OPINION: Risk committees’ crucial oversight role
Risk is inseparable from doing business, and risk mitigation has always been a key function of boards. There’s a case to be made that globalisation has raised the bar both in terms of quantum and quality of risk, so it’s no surprise that the King codes on corporate governance have emphasised risk governance as a key principle.
Before we look at the role of risk committees, it’s worth taking a step back to consider how King IV conceptualises board committees in general, as this article will be followed by a series of articles on each recommended board committee.
The difference in approach between King III and King IV in relation to board committees neatly encapsulates the shift towards the outcomes-based thinking that characterises King IV.
King III proposed that boards should delegate certain functions, one of them being risk, to designated committees. But in practice, it became apparent that there was a tendency to focus on the form (the committee) rather than the substance (achieving the goal).
To quote the Institute of Directors in Southern Africa’s (IoDSA) practice note on committees: “The process of managing risk was not the consideration, but merely whether the organisation had a risk committee.”
In line with its overall emphasis on outcomes, King IV emphasises the need for the board to make a judgement call about which committees would be necessary to achieve the desired end results, also taking proportionality into account.
In King IV, the rationale for the delegation of power to committees is to promote independent judgement, achieve a balance of power, and assist with the effective discharge of duties.
King IV recommends that boards consider allocating oversight of risk governance either to a dedicated committee or adding this responsibility to another committee. JSE regulations require listed companies to have a risk committee.
But it’s interesting to note that research by PwC entitled “How your board can understand if it needs a risk committee” shows that only 14 percent of companies listed on Standard & Poor’s 500 Index have risk committees, while 55 percent of directors say that their companies don’t have a risk committee and don’t need one. The point is not that a risk committee is necessary, but that risk governance actually occurs.
A crucial recommendation in King IV is that if risk governance is not being handled by the audit committee, some individuals should be members of both committees.
King IV recommends that the committee that handles risk governance should have both executive and non-executive members, with the majority being non-executive members of the governing body. The chair of the governing body can serve on this committee and can also be its chair. This makes the committee for risk governance one of the few on which executives should serve as members, and on which the governing body chair can serve.
Once the board has decided if a separate risk committee is warranted or whether risk governance could best be handled by another committee, the following should be considered:
The role of the committee. The governing body should set out the role and reporting process for the committee in a charter, reviewed regularly.
Some of the key deliverables would be a risk policy and plan, the organisation’s risk tolerance and appetite, regular risk assessments based on a continuous risk-assessment process, benchmarking and evaluation of risk governance.
Assurance relating to the risk-assessment process should be obtained from both internal and external sources. Risk committees should be prepared to make site visits to ensure they understand the link between value creation and risk.
King IV explicitly recognises that risk is the flip-side of opportunity, so the committee’s mandate should incorporate this concept.
The composition of the committee. King IV recommends a mix of executive and non-executive members, given the close link between risk and reward. Members should have experience in the industry. Inviting independent risk-management experts to attend some meetings could also make sense.
The governing body should stipulate how the membership of this committee should be rotated, and how its performance should be evaluated.
The integration of risk management into the organisation. The risk committee and the way it operates should be designed to encourage risk management to become an integral part of how the organisation conducts its business.
Key initiatives here would be to ensure that risk management is incorporated into how the organisation defines and implements strategy, so that the relationship between risk and value is understood, and to ensure that every part of the business is aware of risk and factors it into what it does. Benchmarking the risk committee’s performance would aid in this.
Embedding risk management into the organisational DNA would also be assisted if the governing body spends time debating the recommendations coming from the risk committee.
Parmi Natesan and Dr Prieur du Plessis are respectively chief executive and former chairperson of the Institute of Directors (IoDSA)