation.
- Ensuring accountability among all members for the recommendations made during meetings is crucial. The purpose of these meetings is to manage risk and ensure that actions taken align with the appetite and expectations of the committee members. It’s important to remember that not all recommendations will be accepted and implemented as-is; the risk committee is not simply a rubber-stamp for recommendations.
- Ensure that all members of the committee advocate for decisions made during the meeting. The debate and challenge must happen in the room, not afterward.
To gauge the effectiveness of the committee’s decision-making process, consider tracking the number of recommendations presented and how many of these recommendations are modified or changed during the deliberation process. This can serve as a key performance indicator for the committee, helping to identify areas for improvement and encouraging greater collaboration among members
In summary, while the risk committee is an essential component of managing risk for your business, it cannot replace effective leadership and embedding risk into the decision-making process. People and organisations do make incorrect decisions, the risk committee is there to ensure every possible challenge and debate occurs to reduce the potential of these decisions being incorrect.