After the financial crisis of 2008, Dodd-Frank mandated enhanced risk management standards for larger financial institutions. Included in the legislation was a risk committee requirement applicable to publicly traded U.S. and foreign banking organizations with more than $10 billion in total consolidated assets. All organizations meeting this threshold were required to have a standalone risk committee operating under a formal, board-approved, written charter. Fundamentally, risk oversight has always been the responsibility of the board; however, mandating a separate risk committee essentially meant that the regulators were going to expect a heightened level of expertise and put the role of risk management on par with other designated committees of the board, such as audit. The rule was prescriptive in that it required institutions to establish a formal written risk governance framework, approve a risk appetite statement annually, and set forth an approval mechanism for material changes in an institution’s business model, strategy, risk profile or market conditions.
While this rule does not apply to the average community financial institution, the regulators have been adopting a broader view of risk management and are migrating some of the concepts of enterprise risk management down to smaller institutions. Traditionally, risk management in the community institution setting has been the job of the audit committee, with the focus clearly on the assurance function. While audit plays a key validation role and should not be underestimated, the concept of the risk committee is something entirely different. With the growing level of uncertainty about the future, heightened risk from disruptive technologies, and greater customer expectations, these risks may be too great to be handled by the board alone or by its audit committee, and a separate risk committee may be an added benefit worth considering.
Everyone can agree on one point: the goal of any committee is to get management the valuable information it needs to manage the institution. It helps to first understand the difference between a risk committee and the traditional audit committee. Overall, the two committees serve two separate purposes and review different, although complementary, information. The audit committee deals with what HAS happened. Its primary purpose is to provide oversight of the financial reporting process, including the audit process, and the system of internal controls. This committee is the third line of defense and spends most of its time focusing on compliance risks related to the integrity of financial statements. The audit committee typically operates in a box governed by strict guidelines and timing requirements. Audit committee members are chosen based on their financial acumen, which does not necessarily make them well suited to discussions of risk. A Google search of an average audit committee charter reveals that the primary function of the audit committee is to assist the board of directors in fulfilling its oversight responsibilities by reviewing financial reports and other financial information, the system of internal controls, and the auditing, accounting and financial processes. Its primary duties are to serve as an independent and objective party to the financial reporting process, review and appraise the audit efforts of independent accountants and internal auditing departments, communicate with independent accountants and the board of directors, and monitor legal and regulatory requirements.
Contrast that with a typical risk committee’s objective, which is to deal with what COULD happen. To illustrate, the charter of a risk committee lists its primary purpose as assisting the board in overseeing the risk management activities of the institution and reporting to the board on the effectiveness of its risk management framework. The committee will assist the financial institution in meeting its strategic directives by identifying, assessing, monitoring, and managing risks within the risk framework to identify the most significant risks and implement effective responses. The risk committee’s primary responsibilities include oversight of the risks identified by the financial institution, review of management reports with respect to key risks, evaluations of the enterprisewide risk framework, and approval of a risk appetite statement. In short, the purpose of the risk committee is to employ strategic thinking and risk awareness so that management can make better decisions about the risks and opportunities that lie ahead.
The audit committee operates in a box dictated by accounting standards, but the risk committee can be more dynamic. One focuses on periodic audits and the other on continuous risk monitoring, allowing the institution to remain nimble as risk awareness is elevated. While the audit committee remains focused on financial reporting risk and controls, the risk committee can focus on the most critical risks to the institution and on whether risk management capabilities are in place. As previously mentioned, the audit committee has information about what has happened, whereas the risk committee receives information, on an enterprisewide basis, on both current and emerging risks to the larger mission of the institution.
Risk discussions require a different type of expertise and a higher level of understanding of the risks and the threats and opportunities that are inherent in those risks. A risk committee, if effectively employed, can enhance the effectiveness of the board by bringing greater insight to the risks that stand in the way of strategic goals, which is the principal reason for contemplating the development of a risk committee.