The new Risk Coalition guidance clearly sets out the duties of a risk committee, composed of Non-Executive Directors. It has eight principles as an advisory body however, as principle one notes this does not include ownership and responsibility for risk decisions: ‘The board retains ultimate accountability for the organisation’s principal risks’. The committee is designed to ensure compliance with the Corporate Code and consequently to promote good governance. The committee does not set risk strategy or risk appetite but advises on what is appropriate.
The guidance creates the case for a dedicated risk advisory committee, distinct from any responsibility for audit or finance but solely focused on risk. It is not a risk management body and the guidance sets out a further nine principles for the function of risk management by the Chief Risk Office and his department. The risk committee has a duty to safeguard the independence and objectivity of the risk function. This is a welcome reminder of the distinction between risk governance and risk management in organisations where there is scope for conflation of the two.
While the guidelines have been welcomed for filling a void in the regulatory landscape and providing a best-practice template, there remain some fundamental challenges in how risk is treated within the boardroom agenda. The guide provides principles for a committee of non-executive directors to act as an oversight body, a kind of corporate conscience for the executive board. This of course is no bad thing, but there are two large elephants that remain in the boardroom. The first is the toxicity of risk as a topic itself, and the second is the temptation for deference to specialists. These are also two well-known and well documented cognitive bias areas.
Risk as a topic tends to viewed through the lens of threat, an estimated business interruption that must be avoided or mitigated. Consequently a typical main board response is to opt for safe decisions or ‘risk aversion’. The risk management function will focus on business continuity to negate harmful interruption, a risk register will itemise predictable outcomes for which there is some contingency plan. Risk lies in the future and so cannot be managed, only estimated with varying degrees of certainty. A control mind-set is understandable but unhelpful. Investment banks, hedge funds and entrepreneurs seek risk for reward, not all risk represents a threat.
The creation of a dedicated risk advisory committee allows the board to treat risk as a worthy agenda item, but like Sustainability or ESG it is a topic that runs across the whole board agenda. Boards must be encouraged to own collective responsibility for risk and understand its true nature. Relying on the opinion of the CRO or risk committee can encourage deference to experts or under-estimate board liability in risk decisions. Too many board members defer to a risk expert when any member can identify risk to the organisation: it requires only an ability to envisage a future outcome, a skill not confined to experts. A new committee is good for raising the bar, but is it good for stewardship if it doesn’t encourage collective board responsibility or promote risk literacy?
For more information contact info@chiron-risk.com