DelCreo Blog: Weighing the Risks


Running Effective Management Enterprise Risk Committee Meetings

Management-level enterprise risk committees, often called Executive Risk Committees (ERCs), are a critical part of an effective risk oversight framework. They provide a cross-functional venue to better understand and manage key risks, sharpen management's focus on key risk mitigation activities, and oversee risk reporting to the Board of Directors. Many companies establish an ERC but struggle to conduct committee meetings effectively and to maintain that effectiveness over time. The following suggestions may improve the results and sustainability of an ERC.

ERC Charter

Adopting a risk committee charter is a critical first step.  The charter should reflect the company’s operating model, business structure, and industry practices. The charter should articulate the organization’s overall risk strategy and help connect the enterprise risk process to corporate governance, strategic planning, budgeting and business management. The ERC structure, authority, approach, roles and meeting frequency should also be documented.

ERC Structure

Many risk issues require detailed discussion, analysis and coordination that do not require the time and oversight of the “C-Suite”. Therefore, many companies may benefit from a two-tier structure for their risk committee. In the two-tier structure, a working team or a separate committee (Operational Risk Committee, Risk Council, etc.) may be established that operates under the oversight of the ERC. In this case, the ERC would be limited to a small group, typically fewer than 10 of the most senior executives in the company. The Operational Risk Committee would be a larger group of risk owners and geographic, business unit and cross-functional leaders, and would be tasked with providing the initial analysis, review and approval of risk material before it is received by the ERC.

ERC Authority and Approach

The ERC’s authority and approach should be tied to the company’s overall organizational design and management approach, taking into consideration decision-making processes and the organizational structure of business units, functions and geographies. Risk reporting processes may be structured to be informative in nature, reviewing risk mitigation status, or more decision-making oriented, where incidents are escalated and resources are reallocated as needed. The authority and activities of the Operational Risk Committee should be aligned with the ERC's authority and approach.

ERC Roles and Responsibilities

  • Facilitate Cross-Functional Dialogue: Diverse committee members from representative departments, functions, geographies, etc. enable conversations grounded in a deeper understanding of cross-functional issues and, therefore, of enterprise risks.

  • Identify New and Emerging Risks: The ERC should help the organization stay ahead of potential issues by monitoring trends and changes in its external business environment and internal operations to spot new and emerging risks and respond accordingly.

  • Assess Risks: Risk owners are responsible for the ongoing identification of risk trends, issues and challenges in their area of risk ownership. They should monitor both internal and external sources to have better visibility into risk trends they are facing.  Risk owners should have responsibility for escalating risk incidents and issues to the risk committee and leadership. The ERC should review those assessments as well as the overall enterprise risk assessment.

  • Risk Updates: Evaluating the status of key risks and effectiveness of risk responses via risk update discussions is a key function of enterprise risk committees and critical to the continual improvement in managing specific risks and the organization’s risk management practices and capabilities. ERC members should be ready to ask risk owners questions and promote discussion.

  • Approve Risk Mitigation Strategies: Risk owners should review key elements of the risk mitigation strategy with the ERC and report on mitigation plans periodically. In many cases the risk mitigation plans will include efforts in other functions or parts of the company outside the direct responsibility of the risk owner.  The risk owner plays a key role in ensuring that cross-functional or geographic processes and activities are coordinated and budgeted to reflect the risk appetite or mitigation plans approved by the ERC and company leadership.

  • Key Risk Trends and Metrics: Risk owners should report risk trends, key risk indicators, and metrics to the ERC on a regular basis. The enterprise risk lead is often responsible for working with risk owners to collect risk updates and creating the report for the ERC. The enterprise risk lead may conduct further analysis on overall company enterprise risk status and success in managing key risks.

  • Tone at the Top: Senior leadership is responsible for the overall effectiveness of the ERC and active participation in meetings is critical to effective risk management and oversight. Furthermore, the overall company culture is directly impacted by how senior leaders respond to risk issues presented during ERC meetings. Leaders can establish a culture where issues are openly discussed and addressed without assigning blame. Alternatively, the company culture can be negatively affected when risk owners are punished when they present a clear picture of the risks and risk mitigation issues.

Improvement Ideas

  • Strengthen Risk Committee Meeting Execution: Meeting material should be distributed in advance, and time should be allocated during the meeting to read material to make sure everyone has a common background. Each ERC meeting should have an agenda; action items should be documented and communicated to risk owners and teams. Progress on previous action items should be reviewed, and risk mitigation obstacles should be addressed.

  • Risk Updates: Effective ERCs require someone in the organization to coordinate the ERC meetings, obtain updates from risk owners, create materials, and document ERC decisions and follow-up items. This role is often led by the enterprise risk management team or internal audit, acting within their designated role in the ERC charter. The enterprise risk lead should work to obtain updates from risk owners in a timely manner, allowing time for follow-up with risk owners if their submissions need clarification or fall short of the quality of other risk owners' submissions. Once the risk updates are compiled, analysis should be conducted to identify root causes, overarching trends or issues, and other enterprise risk insights. The overall analysis of all risk updates should be discussed with the ERC.

  • Risk Owners: At times, others such as the enterprise risk management leader, head of Internal Audit or senior leadership may want to drive the conversation about specific risks. However, when risk owners lead the discussion regarding their risks, it encourages accountability and keeps all members of the committee actively involved.

  • Resource Allocation: When risk owners articulate the need for additional support, collaboration or resources, senior leadership support is critical, even if details need to be worked out after the meeting. If the resources are not available to further mitigate a risk, the ERC may decide to accept the current risk levels, even though they would prefer to further reduce the risk. These decisions should be communicated to the Board as part of the risk oversight process.

See our Enterprise Risk Committee services page for more information or contact us to schedule a conversation.

Carey