Many companies have a
management risk committee (MRC) as part of their risk infrastructure. While not
part of the board, such committees, made up of the appropriate executives at
the company and reporting to the board, nonetheless can contribute to the
board’s risk oversight. How can your organization reap the benefits of this
added oversight tool and maximize its effectiveness?
Identify the Company’s Needs
Whether organized as a designated or de facto committee, MRCs have
increasingly been used in recent years, likely due to the growing complexity of
risks inherent to the organization’s strategy and business model and the increasing
sophistication of risk management infrastructure. Additionally, the agenda of
the executive committee may be too crowded to sufficiently cover these matters
and extenuating circumstances may exist (e.g., a history of surprises,
substantive improvements required in the company’s risk management capabilities,
a critical risk meriting special attention, or a need to strengthen risk
There are several merits to consider when evaluating whether
to organize an MRC—for example, ensuring successful implementation of the
organization’s approach to enterprise risk management, focusing management
attention on specific risk areas (e.g., technology, litigation, or environmental
issues), identifying emerging risks, and helping the company anticipate and
react to disruptive events and trends. The committee’s deliberations can
enhance the risk dialogue in the C-suite and boardroom by sharpening the focus
on critical enterprise risks and emerging risks.
When it comes to MRCs, the old cliché of one-size-fits-all does not apply. For example, in financial institutions, commodity-based businesses, or operations with hazardous activities, the MRC may focus on managing specific risks inherent to the enterprise’s business model that either are not managed by the business units or are more effectively managed enterprise-wide, consistent with a portfolio view. Other MRCs may focus on the risk management process and assume no overall responsibility for mitigating risks.
As both the board and executive team can benefit from an
effective management risk committee, here are six suggestions for forming and
operating such committees:
1. Clarify MRC responsibilities through the
charter. The charter should specify the committee’s mission or
purpose, membership, duties and responsibilities, authorities (if any), and if
necessary, specific activities it is to perform. It should be approved by the
executive team and reviewed with the appropriate board committee. As directed
by the executive team, the MRC’s responsibilities may include identifying and
prioritizing risks; monitoring changes in the external environment for
strategic risk implications; periodically assessing the entity’s risk culture,
benchmarking peers, and best-of-class organizations; and ensuring the executive
team and the board are considering critical enterprise risks. An MRC offers the
board an opportunity to periodically review the committee charter to ensure it
addresses issues germane to the board’s risk oversight.
2. Include the right people. The
committee, depending on its scope, should combine a diverse range of strategic,
operational, and functional perspectives. The selection criteria might include
experience, knowledge of the business, specialized expertise, and fit. At least
one senior executive should be a member (e.g., an executive sponsor). It may
make sense for the general counsel and a representative from the disclosure
committee to be present. Some companies rotate MRC members to bring a fresh
perspective and create risk awareness across the entity. Size is also a factor;
too large of a group can inhibit dialogue.
3. Conduct effective meetings. Considerations
for meeting frequency include the nature and volatility of the organization’s
strategy, operations, and risks, as well as the scope of responsibilities outlined in the
committee charter. MRCs can meet quarterly, monthly, or more frequently as
necessary, and meeting agendas should be developed by the committee chair with
suggestions from committee members. They might include specific risk issues
(e.g., drill-downs on risks or evaluations of risk appetite), as well as open
discussions of new internal and external developments and other activities.
Briefing materials should be provided in advance of each meeting.
4. Focus the group dialogue on what executives
and directors may not know. The management risk committee’s real
value comes from focused dialogue around what’s new, what’s changing, and the
implications regarding emerging opportunities and risks. Heads turn when the
committee escalates insights that aren’t on the radar of the organization’s
leaders. Meetings should be inclusive so that everyone is engaged. Cluttering
meetings with presentations is a mistake—if the right group is assembled, it
makes sense to hear what they have to say. While presentations by different
risk owners explaining how they are addressing risks for which they are
responsible are acceptable, sufficient time should be allowed for discussion
5. Don’t let the committee get stale.
Taking too broad of a focus and repeating the same activities can sap the
committee’s energy over time. Consider mixing things up and refocusing the
committee’s activities depending on the organization’s needs. For example, if
the economy is in recession, the focus might be on liquidity and monitoring the
impact of cost-cutting and terminations on the risk management process and
internal control structure. It is a good idea to revisit the committee’s
emphasis periodically—at least annually—given the company’s circumstances and
the current business environment.
6. Spot the warning signs of a deteriorating
risk culture. The committee should watch for signs of a
dysfunctional culture and be sensitive to operating units taking risks
recklessly or forgoing attractive market opportunities through risk-averse
behavior. A pattern of limits violations, near misses, noncompliance incidents,
internal control deficiencies, and foot-dragging on issue remediation are other
signs of potential cultural issues that may warrant escalation.
It’s important to note these six points are illustrative and
are intended to be neither exhaustive nor prescriptive. The chief executive and
executive committee dictate the scope of the management risk committee,
delegating responsibilities consistent with the priorities of the business. The
board can provide input into this direction.
Jim DeLoach is managing director of Protiviti.