First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 4 Minutes Read February 18, 2020

New guidance for risk committees

A new publication by the Risk Coalition (a group of organizations in the UK that includes their Institute of Directors, a couple of risk management associations, and the organizations for internal and external auditors) merits our attention.

Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services Sector has some interesting content. For example, it says:

  • In financial services the real risk is to take no risks. We are in the business of managing financial risks.
  • While the concept of the Three Lines of Defence continues to provoke much academic and professional debate, the Risk Coalition believes the basic principle of requiring independent oversight and challenge of management risk-taking remains sound.

In addition, I like that the guidance talks about ‘risk taking’ instead of simply managing risk. It also defines risk as not purely a negative effect on objectives:

The possibility that events will occur that affect the likely achievement of an organisation’s corporate strategy or strategic objectives. Commonly considered as negative events (downside risk), there may be occasions where risks may be exploited to an organisation’s advantage (upside risk).

Its definition of risk culture is also useful:

The combination of an organisation’s desired ethics, values, behaviours and understanding about risk, both positive and negative, that influences decision-making and risk-taking.

There are some key phrases in its definition of a risk appetite framework (which I highlight):

A key, board-approved framework designed to aid effective management decision-making, risk monitoring and reporting, and through which aggregate risk appetite is translated and cascaded into meaningful, calibrated risk thresholds, limits, metrics and indicators aligned to strategic objectives, and embedded throughout the organisation.

I highlighted these sections because in my experience very few risk appetite statements or frameworks are developed in such a way that they influence risk-taking and decision-making at all levels of the organization. For example, how does an HR manager know how his or her decision on which candidates to present might affect enterprise strategic objectives? How does saying that the organization has no tolerance for compliance or safety failures affect decisions on investments in those areas?

The guidance says it is “evolutionary, not revolutionary” and I must agree.

It provides more clarity to traditional thinking about risk management, but doesn’t suggest how to step up to real value-add activities.

In other words, there’s quite a lot missing!

I set up a risk committee when I was CAE and CRO at Business Objects. The first question that had to be addressed was:

Why do we need a risk committee?

If the answer is that we need one to comply with the expectations of the regulators, then we are unlikely to get the full and enthusiastic support of the management team. The team is focused, as should be the board, on achieving the strategic objectives for the organization – in other words, they are focused on the success of the organization, not just its compliance obligations.

I vividly remember a conversation I had many years ago with a senior executive. He was responsible for the company’s trading desk and told me that he couldn’t spend much time answering my questions because he had to get back to running the business and making money.

We get the executives’ attention and support when they appreciate how what we are doing helps them do both – make money and run the business for success. In time, this executive learned how my team and I could help him do both and he became a huge supporter.

The answer to the question should be that the committee helps the board be assured that management is taking the right risks, seizing opportunities wisely, as a result of informed and intelligent decisions.

The answer should not be limited to any form of blinkered focus on managing the possibility of downside events and situations that ignores the need to weigh ALL the potential things that might happen. In other words, is management weighing ALL the pros and cons before making decisions, or is it simply looking at the cons out of context? Even the COSO ERM framework explicitly recognizes that when justified by the opportunity, risk appetites should be exceeded.

So the next question is:

How does the risk committee contribute to success?

I struggle with this myself, in particular the next question:

Why do I need a separate risk committee when strategy and performance are discussed elsewhere?

Separating risk and strategy, or risk and performance management, makes little sense to me – unless your risk committee is there as window-dressing for compliance, rather than helping the organization both protect and create value in its pursuit and achievement of objectives.

I recall a panel discussion at an event years ago in Canada. The CEO of the Hudson Bay Company told us that his board had a Risk and Strategy Committee. I think this is a world-class practice.

So, what do you think? Does it make sense to have a committee that only focuses on the downside? If it is charged with assuring the board that due consideration is given to all the things that might happen during decision-making and risk-taking, how does that work?

I welcome your thoughts.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting / corporate strategy, enterprise risk management, financial risk, risk committee, risk management, risk monitoring, strategic objectives
