Should the Board Have a Separate Risk Committee?

Thursday, December 01, 2011, By Jim DeLoach


The Dodd-Frank Act requires a separate risk committee, composed of independent directors, for publicly traded bank holding companies with $10 billion or more in assets, and for publicly traded nonbank financial companies supervised by the Federal Reserve. Over time, we may see some "trickle-down effect" to the board risk oversight of nonfinancial companies. Thus the question arises as to whether a board should establish a separate risk committee.

The full board should retain overall responsibility for risk oversight, mirroring its overall responsibility for strategy. Except where there are statutory requirements, the board has the flexibility to organize itself in a manner that makes sense in view of its company's size, structure, complexity, culture and risk profile, as well as the board's size, composition and structure.

To enhance effectiveness and efficiency and to address specific regulatory requirements, specific risk oversight responsibilities can be allocated to various standing committees in keeping with the specific risks germane to each committee's responsibilities.

No Single Solution

A separate risk committee is not a one-size-fits-all proposition.

For some companies, it may be a good idea - in certain circumstances. A risk committee allows the audit committee to focus on its core financial-reporting-related responsibilities. It enables focused director attention on the company's most critical risks and risk management capabilities, particularly for companies with complex market, credit, liquidity and commodity pricing risks.

A risk committee also fosters an integrated, enterprise-wide approach to identifying and managing risk and provides an impetus toward improving the quality of risk reporting and monitoring, both for management and the board. This approach can assist the board in focusing on the big picture. It also can provide strong support for company executives who are given broad risk management responsibilities, resulting in a stronger focus at the board level on the adequacy of resources allocated to risk management.

However, a separate risk committee is not a panacea. It may be more important to evaluate whether a sufficient number of independent directors possess deep knowledge and experience in dealing with the industry and its critical risks.

Beware Overlaps

A risk committee won't cover any gaps in the company's risk management process and is highly dependent upon the quality of (a) inputs to, and outputs from, that process; and (b) information and insights from external sources. Redundant activity can arise as risk management issues are considered through the work of other board committees. Most board members serve on several committees already; therefore, adding one more committee can dilute the board's focus.

For companies listed on the New York Stock Exchange, the audit committee is required to include in its charter a responsibility to discuss with management the company's policies around risk assessment and risk management, even if the board sees fit to set up a separate risk committee. The board needs to be careful that the creation of a risk committee does not result in a subconscious attitude of delegation by the rest of the board on risk matters, such that the non-committee members begin to view risk as a matter for the committee and not the full board.

If a separate risk committee is deemed appropriate, given the risk oversight responsibilities outlined in the various standing committees' charters, it might take on some of the following roles:

  • Determine that there is in place a robust process for identifying, managing and monitoring critical risks; oversee process execution; and ensure continuous process improvement as the business environment changes.
  • Provide timely input to executive management on critical risk issues.
  • Engage management in an ongoing risk appetite dialogue as conditions and circumstances change and new opportunities arise.
  • Oversee the conduct, and review the results, of enterprise-wide risk assessments, including the identification and reporting of critical enterprise risks.
  • Oversee the management of certain risks having the complexity and significance to warrant the attention of a separate board committee composed of directors with the requisite expertise.
  • Help coordinate activities of the various standing committees for risk oversight.
  • Watch for dysfunctional behavior in the company's culture that could undermine the effectiveness of the risk management process and lead to inappropriate risk-taking, such as (in cooperation with the compensation committee) the nature and balance of the compensation structure and how it may encourage inappropriate risk-taking.

The risk committee charter should clarify that the committee's activities support the board's overall risk oversight objectives. With respect to risks that the risk committee is assigned to oversee, care should be taken to watch for overlaps (e.g., compliance risk with the audit committee).

Boards of directors may consider, in the context of the nature of the risks inherent in the entity's operations, questions such as the following: Has the board considered how it should organize for risk oversight? Are the board and/or responsible committees - including a separate risk committee, if one exists - confident that directors are receiving the comprehensive, objective information they need to perform risk oversight?

Jim DeLoach is a managing director with consulting firm Protiviti. The firm has a network of more than 70 offices around the world and is a subsidiary of Robert Half International.
