Does your company board need an independent enterprise risk management committee? This question comes up with some regularity in corporate governance circles. With changing regulations and a greater demand for transparency by public companies, risk committees are becoming more common around the world.
Risk committees are a new addition to the traditional three board committees that most large companies already have (the compensation committee, the corporate governance and nominating committee, and the audit committee).
Globally, standalone board-level risk committees exist at 22 percent of the 400 large public companies in eight countries analyzed by Deloitte in a recent report. The majority of these companies, however, do not have a risk committee.
Financial services companies are a bit of an outlier when it comes to having separate risk committees. This may be the result of the strict regulatory regime imposed by many countries on their financial services companies.
Companies in this industry use risk committees on the board 88 percent of the time globally; however, according to the Deloitte study, non-financial services companies have risk committees only 26 percent of the time.
Here in the U.S., 38 percent of financial services companies had a risk committee at the time of the Deloitte study. Another 38 percent took a hybrid approach to addressing risk. As we know, under the Dodd-Frank Wall Street Reform and Consumer Protection Act, large financial institutions are required to have an independent risk committee here in the U.S.
But what about non-financial institutions? According to Deloitte, only 2 percent of public companies in the U.S. had risk committees at the time of the study – a stark contrast against what we see for financial services companies.
Should non-financial services companies form a risk committee? The U.S. Securities and Exchange Commission (SEC) has made it clear that enterprise risk oversight is a board-level issue. In some cases, companies may need a mechanism to bring focus to risk issues. This is exactly what a board-level risk committee can do.
For example, if your company is involved in an especially high-risk sector like nuclear energy, the stakes are so high that it’s a good idea to bring focus to critical risk issues by having a risk committee.
A 2012 post at The Harvard Law School Forum on Corporate Governance and Financial Regulation blog recommends the following:
A separate risk committee of the board is not a one-size-fits- all solution, and it may be a better fit for companies with special circumstances. For example, the boards of financial institutions, power companies, and other organizations with complex market, credit, liquidity, commodity pricing, regulatory and other risks that require special attention may find a risk committee useful.
However, there’s a new threat that countless companies, no matter what type of business, are facing: cyber risk. With increasing cyber threats, SEC Commissioner Luis A. Aguilar is on record observing that a separate enterprise risk committee could be helpful.
If a separate enterprise risk committee is not right for your company, it is still useful to have clarity on where the responsibility lies when thinking about enterprise risk management.
While it is of course a full board responsibility, the “work” of enterprise risk oversight is often performed at the audit committee level. This hybrid approach is one that companies take 16 percent of the time globally, according to Deloitte.
If your company is not quite ready for a standalone committee today, it’s worth examining the issue from time to time to see if a separate risk committee is appropriate in the near future.
To be clear, I am not taking the position that every company needs a separate risk committee or that having a separate risk committee is, by itself, a magic bullet.
Rather, board engagement is the key. After all, many prominent financial institutions that suffered dire consequences in the financial crisis of 2007-2008, in fact did have separate risk committees.
The views expressed in this blog are solely those of the author. This blog should not be taken as insurance or legal advice for your particular situation. Questions? Comments? Concerns? Email: email@example.com.