In November 2009 I contemplated "Should Board Audit and Risk Committees be Separate?" and today I question "Should a Board have a risk committee at all?"
In 2009 I concluded:
- Management's responsibility is to identify, manage and report on risk with a predefined risk appetite which has been established in consultation with the oversight body, most commonly a Board of Directors or an Advisory Board.
- The Board has an "assurer role" to provide stakeholders with assurance that management has done their job on risk.
- The Board has a "mentoring role" to provide oversight of the risk management process.
- Therefore there should be separate Audit and Risk committees fulfilling different roles, in particular for larger organisations with much larger amounts of information to process.
Since 2009 a few things have caught my attention that have caused me to consider whether the Board should have a risk committee at all. An example is APRA's requirement for Boards "... to understand the risks of the institution, including its legal and prudential obligations, and to ensure that the institution is managed in an appropriate way taking into account these risks."
Although APRA's requirement only applies to organisations they regulate, I believe it is applicable to all boards. How then can a Board delegate risk to a sub-committee of the Board? Surely it is necessary for each and every director to understand the risk profile of the organisation.
My advice to Boards is:
- Have a Board Assurance Committee which, through audits and other means, is responsible for ensuring the risk management framework put in place by management is appropriate and working, just as it does with all the other key processes of the business.
- The Board collectively should be in discussion with management to ensure the Board and Management understand the implications of strategic, business unit and major project risk profiles presented to the Board and whether or not risk levels are within the risk appetite set by the Board and Management.