How to identify and mitigate threats – Ralph Ward and Dr. Muneer Muhamed

If a board has to govern an enterprise’s strategy and guide it, risk oversight is critical. But should the entire board take up the responsibility for risk management or form a subcommittee for that purpose?

Every strategy is a hypothesis and several underlying assumptions define its uniqueness. Understanding potential risks is essential for guiding the CEO on strategy and how to manage it. Insights obtained from both internal and external sources help a board to make informed decisions and chart the business’ direction.

Many directors ask us why they should look at a separate risk unit and whether the audit committee can’t do this as part of their work. Most often, the audit committee won’t have the required skills, time and mindset to do this job. And boards shouldn’t assign risk management to the audit committee since it’s probably overloaded already.

It’s also better to form a separate risk committee when enterprises face special issues – for instance, those in sectors such as power, banking and natural resources, where problems of credit, pricing, regulation and so on can be ever-changing. Likewise, tech companies regularly face disruptive forces and need a special focus on risk mitigation.

A risk committee must consider the entire organisation and use a systematic approach to categorise, monitor and inform the management on risks, and help it to focus on risk mitigation processes.

The current economic crisis in Sri Lanka is scary for most boards, and they are all evaluating the risks facing their businesses much more deeply. At a tactical level, that means building practical risk oversight into the board structure. This is typically done through the audit committee; but often, it requires the establishment of a customised board-level risk committee.

Laws in most developed economies now mandate organisational disclosure not only of major risk factors but also of how the board structures its oversight of the same. This has improved corporate risk data collection and reporting, and enabled more formalised board review and discussion.

Data varies by country and sector (the percentages are highest in Asia). But overall, about 25 percent of corporations seem to have a distinct risk committee – seen mostly among large cap and financial services companies. Another survey found that 65 percent of businesses make the audit committee their default entity for board risk oversight.

How board risk management is allocated isn’t that simple. Risk oversight is customised to each business’ needs and current climate, and then integrated. Creating a risk committee is seen as an insurance policy, and many of them are able to put in the right processes and controls.

For example, compensation committees have added more charter space and agenda time to the specific risks their pay and incentive plans create for the organisation. Further, board risk consideration is a factor in the creation of new committees such as environmental, social and governance (ESG), technology, disclosure or compliance.

Another reason for separating risk oversight from the audit committee is better preventive action. Audit is tasked with a validating, backward-looking perspective, while a risk committee should be forward-looking. Often, the forensic, numbers-driven structure of audit lacks the more dynamic, hypothetical approach needed to avoid dangers.

For businesses that do create a specific risk committee, aspects have changed as board risk oversight has matured. Rather than nominating members at random, boards now need to ensure that these nominees have the required expertise and knowledge in areas on which the industry depends.

Technology is hot at the moment, and every board needs a focus on digital maturity and impact, in addition to cybersecurity and the metaverse. This aligns with risk management; and boards should consider the dangers of cyberattacks and data theft, and the risk of missing new digital, strategic and marketing opportunities.

Going forward, boards may want to set up a formal process of documenting the roles and responsibilities of risk committees, and define what will be overseen by the board compared to the committee.

Risk committees must identify, monitor and manage critical risks, propose scenarios for the executive team, and meet with its members quarterly to discuss any potential threats and evaluate the risk ‘heat maps’.

The committee must also set up a process for regular risk reporting by the enterprise, coordinate with other standing committees on key issues of risk, and evaluate and appraise the cultural aspects of the enterprise that may encourage premature or inappropriate risk-taking.

In some organisations, health and safety practices do not always conform to the set norms, and even CEOs think accidents will not happen to them. The bottom line is that a risk committee should ultimately align with and support the board’s overall governance of risks.