Risk committees: designing a horse and getting a camel?

When we examine what’s required of them, do risk committees hold water, asks ex-SEC risk oversight chief

It is often said that a camel is a horse designed by a committee. It has all the parts required – and then some – but the result does not necessarily meet the objective.

A risk committee is an integral component of an overall risk management programme – long viewed as a necessary forum for complex risks to be identified, evaluated and managed by experienced committee members.

Yet, as we attempt to respond to a global pandemic – which we were arguably ill-prepared to prevent or manage – it is time to re-evaluate the perception of their necessity and examine what risk committees actually do: whether they serve a useful role or are perhaps – like the camel – being asked to accomplish a goal that is unachievable.

Such questions are important because they address the fundamental value and structure of risk management programmes. If they are inadequate, they can expose an organisation to significant financial loss and serious damage to its reputation.

We have seen this many times. HSBC, for example, was prompted to introduce no fewer than 24 separate risk committees – for individual national subsidiaries, regions, and businesses, and along product lines – after being severely penalised in the US in the aftermath of widespread money laundering by Mexican drug cartels through its branch network.

Typically led by a chief risk officer or a senior risk manager, risk committees usually take the form of regular meetings, with members representing legal, compliance and operations groups as well as business unit leadership.

While some organisations have one general risk committee, others have separate committees for different risks, including credit, market, operational and reputational risk. Some maintain related committees that address specific topics such as fraud, conflicts and new products.

These committees differ from board-level risk and audit committees, which are formal subcommittees of a board of directors and perform an oversight role on behalf of the shareholders.

Risk committees also vary in their scope. Some review errors and operational risk incidents; some review aggregate credit or market risk exposures; and some discuss key trends and emerging issues. Many have formal agendas with detailed handouts and minutes.

Yet risk committees, like many other corporate committees, are limited in what they can accomplish.

A committee can be helpful in promoting consensus, but it can shift accountability away from individuals – and can create ambiguity about who is accountable for decisions. This can be a concern, for example, when there is disagreement among committee members, or if a member with a diverging view misses a particular meeting.

It is also worth considering whether – as in the current pandemic – video meetings can affect outcomes for better or worse.

Committees meet only periodically, naturally, but this can be an issue if an organisation needs an immediate answer on a pressing issue or pending trade, as is often the case in transactional businesses such as investment banking. It is important to consider alternative ways to obtain approval – such as contacting an available member of senior management – that serve as an adequate substitute.

Committees are also a direct reflection of their participants – including their personalities, backgrounds, agendas and biases. They are not, therefore, inherently distinct structures that perform consistent roles over time.

Committees, moreover, can be cautious and passive. They are inclined to reaffirm existing practices – a trait General Motors CEO Mary Barra described as “the GM nod”.

Consider what occurs at too many risk committee meetings that we have attended, observed or heard about. They are often ‘scripted’ and do not allow for discussion of controversial themes. Committee members might be concerned that they will be perceived as argumentative if they raise concerns. Individual members may not attend or carefully read the handouts. They may be distracted by emails or interruptions – or they may just be thinking about other matters.

Meetings can also consume precious time and prevent individuals from attending to other important matters. “I spend my day in meetings and can’t get any work done” – this is a common reaction of senior professionals, who increasingly now need to work longer hours to perform their roles.

There are indeed challenges associated with any committee. That is, however, why we need to carefully understand who is responsible for the management of specific forms of risk and uncertainty. There may be a perception that the risk committee is performing such a role – creating a process that is inherently flawed.

What should they look like?

Risk committees should not be a substitute for clearly delegated authority of individuals to assume distinct forms of risk and uncertainty – subject to agreed limits, whenever possible.

One familiar example is the flexibility provided to portfolio managers to make investment decisions subject to written investment policies. Another example is the approval given to a derivatives dealer to incur unsecured credit exposure to a counterparty up to a certain limit, beyond which collateral must be posted.

The most valuable purpose of a risk committee is arguably to provide a forum for individuals across the organisation to discuss emerging trends and issues that span divisions and operating units. Another useful purpose is to discuss organisational implications of issues such as regulatory developments, strategic trends and changes in market practice.

There is no simple solution or template for a risk committee because each organisation is different. We can, however, begin to adjust our thinking and practice by asking essential questions. Do we need another committee? Are the existing committees effective? Do they have a clear purpose? Do we understand their value and limitations? It is perhaps illuminating that HSBC’s response to widespread evidence of risk management weaknesses was to institute more committees.

We can also strive to make the meetings useful for the participants. This involves planning by the committee organiser, who should allow time for candid discussion of controversial issues.

In addition to what the committee does, it should be clear who has the authority within an organisation for taking risk and in what amounts. We should also avoid sessions with predetermined outcomes – why have them?

Risk committees have a purpose and a role, but we must adjust our expectations of what they can achieve. To be thoughtful managers of risk and uncertainty, organisations need clearly defined risk management programmes.

The pandemic has demonstrated how much risk management matters. Every aspect of a risk programme must be effective and serve a valuable purpose. Organisations will otherwise struggle to respond to another global crisis we have yet to consider.

Charles Fishkin is the former director of the Office of Risk Assessment at the US Securities and Exchange Commission. He is an adjunct faculty member in the Master’s Programme in Financial Engineering at Bernard M Baruch College of The City University of New York. The views expressed here are his own, and do not necessarily reflect the views of any other organisation.

 

Editing by Louise Marshall
