With risk high on board agendas, should boards be thinking about having a separate risk committee, in addition to their audit committee?
Last month, a KPMG Board Leadership Centre FTSE 350 non-executive director discussion event, facilitated by the Risk Coalition, helped to weigh up the pros and the cons.
In 15 years as a non-executive director, I’ve chaired audit committees, audit & risk committees, risk & audit committees, also standalone risk committees! While regulated and part-regulated firms may be required to have a risk committee, the Risk Coalition’s research demonstrates that boards have rarely put in place a separate risk committee where this is not required by the regulators. But is that starting to change and, if so, for what reasons?
The availability of the Risk Coalition’s principles-based guidance, Raising the Bar, has certainly prompted a number of boards to check whether they are sufficiently aware of – and adequately carrying out – their risk oversight accountabilities. Some boards even perceive these accountabilities as a technical or executive matter for consideration elsewhere in the organisation, but not necessarily by themselves.
Despite the headline failures of Carilion, Patisserie Valerie and other cross-sector organisations, the FRC Corporate Governance Code still says very little about risk – but, in a code revision planned soon and following the Brydon report to BEIS, that may change substantially.
The FTSE 350 debate at the discussion event explored how and why risk committees are now being adopted more frequently, including how ESG assurance, digital technology transformations, cyber risks and other drivers are coming to the fore. As the assurance expected by stakeholders is increasing, expected to come from sources independent of the company, and expands in non-financial areas, the terms of reference of a risk committee becomes more clearly separated from audit and financial controls matters.
Was there a conclusion to the debate? Well perhaps only that each governance situation is different and proportionality and comply-or-explain still apply – but the steady march towards ESG plans and proofs, also the increased time spent on emerging risks, digital transformation, business resilience and the avoidance of terminal cyber risks implies that a separated risk committee probably becomes inevitable.
A detailed summary of the debate, facilitated by Chris Burt and Bryan Foss from the Risk Coalition, can be found here.
Bryan Foss is an experienced non-executive director, FRC advisor and co-author of the Risk Coalition’s guidance. He also mentors high-growth technology company founders and senior executives of blue-chip companies into their early NED roles.