by Thomas Frenehard, GRC Solution Management
Remember the dinosaurs from your history books? Extinct, right?
Well this is the way some companies are going because they focus all their efforts on looking backwards. And to me, this is precisely where Audit and Risk Committees have a crucial role to play; not to focus on the same issues but have a different mind-set.
By nature, the Audit Committee will focus on the findings from the audit report, looking backwards at what’s already happened. I personally think that the Risk Committee should focus on forward-looking uncertainties… and how to best leverage potential opportunities.
This Risk Committee can then have a true advisory role to the Board. It should, of course, be able to discuss the most important threats that would prevent an organization from achieving its objectives and it should also be able to recommend a course of action to flip downsides into opportunities.
Most likely the Board is not the right instance to discuss and review the multiple risk scenarios, test new assumptions, and so on. But if it relies on a knowledgeable Risk Committee, it will be able to make the right decision for the business and increase value for the shareholders.
So, how can this work?
Last week I was lucky to attend a workshop on this specific topic, Risk Committees, that sparked many discussions and exchange of opinions amongst participants. Here are my summarized thoughts from the event.
- A clearly defined mandate is needed
A Risk Committee can only be successful if it is given a clear mandate by the Board. Its roadmap and mission statement, if you wish. Here, I would suggest that the Board define expectations for the Risk Committee that would be relevant to supporting true business decision making.
In association with the mandate, and for the Risk Committee to be realistic in its assumptions, I would expect the Board to share its risk appetite and how it reached this conclusion, as this will guide most of the scenario work.
- On-board knowledge
To have an active Risk Committee, I think it has to embed a risk culture. This might happen because the committee is at least partially composed of risk experts or because it’s engrained in the DNA of its members.
I would also suggest involving industry experts in the Risk Committee as this is the only way to have realistic – and probable scenarios.
- Sufficient tools and information
The role of this committee will be to review risks and to simulate potential negative and positive outcomes. If its participants are not given sufficient risk information, how can they do that?
In addition to providing risk information, I would also recommend authorizing this committee to interview Risk Owners when necessary, as they are the business experts that can shed light on business contexts.
- Report to the Board and then, take action on their recommendations
To my mind, if such a process is defined, then the Board needs to set some time aside to debate on the recommendations from the Risk Committee. And here, it can’t be a passive presentation from the committee to the Board, it has to be a two-way street with some questioning. The Board needs to challenge the assumptions and needs to provide feedback on whether expectations have been met or the Risk Committee won’t be able to adjust its next reporting.
Also, the Board needs to take action on the recommendations. And keep in mind that deciding to wait until more information is gathered or that events start to unfold is already a decision, provided it is documented and agreed on.
How does this sound to you? Would you agree that immobility is a great threat to many of our organizations?