Risk committees becoming more prevalent on boards, says Deloitte

What can happen, does, and sometimes so does the unthinkable. For companies, there are risks everywhere and the stakes are high, while the complexities of risk oversight and governance have never been greater.

The results of a new report show that risk is the topic du jour for corporations.  Deloitte Touche Tohmatsu Ltd. examined 400 large public companies in the US, Australia, Brazil, China, Mexico, the Netherlands, Singapore and the United Kingdom. Some 38 percent of all corporations have a board-level committee focused on risk, whether as a standalone committee (22 percent), or a hybrid (16 percent) where risk responsibilities are shared with other responsibilities, such as those of the audit committee. Hybrid committees are particularly prevalent in Australia and less so in Brazil, China, and the UK.

A key determinant in who does what is local regulations. Six of the eight countries studied require companies in the Financial Services Industry (FSI), to establish a risk committee at the board level, though rules may vary according to company size and type. Strikingly though, 62 percent of all companies analyzed don’t have a separate risk committee, which largely reflects most countries’ lack of regulatory requirements regarding board-level risk oversight, says Dan Konigsburg, managing director of the Deloitte Global Center for Corporate Governance.

China has ‘suggested’ guidelines and in the Netherlands, authorities monitor FSI and non-FSI compliance with the corporate governance codes on a ‘comply or explain’ basis. A common theme across all countries is the greater emphasis put on risk oversight within FSI companies than within firms in other industries.

In the US, 76 percent of FSI companies (38 percent hybrid and 38 percent standalone) report having a board risk committee. However, a scant 2 percent of non-FSI companies have standalone risk committees, compared with 11 percent of non-FSI companies globally.

‘US companies tend to spread their risk oversight responsibilities among multiple board committees, rather than having a risk committee. However, these practices vary across industries,’ Konigsburg notes. The general trend among FSI companies is to establish a separate board risk committee, provided the size and scope of the organization and the risks it faces warrant it), he adds.

Singapore stands out as the country with the highest percentage of companies with standalone board risk committees (42 percent), followed by China (30 percent).  The Netherlands and the US tied for last place, with just 8 percent of their companies having a standalone risk committee on the board.

One lesson that emerges from Deloitte’s study is ‘given that companies’ practices are highly influenced by local regulations, which are subject to change, both regulations and risk committee configurations warrant continued monitoring,’ says Konigsburg. That said, regulations have often lagged or failed to anticipate companies’ actual risk-related needs. Boards that fail to assess the risk oversight and governance needs of their organizations could fall behind in their risk management efforts, cautions Konigsburg.

Corporations need an even greater sense of urgency regarding identifying, measuring, tracking, mitigating and managing risk, Konigsburg says. Boards need to more forcefully assert their risk responsibilities, including by clarifying for management the scope of board oversight of operational, financial, compliance and other areas. Specific directors should be put in charge of risk oversight including ongoing interaction with the company’s chief risk officer. And recruitment of new directors must be done with a preference for candidates with relevant risk management experience and expertise.

Amid a tougher business and regulatory environment, Deloitte expects more companies to create standalone risk committees on their boards. ‘Risk has to be elevated as a management and organizational concern in day-to-day operations,’ says Konigsburg.