Risk Management Committees–An Idea Whose Time Has Come

Earlier this year I wrote that directors have become much more educated in recent years about enterprise (not just financial) risk management and about their fiduciary responsibility to oversee ERM effectiveness. (See this Doug’s Note.) Directors are asking management to answer specific, substantive questions about how the company’s ERM functions and how they can (or must) become more involved. As a result, short, vague, infrequent ERM reports from management to the board are becoming a thing of the past. Management now must be more intentional in how it bridges the gap between the company’s detailed, operations-oriented risk management plan and the board’s strategic oversight perspective.

Some companies are addressing this challenge by adding a risk management committee to the board’s existing committee line-up. More companies are expected to follow that lead in the near future.

According to a recent E&Y study, the average S&P 500 company has one board committee in addition to its three key committees—audit, compensation and nominating/governance. The most common additional committees are finance (38% of S&P 500 companies) and executive (37%). Interestingly, the prevalence of executive committees has declined significantly in recent years, perhaps because board and key committee duties are now much more detailed and specific, which makes the traditional role of an executive committee somewhat obsolete.

Not surprisingly, as ERM is becoming mainstream and boards are becoming more involved, risk management committees are more common. Although the E&Y study reports that only 8% of S&P 500 companies currently have a risk management committee, another 11% have a compliance committee and 38% have a finance committee. Many companies have begun to add ERM oversight to the duties of those committees in recognition of its increased importance and to better define the board’s duties in that area.

The next step is to formalize ERM within the committee structure. Companies should begin by assessing current board ERM practices in light of the existing committee structure and duties. It may be that another committee should be added, whether due to the complexity of the company’s ERM, a history of troublesome risk management issues or overtaxed existing committees. Alternatively, companies might decide to combine and re-designate existing committees (creating, for example, a Risk and Compliance Committee or a Risk and Finance Committee).

So, what would a risk management committee do?

A risk management committee’s duties would include:

  • Understanding the company’s enterprise-wide risk exposure and risk management processes
  • Determining and articulating to management the company’s risk appetite in key risk areas, as well as enterprise-wide
  • Evaluating the overall effectiveness of management’s risk management processes
  • Articulating to management any changes in strategy that could impact risk management programs
  • Establishing a process for receiving regular reports from management, and interim communications as needed
  • Establishing the method and frequency of committee reports to the full board, as well as the extent to which the full board may itself be directly involved in risk management
  • Coordinating with other board committees to the extent that there are overlapping responsibilities (for example, with the audit, finance and compliance committees)

Enterprise risk management is mainstream and here to stay. It is also complex and time consuming. Companies should consider whether their current board structure and operation properly facilitate director fiduciary duties in this essential area.


Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Parker Poe Adams & Bernstein LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.