Yes. No. Maybe so. Is your organization struggling to determine whether it should establish a board-level risk committee? If so, you’re not alone. In fact, unless your organization is subject to a regulatory requirement that demands such a committee exist, the struggle is real.
That’s why it’s important to weigh the pros and cons of forming and maintaining a dedicated risk committee, and to understand the tools that can better support your organization’s risk management efforts regardless of your approach.
Why the struggle?
Why would any organization take more than a millisecond to determine if it needed a committee to oversee risk? After all, such a committee could protect the organization from harm, as well as recognize the potential upsides of risk—thereby creating value.
Of course, nothing is that simple. Forming and maintaining a risk committee that is truly beneficial can be complicated. Challenges include:
Committee composition: Risk is best managed when analyzed from every angle, rather than in a vacuum. As such, a risk committee should be composed of members with expertise across a multitude of areas. This can be difficult, however, if the makeup of your board is not already diverse, or if those board members with diverse backgrounds are strapped for time because they are currently serving on other committees. Regardless of backgrounds, though, overburdened board members with limited availability are another hurdle organizations must overcome when establishing any new committee, including one dedicated to risk.
Committee scope: The purpose and responsibilities of a board-level risk committee should be clearly defined so members have an understanding of any specific risks that need to be overseen, and how they must integrate with other committees to capture a complete picture of risk. This helps prevent duplicative work, and protects against risks slipping through the cracks. Risk parameters must also be clearly defined for the committee so it can discern risks within and outside the organization’s appetite for risk. All of this can be a challenge, though, if committee overlap, politics or hampered communications limit the risk committee’s performance.
Reporting and communications: Speaking of communications, solid processes and procedures must exist to facilitate communication and effective reporting. This means the risk committee must be able to access and easily share relevant and timely data that helps the organization to foresee and act upon risks. Otherwise, it will not be able to easily integrate with other committees, or grasp the full range of risks affecting the organization. However, efficiently and effectively communicating and reporting is no small feat if a risk committee lacks the structure and tools needed to assist with these tasks.
Such challenges can impede a risk committee from achieving its ultimate goal of risk oversight and being able to identify interconnected, emerging, or forgotten risks, as well as identify risks worth taking. Still, plenty of organizations have formed risk committees with great success. So how do you know if a risk committee is for you?
Is a risk committee for you? Here’s how you know.
Unfortunately, determining whether an organization needs to establish a board-level risk committee does not usually hinge on a finite set of yes and no criteria. The two simplest determining factors are:
- Are you subject to regulatory requirements that necessitate a dedicated risk committee? If yes, form a committee.
- Based on your definition of success, is your organization successfully managing risk without a risk committee? If yes, don’t form a committee.
Beyond that, organizations on the fence about starting a dedicated risk committee should base their decision on:
- The level to which risk management is a priority
- Whether enough time is being spent on risk management based on its priority ranking
- Whether board members have the resources—in terms of time, tools and support—to be on a dedicated risk committee
- Whether a culture of collaboration among all board committees exists so the risk committee can succeed
If your analysis seems to indicate your organization should avoid establishing a dedicated board-level risk committee, that doesn’t mean you have to merely roll the dice when it comes to risk management. Other effective ways to focus your board’s attention on risk include:
- Divide risk among separate committees, but have them come together occasionally to discuss how risks interconnect.
- Fold risk management into one other committee, like the audit or finance committee, but set parameters to ensure risk is discussed through a broader lens than finance or audit issues.
- Make sure integrated risk management is a topic discussed at multiple board meetings in a thoughtful and in-depth manner, as opposed to a two-minute line item to merely check a box.
- Improve risk management reporting efforts so the board has better and more understandable data at their fingertips, which they can quickly process to make more informed decisions.
Regardless of the route your organization takes when it comes to board-level risk oversight, the right tools and technology are critical to having an impact.
How Risk Management Technology Can Help
The right risk management technology, first and foremost, brings together all areas of risk effectively and efficiently, enabling insights that have previously been unobtainable. So whether you have a dedicated risk committee or multiple committees sharing risk oversight, all stakeholders have access to necessary, real-time risk management data.
This protects against a broad range of risks being overlooked because of the challenges previously mentioned, such as when a dedicated risk committee lacks members with diverse backgrounds; when risk is rolled into an already established committee like audit or finance; or when risk is spread out across various committees, making it a challenge to track who is watching what.
The right risk management technology can also serve as a regulatory and compliance management system, as well as an audit management system. It will automate and streamline the many activities related to managing these areas, along with traditional risk management.
All of this lessens the burden on board-level committee members. They will have more time to jump on that new risk committee that they previously didn’t have enough bandwidth for or, if they serve on a multi-purpose committee like risk and audit management, to focus on strategic risks rather than get bogged down with audit work alone.
Finally, the right risk management technology will offer self-service analytics and make reporting seamless and more effective. Reports and dashboards can easily be configured to measure risk and visually demonstrate where your organization stands in relation to its pre-determined thresholds, KPIs and KRIs. Further, the system can automatically notify stakeholders in real time when thresholds are met or are at risk of being met.
As a result, reporting takes less time for your already time-crunched board members, whether they sit on a dedicated risk committee or on other committees where risk management is partially their responsibility. It also opens the lines of communication among all committees as everyone has access to the same real-time, easy-to-understand information.
This way, getting up to date doesn’t hinge on an overworked committee getting a report out to the right people at the right time, but instead hinges on technology that automatically informs stakeholders that something needs to change if the organization wishes to continue to achieve its objectives.
Determining whether your organization would benefit from a dedicated risk committee is a big decision that requires a lot of thought and work to properly execute. But no matter your organization’s approach, be equally thoughtful about the technology and tools in which you invest to manage risk, as well as related areas like compliance, audit, safety and vendor management. Your choice of technology can have just as much or more impact on your program than committee structure.