Many companies have a management risk committee as part of their risk infrastructure. While not a part of the board, such committees nonetheless can contribute to the board’s risk oversight. Protiviti’s Jim DeLoach speaks to how to maximize the MRC’s effectiveness.
Whether organized in the form of a designated management risk committee (MRC) or a de facto risk committee, MRCs have been used increasingly over the years. This likely is due to the growing complexity of the risks inherent in the organization’s strategy and business model, escalating pace of change, advent of powerful digital capabilities and increasing sophistication of risk management infrastructure – matters the agendas of most executive committees are simply too crowded to cover sufficiently. Extenuating circumstances may also be a contributing factor (e.g., history of unexpected surprises, substantive improvements required in the company’s risk management capabilities and/or a need to strengthen risk culture). Worse, there may be a lack of confidence in certain risk management areas.
A number of factors justify consideration of an MRC, including ensuring successful implementation of the organization’s approach to enterprise risk management (ERM), focusing management’s attention on specific risk areas (e.g., technology, litigation, environmental, social and governance issues), identifying emerging risks in a timely manner and helping the company anticipate and react to disruptive events and trends. Also, the committee can support the executive team’s and the board’s focus on critical enterprise risks, enhancing the risk dialogue in the C-suite and boardroom.
MRCs come in all shapes and sizes and with different objectives. The cliché of no one size fits all applies here, as well.
For some companies, the MRC’s responsibilities may be focused on managing specific risks inherent in the enterprise’s business model that either are not managed by the business units or are more effectively managed enterprise-wide, consistent with a portfolio view. The objective of these specialized committees – which may in some firms be characterized as a distinctive risk unit – is to make the management of its “in scope” risks an organizational core competency.
If there is a chief risk officer (CRO), the committee may support and be chaired by that individual. More commonly found in financial institutions, commodity-based businesses or operations with hazardous activities, such committees may be responsible for managing a variety of risks – such as interest rate risk; currency risk; commodity price risk; credit risk; catastrophic risk; and health, safety and environmental risk – within the company’s risk appetite and established risk tolerances and limit structures.
With the assistance of support staff and working in cooperation with the business units, they evaluate, pool, reduce, transfer and exploit the risks for which they are accountable. An important contributor to the execution of the organization’s strategy, the committee may have veto and/or escalatory authority when new deals are considered or new exposures emerge. Often, this type of committee shares the responsibility for managing the specific risks with the business units and has direct face time with the board of directors.
Other MRCs may be more focused on the risk management process and assume no day-to-day responsibility for mitigating risks. Functioning under the auspices of the chief executive and/or executive committee or under a CRO (or equivalent executive), they assess and monitor the organization’s internal and external environment and provide insights and recommendations to executive, operating and functional leaders, all in the spirit of improving the company’s risk management capabilities continuously in a changing business environment. These committees often support the board in the appointed manner to facilitate directors’ risk oversight. As this type of MRC is most common and applies to many industries, we will use it as a context for the remaining discussion.
As both the board and executive team can benefit from an effective MRC, here are seven suggestions for forming and operating such committees.
1. Clarify MRC Responsibilities Through the Charter
An effective charter specifies the committee’s mission or purpose, membership, duties and responsibilities, authorities (if any), and, if necessary, specific activities. Driven by the executive team’s direction, the committee’s responsibilities vary from company to company. They may include:
- Identifying and prioritizing risks
- Monitoring changes in the external environment for strategic risk implications
- Understanding mitigation activities for specific risks and making recommendations to improve them
- Periodically assessing the entity’s risk culture
- Benchmarking peers and best-of-class organizations for best practices
- Ensuring that critical enterprise risks are being considered by the executive team and the board
- Enhancing the firm’s risk awareness
If the entity is implementing ERM, the committee may provide guidance regarding ERM infrastructure, including enhancements to policies, processes, organizational structure, reporting, methodologies and systems. While these suggested responsibilities are intended as illustrative rather than prescriptive, the ones actually included in the charter should be approved by the executive team and reviewed with the appropriate committee of the board.
2. Include the Right People
Depending on its scope, the committee’s composition should combine a diverse range of strategic, operational and functional perspectives. If operating unit and functional leaders should serve on the committee but are unable to do so due to time constraints, they should appoint direct reports who have access to them. The selection criteria might include experience, knowledge of the business, special expertise and fit. Desirably, at least one member of the executive committee should be a member (e.g., the executive sponsor). It may make sense for the general counsel and a representative from the disclosure committee to be present. Some companies rotate MRC members to bring a fresh perspective and create risk awareness across the entity. Size is also a factor; too large a group can inhibit dialogue.
3. Conduct Effective Meetings
Regarding the appropriate meeting frequency, consider the nature and volatility of the organization’s strategy, operations and risks, as well as the scope of responsibilities outlined in the committee charter. MRCs can meet quarterly, monthly or more frequently as necessary. Meeting agendas should be aligned with the charter and developed by the committee chair, considering suggestions from committee members. They might include specific risk issues (e.g., drilldowns on specific risks or evaluation of the risk appetite statement in view of the current environment), as well as open discussion of new internal and external developments and other activities (e.g., risk awareness education). Briefing materials should be provided in advance of each regularly scheduled meeting.
One key point: When meeting attendance declines or senior personnel who are supposed to attend start sending delegates, that’s a sure sign something is wrong with the substance of the meeting agendas or the way the meetings are conducted. In such instances, MRC sponsors need to get to the root of the issue and make the necessary adjustments to refresh the committee’s focus.
4. Focus Group Dialogue on What the Executive Team and Board May Not Know
From the standpoint of the board and senior management, the MRC’s real value comes from focused dialogue around what’s new, what’s changing and the implications in terms of emerging opportunities and risks. Heads turn when the committee escalates insights and issues that aren’t on the radar of the organization’s leaders.
Meetings should be inclusive so that everyone is engaged. Cluttering meetings with presentations is a mistake. If the right group is assembled, it makes sense to hear what members have to say. While presentations by different risk owners explaining how they are addressing risks for which they are responsible are OK, sufficient time should be allowed for discussion and input.
5. Focus on the Right Questions
At a webinar recently hosted by my firm, a participant observed in a question to our panel that during an enterprise risk assessment, the risk of a pandemic was dismissed, as no one within the management team could envision what a pandemic might look like. Now, of course, the COVID-19 experience has given everyone an object lesson as to the potential impact of a pandemic on the economy – whole industries and companies in general. Unfortunately, few management teams were prepared. The reality is that many high-severity, high-velocity and high-persistence risks with low probabilities assigned to them – those in the upper left hand corner of a risk or heat map – get disregarded because of a leap of faith that they are unlikely to happen. Thus, the emphasis on probabilities creates a false sense of security. “Will it happen?” is the wrong question when evaluating so-called extreme but plausible events. For these events, the correct question is, “What will we do if it happens?”
The MRC’s job is to ask the right questions. Response readiness is key and should be emphasized in the MRC agenda as directors and senior executives seek to make their companies more resilient market players. If an ERM program is in place, the MRC should steer its focus to improving and sustaining organizational resiliency. Agile competitors that adapt and change are the odds-on favorites to be more successful than peers that cling to the status quo.
6. Don’t Allow the Committee to Become Stale
Too broad of a focus and doing the same things over and over can sap the MRC’s energy over time. Consider mixing things up and refocusing committee activities depending on the organization’s needs at the time. For example, if the economy is in recession, the committee’s focus might be on liquidity and monitoring the impact and extent of cost-cutting and terminations on high-priority digital initiatives, risk management process and internal control structure. If the company is growing rapidly, the committee may want to focus on changes to the overall risk profile and the emergence of potential risks.
It is a good idea to revisit the committee’s emphasis periodically – at least annually – in view of current circumstances and the business environment. A sharp focus aligned with the times creates clearer expectations, drives energy, establishes stronger accountability with the organization’s leaders and delivers greater value to the firm.
7. Watch Out for the Warning Signs of a Deteriorating Risk Culture
The committee should monitor signs of a dysfunctional culture and be sensitive to operating units taking risks recklessly or foregoing attractive market opportunities through risk-averse behavior. A pattern of limits violations, near misses, noncompliance incidents, internal control deficiencies and foot-dragging on remediation of issues are other signs of potential cultural issues that may warrant escalation.
The above points are illustrative and are neither intended to be exhaustive nor prescriptive. The CEO and the executive committee dictate the scope of the MRC, delegating responsibilities consistent with the priorities of the business. The board can provide input into this direction.
Questions for Senior Management and Boards of Directors
Senior executives and their boards may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:
- If the company doesn’t have an MRC, why not? Is it because of the nature of the business, the ability of the executive team to deal with significant risk matters or other factors?
- If the company has an MRC:
- Does the committee have access to the people, resources and information it needs to carry out its responsibilities?
- Do the executive team and board have sufficient transparency into the committee’s charter and activities? Is the scope of the committee’s charter responsive to their needs from a risk oversight standpoint?
- Are the executive team and board satisfied that the committee is fulfilling its chartered responsibilities? Do they receive periodic updates from the committee?
 A de facto risk committee may exist through allocating executive committee agenda time to risk matters, a subcommittee of the executive committee or an equivalent group with a name other than “management risk committee.”
 According to “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices,” by Mark Beasley, Bruce Branson and Bonnie Hancock, published by NC State University’s ERM Initiative in March 2017, in the United States, 80 percent of the largest organizations (greater than $1 billion in revenue) and 83 percent of public companies had a management risk committee in 2016. Furthermore, usage of these committees since 2014 increased across all types of organizations and specifically for the largest organizations and public companies by 17.6 percent and 18.6 percent, respectively. Since 2009, usage of these committees increased dramatically (by 164 percent) for all organizations.