In November 2009 I contemplated "Should Board Audit and Risk Committees be Separate?" and today I question "Should a Board have a risk committee at all?"

In 2009 I concluded:

  • Management's responsibility is to identify, manage and report on risk with a predefined risk appetite which has been established in consultation with the oversight body, most commonly a Board of Directors or an Advisory Board.
  • The Board has an "assurer role" to provide stakeholders with assurance that management has done their job on risk.
  • The Board has a "mentoring role" to provide oversight of the risk management process.
  • Therefore there should be separate Audit and Risk committees fulfilling different roles, in particular for larger organisations with much larger amounts of information to process.

 

Since 2009 a few things have caught my attention that have caused me to consider whether the Board should have a risk committee at all. An example is APRA's requirement for Boards "... to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks."

Although APRA's requirement only applies to organisations they regulate, I believe it is applicable to all boards. How then can a Board delegate risk to a sub-committee of the Board? Surely it is necessary for each and every director to understand the risk profile of the organisation.

 

My advice to Boards is:

  • Have a Board Assurance Committee which, through audits and other means, is responsible for ensuring the risk management framework put in place by management is appropriate and working, just as it does with all the other key processes of the business.
  • The Board collectively should be in discussion with management to ensure the Board and Management understand the implications of strategic, business unit and major project risk profiles presented to the Board and whether or not risk levels are within the risk appetite set by the Board and Management.

 

www.rmpartners.com.au

 

Bryan is a management consultant operating since 2001, specialising in risk-based decision making and influencing decision makers, born from his more than twenty years of facilitating executive and board workshops.

Bryan’s experience as a risk practitioner includes the design and implementation of risk management programs for more than 150 organisations across the public, private and not-for-profit sectors.

Bryan is the author of Risky Business: How Successful Organisations Embrace Uncertainty; Persuasive Advising: How to Turn Red Tape into Blue Ribbon; and Team Think: Unlock the Power of the Collective Mind [to be published in 2022].

He is licensed by the RMIA as a Certified Chief Risk Officer (CCRO) and has been the designer and facilitator of their flagship Enterprise Risk Course since 2019.

www.bryanwhitefield.com
