Do risk committees serve a useful role or are they trying to attain a goal that is in fact unachievable? If risk committees are inadequate, they can expose an organisation to significant financial losses and seriously damage its reputation.
I was interested to read some critical reflections by Ex-SEC risk oversight chief Charles Fishkin regarding the role and effectiveness of Risk Committees.
In an article with the intriguing title Risk Committees: Designing a Horse and Getting a Camel? – Fishkin asks the question as to whether risk committees serve a useful role or are they trying to attain a goal that is in fact unachievable. According to Fishkin, it is important to address such questions as they address the fundamental value and structure of risk management programmes. If risk committees are inadequate, they can expose an organisation to significant financial losses and seriously damage its reputation.
Fishkin believes that a committee can be helpful in promoting consensus, but it can also shift accountability away from individual managers and create ambiguity as to who is accountable for key decisions.
Committees are a direct reflection of their participants – including their personalities, backgrounds, agendas and biases.
They are not, therefore, inherently distinct structures that perform consistent roles over time. Committees can, moreover, have a tendency to reaffirm existing practices leading them to be cautious and passive in nature.
In Fishkin’s view these and other limitations should lead to a need for organisations to have a thorough understanding of who is responsible for the management of specific areas of risk and uncertainty – in other words who is the risk owner. Some people may have the perception that this role is fulfilled by the risk committee – a perception which Fishkin defines as inherently flawed.
According to Fishkin, the most valuable purpose of a risk committee should be to provide a forum for individuals across the organisation to discuss emerging trends and issues that span divisions and operating units. Another useful purpose is to discuss organizational implications of issues such as regulatory developments, strategic trends and changes in market practice. Apart from a clearly defined role for the risk committee it needs to be defined who it is that has the authority within an organisation to take a specific risk and to what extent.
Fishkin concludes that risk committees do have a purpose and a role, but we must have realistic expectations of what they can achieve.
The pandemic has demonstrated how much risk management matters. Every aspect of a risk programme must be effective and serve a valuable purpose. Organisations will otherwise struggle to respond to the next global crisis we have not as yet considered.
The article is a timely reminder of the trap that organisations can fall into to believe that it is the risk management department or the risk committee who are responsible for risk, rather than that it is the business managers who own risks and are accountable for risk management.