Risk Committee Resource Guide - Deloitte

Risk Committee Resource Guide

For related information and guidance, visit the Deloitte Centre for Corporate Governance website at: www.deloitte.co.za

Contents

Introduction: Risk committees become reality
Section 1: Considerations in forming a risk committee
Section 2: Risk committee charter and composition
Section 3: Fulfilling risk-oversight responsibilities
Section 4: Risk Intelligent enterprise
Section 5: On-going education and periodic evaluation
Conclusion: Ever vigilant, continually improving
Appendix A: Sample risk committee charter
Appendix B: Illustrative planning tool
Appendix C: Risk committee performance evaluation
Appendix D: Board-level Risk Intelligence map
Contacts

Introduction

Risk committees become reality

This guide aims to assist board members of companies in designing, developing, and operating a board-level risk committee. In terms of the King Report of Governance for South Africa, 2009 (King III), it is recommended that the board should assign oversight of the company’s risk management function to an appropriate board committee (for example a risk committee or the audit committee). This is in line with international developments; for example, in the United States the Dodd-Frank Act [1] requires such committees for certain bank holding companies.

Deloitte developed this guide in response to growing interest in board-level risk committees. While many companies already have a risk committee (or in many instances a combined audit and risk committee), quite a few do not. Also, companies that do have risk committees may benefit from revisiting their risk committee charters and activities. In doing so, the board can ascertain that the risk committee has the composition, reporting relationships, and responsibilities that best suit the enterprise.

This resource guide first presents considerations for a board contemplating the formation of a risk committee (Section 1). It then covers topics that a risk committee charter might include, as well as guidance on developing and using the charter (Section 2). Next, the guide provides suggestions related to how a risk committee may go about fulfilling its chief responsibilities (Section 3), an overview of the Risk Intelligent approach to risk management (Section 4), and guidance on the committee educating and evaluating itself (Section 5). Most sections include example questions to ask when developing a risk committee.

While risk management is not a new concept, many companies are refreshing their thinking with regard to risk governance and oversight, as are many board members. We trust that this guide will help improve board members’ and senior executives’ knowledge of risk committees and of risk governance and oversight. We encourage interested readers to make use of the tools and resources mentioned and included in the appendix of this guide.

[1] The Dodd-Frank Wall Street Reform and Consumer Protection Act is a federal statute in the United States signed into law by President Barack Obama on July 21, 2010. It promotes the financial stability of the United States by improving accountability and transparency in the financial system, ending “too big to fail,” protecting the American taxpayer by ending bailouts, protecting consumers from abusive financial services practices, and other purposes.

[Figure: Components of risk management. Layers shown: Oversight; Common Risk Infrastructure (People, Process, Technology); Risk Management Activities; Risk Classes.]

Section 1

Considerations in forming a risk committee

According to King III the board is responsible for the governance of risk through formal processes, which include the total system and process of risk management. The board should show leadership in guiding the efforts aimed at meeting risk management expectations and requirements. Although the board remains ultimately responsible for the governance of risk, it may delegate this function to a separate committee.

The Listings Requirements of the Johannesburg Stock Exchange (JSE) require listed companies to have a risk committee comprising a minimum of three members. Membership of the risk committee should include executive and non-executive directors. Those members of senior management responsible for the various areas of risk management should attend the meetings. The chairman of the board may be a member of this committee but must not chair it.

The role of the committee is to perform an oversight function. In doing so, it should consider the risk policy and plan, determine the company’s risk appetite and risk tolerance, ensure that risk assessments are performed regularly, and ensure that the company has and maintains an effective on-going risk assessment process, consisting of risk identification, risk quantification and risk evaluation. This risk assessment process (using a generally recognised methodology) should identify risks and opportunities, and measure their potential impact and likelihood. The committee should receive assurance from internal and external assurance providers regarding the effectiveness of the risk management process. In turn, management is responsible for the design, implementation and effectiveness of risk management, as well as continual risk monitoring.

It is of vital importance that members of the risk committee have experience within the industry. This would allow them to identify areas of risk and be aware of the appropriate methods of managing the company’s exposure via internal (the control environment) or external (such as through insurance cover) means.

Risk management is an often misunderstood discipline within a company. Too often the responsibility for ensuring that the significant risks are identified and adequately managed is not acknowledged, or is inappropriately delegated to the audit committee. There are two reasons why the risk management function should not report to the audit committee, but should be monitored by a separate risk committee. The first is that, as a consequence of the prescribed composition of the audit committee (all members must be independent non-executive directors), the function will often have a financial focus when risk management should correctly extend far beyond the finances of a company.

Secondly, the audit committee should act as an independent oversight body. Having to directly oversee the risk management function would generally involve a large amount of detailed review of the processes and workings of the company. This would necessarily have a detrimental effect on the objectivity of the audit committee’s members when considering reports of the risk management function. The formation of a separate committee recognises the fact that the identification and management of risks impacting the business, and the disclosure of these to the shareholders, is vital to good governance.

In addition, the JSE is aware that some listed companies combine the audit and risk committee. The JSE warns that, given the difference in the membership of these committees, listed companies must ensure that in these instances the membership of the combined committee meets the more stringent independence criteria of the audit committee as set out in the Companies Act and King III. The result of a combined committee is that all the members must be independent non-executive directors. This precludes executive directors (such as the CEO and CFO) from membership. However, given the key role of the CEO in the risk management process, best practice (as captured in King III) requires the risk committee to comprise a combination of executive and non-executive directors. Also, a combined audit and risk committee will inevitably have a strong focus on financial risks, which may result in inadequate attention to operational and related risks.

It is our recommendation that the responsibility for risk management be delegated by the board to a separate risk committee, comprising both executive and non-executive directors. Where more than one committee bears responsibility for risk management (e.g. the audit committee oversees financial risks and the remuneration committee oversees risks pertaining to compensation), it is paramount that the responsibilities are clearly demarcated and that communication channels are established to ensure that the respective committees take cognisance of and consider the reports and recommendations of the other relevant committees.

In considering whether or not to establish a risk committee one might consider the following key factors:

- Inherent risk environment: The need for a risk committee may be precipitated by the inherent risk environment. The extent, complexity, and potential impact of risks should be considered, and weighed against the ability of the board or a board committee (e.g. the audit committee) to deal sufficiently with the workload.

- The needs of stakeholders: The needs of the enterprise and its stakeholders should be considered. It may also behove the board to assess the quality and comprehensiveness of the current risk governance and oversight structure, the risk environment, and the future needs of the organisation. The composition and activities of the risk committee and its relationship with other board committees could reflect the board’s assessment of those factors.

- Alignment of risk governance with strategy: The board should consider whether risk oversight and management are aligned with management’s strategy. Enterprises vary widely in their business models, risk appetite, and approaches to risk management. A key consideration is that the board, management, and business units be aligned in their approach to risk and strategy, so as to promote risk-taking for reward in the context of sound risk governance.

- Oversight of the risk management infrastructure: A question to consider is whether the risk committee is responsible for overseeing the risk management infrastructure (the people, processes, and resources of the risk management program) or whether the audit committee or entire board will oversee it.

- Scope of risk committee responsibilities: The board may need to decide whether the risk committee will be responsible for overseeing all risks, or whether other committees, such as the audit committee or the remuneration committee, will be responsible for some. For example, oversight of risks associated with financial reporting may remain under the audit committee, while those associated with executive remuneration plans might remain with the remuneration committee. But because functional risks (such as tax or human resources risk) are often connected to operational or strategic risks, it is important to consider how the interconnectivity of risks is addressed. In any event, the board will need to determine which committees will oversee which risks.

- Communication among committees: The board should consider how the committees will keep one another, and the board itself, informed about risks and risk-oversight practices. Efficiency and effectiveness call for clear boundaries, communication channels, and handoff points. This need may require the board to define these elements clearly, making adjustments as needed.

General role of the risk committee

The risk committee will have specific responsibilities that include, but are not limited to, oversight and approval of the enterprise risk management framework commensurate with the complexity of the company, including the items below (note that these responsibilities are performed by the committee on behalf of the board; ultimately the board remains responsible for the final approval of the risk policy and risk management):

- Oversight of risk appetite and risk tolerance appropriate to each business line of the company
- Appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure for the enterprise as a whole
- Processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on an enterprise-wide basis
- Monitoring of compliance with the company’s risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls across the enterprise
- Effective and timely implementation of corrective actions to address risk management deficiencies
- Specification of management’s and employees’ authority and independence to carry out risk management responsibilities, and
- Integration of risk management and control objectives in management goals and the company’s compensation structure.

The risk governance infrastructure

The totality of the risk governance infrastructure includes the oversight provided by board committees in their risk-related roles. The risk governance infrastructure sets forth how the board defines the role of board committees and the full board in overseeing risk. For example, is there a separate risk committee of the board, or is risk oversight handled only by the audit committee or spread across committees, depending on expertise? And, finally, what is the role of the full board in overseeing risk?

To establish an appropriate risk governance infrastructure, the board might consider defining the risk-related roles and responsibilities of each committee as well as clear boundaries and communication channels among them. The board will need to understand and define which committees are responsible for which risks and how each committee oversees risks.

Sample questions to ask about forming a risk committee:

- How long is the term of service for members and for the chair? Will the chair position rotate, or will he/she be appointed or reappointed by vote or other means?
- What are the responsibilities of the risk committee and of the committee chair?
- How will the chair, the committee, and its members be evaluated?
- Will the management risk committee report to the risk committee, the Chief Risk Officer (CRO), or the CEO?
- Are subsidiaries or other related entities subject to the risk committee?
- Which risks will the risk committee oversee and which will be left to other board committees?
- Which board members have the experience to be on the risk committee, and how can the company attract and cultivate appropriate risk committee members?
- How will the board keep abreast of changes in regulations and in risk governance and management practices?
- How will the board ensure that the committee has access to the people and resources it will need to carry out its responsibilities?

Section 2

Risk committee charter and composition

Risk committee charter

Often, the board and its risk committee define their roles in risk oversight and governance by means of the risk committee charter. The charter is also among the main tools the board has for disclosing its approach to risk oversight. In writing the charter, the board and the risk committee will determine the risk committee’s role and responsibilities in risk governance.

Board committee charters specify the committee’s responsibilities and how it carries them out. The risk committee charter discloses the board’s involvement in and approach to risk oversight, the committee’s relationship to the CEO, Chief Risk Officer (CRO) and to management’s risk committee, and other key elements of risk oversight.

In developing risk committee charters, boards may wish to consider including provisions that specify:

- The separate nature of the risk committee and that it has been established to exercise enterprise-wide risk-oversight responsibilities
- The risk-oversight responsibilities of the committee and how it fulfils them
- Who is responsible for oversight of management’s risk committee, for example, whether it is the CRO, the risk committee, the full board, or the CEO (although, typically, the full board is ultimately accountable and responsible for risk governance)
- Who is responsible for establishing the criteria for management’s reporting about risk to the board (although the actual criteria need not be set in the charter, because they are expected to change as the enterprise and risks change)
- The composition of the risk committee and the qualifications of risk committee members
- The board’s or risk committee’s responsibilities regarding the enterprise’s risk appetite, risk tolerances, and utilisation of the risk appetite
- The board’s or risk committee’s responsibility to oversee risk exposures and risk strategy for broadly defined risks, including for example credit, market, operational, compliance, legal, property, security, IT, and reputational risks
- The risk committee’s responsibility to oversee the identification, assessment, and monitoring of risk on an on-going enterprise-wide and individual-entity or line of business basis
- The risk committee’s responsibility to approve the charter of the management risk committee, if the board, in compliance with the company’s Memorandum of Incorporation, delegates that responsibility to the risk committee
- The reporting relationships between the risk committee, the CEO, the CRO and the management risk committee
- The risk committee’s oversight of management’s implementation of the risk management strategy
- The risk committee’s responsibility to ensure that risk management is embedded in the business and all decision-making processes
- The use of specialists in areas where risks are complex
- Terms of service of risk committee members and the chair, with incumbents subject to reappointment; term limits (which may preclude members or chairs from having their terms renewed) may not be desirable because they may cause the loss of individuals in valued roles

In general, the more precise the charter, the better positioned the risk committee will be to exercise oversight. For example, a detailed charter should enable the committee to develop an annual meeting calendar, based on the responsibilities and required meeting frequency. The calendar might include, for example, specific risk issues (such as risk appetite) and activities (such as risk committee education) for discussion, as well as meeting agendas, using the responsibilities in the charter as a guide. In addition, it may be appropriate to coordinate the risk committee calendar with those of the audit, remuneration, and nominations committees so that the risk committee will, at a minimum, be made aware of the risk-related activities of those committees. Coordinating their calendars enables the committees to coordinate their activities and use of resources to maximise risk-oversight efficiency.

Tools and resources: Deloitte has developed a model risk committee charter as a guide and template for boards and committees that are developing their charters. The model risk committee charter is located in Appendix A and can be used with the calendar planning tool in Appendix B.

Developing and using the risk committee charter

The following guidelines can be considered by a board or risk committee as they develop and use a risk committee charter:

- Develop the charter as a group: Risk committee members, under the guidance and with the approval of the full board, could develop the charter as a group (perhaps with the assistance of an external facilitator). While the actual writing of the charter can be delegated to management, input from the board and committee members should be considered regarding the key principles embedded in the charter, which risks will be overseen, whether the CEO/CRO will report to the risk committee, and other key points. Ideally, all risk committee members would agree to the charter and approve it, as would the board.

- Use the charter as a guide: A risk charter is not to be written and shelved but instead put to use. When the committee is in doubt as to its responsibilities, or feels the need to assert its risk governance role with senior executives, it can reference the charter for guidance. Providing the charter as part of the orientation package for new members of the board and its committees may help on-boarding, and the charter may be used in locating and hiring the committee’s members, who may be recruited from among existing board members or elsewhere.

- Review the charter annually: An annual review of the charter to update the committee’s role in risk oversight by the board and risk committee may also be required. The charter should be updated as needed to keep the committee’s structure and practices in line with regulatory requirements and the enterprise’s needs. It could also be periodically reviewed by a qualified external third party to assess whether the committee’s structure and responsibilities reflect leading practices in the industry. The results of a regular review of the effectiveness of the committee may also provide useful guidance with respect to the content of the charter.

Composition of the risk committee

The Companies Act provides the board with the power to appoint board committees, and to delegate to such committees any of the authority of the board. The authority of the board to appoint board committees is subject to the company’s Memorandum of Incorporation. If the company’s Memorandum of Incorporation, or a board resolution establishing a committee, does not provide otherwise, the committee may include persons who are not directors of the company. However, it should be noted that where non-directors are appointed to a board committee, such persons are not allowed to vote on a matter to be decided by the committee.

“Board committees constitute an important element of the governance process and should be established with clearly agreed reporting procedures and a written scope of authority. The Act recognises the right of a board to establish board committees but by doing so, the board is not exonerated of complying with its legal responsibilities.” (King III, principle 2.23, par. 125)

Consider having risk committee members who are knowledgeable about risk governance and management and about the risks the enterprise faces and methods of managing them. It may be advantageous to have risk committee members with knowledge of business activities, processes, and risks appropriate to the size and scope of the enterprise, as well as the time, energy, and willingness to serve as active contributors.

The composition of the risk committee (as proposed by King III) is somewhat unique in that it should comprise a combination of directors (both executive and non-executive directors) and non-directors. The JSE (through the application of King III) echoes the requirement that both executive and non-executive directors be appointed to the committee. (King III indicates that all other committees should comprise only non-executive directors, of which the majority should be independent.) Neither King III nor the JSE requires the appointment of independent directors on the risk committee. The chairman of the board may be a member of this committee but must not chair it.

Members of the risk committee, taken as a whole, should comprise people with adequate risk management skills and experience to equip the committee to perform its functions. To supplement its risk management skills and experience, the risk committee may invite independent risk management experts to attend its meetings. Those members of senior management responsible for the various areas of risk management should attend its meetings.

As with all matters related to board composition, the nominations committee typically has the authority to define the qualifications of its members. It can also help determine whether current board members can provide the needed skills. In most organisations, the nominations committee would assist in recruiting, vetting, and approving risk committee members. Risk committee members may be recruited from the current board and should ideally include a combination of executive and non-executive directors.

Notes: As there is some overlap between the functions of the audit committee (responsible for, among others, overseeing the management of financial risks) and the risk committee (responsible for all other risks), we find that there is often an overlap in membership of the audit committee and the risk committee. Many companies find it appropriate to appoint one or two members of the audit committee, one or two other non-executive directors, as well as the CEO and the CFO as members of the risk committee. Of course, the collective membership of the committee should account for the range of skills and experience required to guide management and perform effective oversight with respect to the risk management process. Other relevant members of the senior management team (for example the Chief Internal Auditor, Chief Risk Officer, Chief Information Officer, etc.) are invited to attend all meetings.

Asking questions and weighing considerations related to the composition of the risk committee is one element of effective board succession and development plans.

Section 3

Fulfilling risk-oversight responsibilities

Successful risk oversight depends, in part, on the ways in which the risk committee fulfils its responsibilities and interacts with the executive team, CRO, board, and stakeholders.

Responsibilities

Broadly, the responsibilities of a risk committee may include the following:

- Oversee the risk management infrastructure: The full board may oversee the organisation’s risk management infrastructure (see sidebar below), or this oversight responsibility can be delegated to the risk committee, rather than to the audit committee (the committee that historically has had primary responsibility for overseeing the risk management infrastructure). The JSE Listings Requirements permit the board of a listed company to delegate this responsibility to a risk committee, rather than to the audit committee. Where the responsibility is delegated to a combined audit and risk committee, listed companies must ensure that in these instances the membership of the combined committee meets the more stringent independence criteria of the audit committee as set out in King III (see comments above).

- Address risk and strategy simultaneously: Address risk management and governance when strategies for growth and value creation are being created and management decisions are being made. The purpose of this responsibility is typically not to promote risk avoidance, but the opposite: to promote risk taking for reward in the context of sound risk governance.

- Approve the risk management policy and plan: The risk committee should be able to demonstrate that it has dealt with the governance of risk comprehensively. This should include the development and implementation of a policy and plan for a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, as well as the related internal control, compliance and governance processes within the company. Management should develop both the risk management policy and the plan for approval by the committee. The risk management policy should set the tone for risk management in the company and should indicate how risk management will support the company’s strategy. The risk management policy should include the company’s definitions of risk and risk management, the risk management objectives, the risk approach and philosophy, as well as the various responsibilities and ownership for risk management within the company. The risk management plan should consider the maturity of the risk management of the company and should be tailored to the specific circumstances of the company. The risk management plan should include:

  - the company’s risk management structure
  - the risk management framework, i.e. the approach followed, for instance, COSO, ISO, IRMSA ERM Code of Practice, etc.
  - the standards and methodology adopted; this refers to the measurable milestones such as tolerances, intervals, frequencies, frequency rates, etc.
  - risk management guidelines
  - reference to integration through, for instance, training and awareness programmes, and
  - details of the assurance and review of the risk management process.

  The committee should review its risk management plan regularly but at least once a year.

- Approve the process for risk identification: The risk management plan should set out the process for risk identification. This can take various forms, e.g. scenario planning, a management workshop, etc. The risk committee should assess the robustness of the process for the identification of all risks, and review and approve outcomes of the process.

- Assist with risk appetite and tolerance: The risk committee should help establish, communicate, and monitor the risk culture, risk appetite, risk tolerances, and risk utilisation of the organisation at the enterprise and business-unit levels. Risk appetite defines the level of enterprise-wide risk that leaders are willing to take (or not take) with respect to specific actions, such as acquisitions, new product development, or market expansion. Where quantification is practical, risk appetite is usually expressed as a monetary figure or as a percentage of revenue, capital, or other financial measure (such as loan losses); however, we recommend that less quantifiable risk areas, such as reputational risk, also be considered when setting risk appetite levels. Once the risk appetite is defined, the committee (in consultation with management) then should define specific risk tolerances, also known as risk targets or limits, t