The Role Of A Risk Committee

Thomas Frenehard

Remember the dinosaurs from your history books? Extinct, right?

Well, this is the way some companies are going because they focus all their efforts on looking backwards. And to me, this is precisely where audit and risk committees have a crucial role to play: not to focus on the same issues, but to have a different mindset.

By nature, the audit committee will focus on the findings from the audit report, looking backwards at what’s already happened. I personally think that the risk committee should focus on forward-looking uncertainties… and how to best leverage potential opportunities.

This risk committee can then have a true advisory role to the board. It should, of course, be able to discuss the most important threats that would prevent an organization from achieving its objectives and it should also be able to recommend a course of action to flip downsides into opportunities.

Most likely the board is not the right forum to discuss and review the multiple risk scenarios, test new assumptions, and so on. But if it relies on a knowledgeable risk committee, it will be able to make the right decision for the business and increase value for the shareholders.

So, how can this work?

Last week I was lucky to attend a workshop on the specific topic of risk committees, which sparked many discussions and exchange of opinions among participants. Here are my summarized thoughts from the event:

1. A clearly defined mandate is needed

A risk committee can be successful only if it is given a clear mandate by the board — its roadmap and mission statement, if you wish. Here, I would suggest that the board define expectations for the risk committee that would be relevant to supporting true business decision making.

In association with the mandate, and for the risk committee to be realistic in its assumptions, I would expect the board to share its risk appetite and how it reached this conclusion, as this will guide most of the scenario work.

2. On-board knowledge

To have an active risk committee, I think it has to embed a risk culture. This might happen because the committee is at least partially composed of risk experts or because it’s engrained in the DNA of its members.

I would also suggest involving industry experts in the risk committee as this is the only way to have realistic – and probable – scenarios.

3. Sufficient tools and information

The role of this committee will be to review risks and to simulate potential negative and positive outcomes. If its participants are not given sufficient risk information, how can they do that?

In addition to providing risk information, I would also recommend authorizing this committee to interview risk owners when necessary, as they are the business experts that can shed light on business contexts.

4. Report to the board and then take action on their recommendations

To my mind, if such a process is defined, then the board needs to set some time aside to debate the recommendations from the risk committee. And here, it can’t be a passive presentation from the committee to the board; it must be a two-way street with some questioning. The board needs to challenge the assumptions and needs to provide feedback on whether expectations have been met, or the risk committee won’t be able to adjust its next reporting.

Also, the board needs to take action on the recommendations. And keep in mind that deciding to wait until more information is gathered or until events start to unfold is already a decision, provided it is documented and agreed upon.

How does this sound to you? Would you agree that immobility is a great threat to many of our organizations?

I look forward to reading your thoughts and comments either to this blog or on Twitter (@TFrenehard)!


About Thomas Frenehard

Thomas Frénéhard is a director in the Governance, Risk, and Compliance Solution Management team at SAP. His particular responsibility is with SAP Risk Management. Thomas's other functional areas of focus are in internal control and compliance management and audit management. In this role and in constant interactions with SAP’s network of partners, clients, and internal stakeholders, Thomas is responsible for bringing together technology, skills, and products to deliver an always-compelling solution for enterprise risk management.