Managing Risk

Advantages and Challenges of Risk Committees

Risk committees help identify risk, gather information, implement risk management programs and create risk-aware cultures.
March 6, 2015
Topics: ERM | RIMS

Ever since the 2008 financial crisis, organizations across the country have been rethinking risk and how to manage it.

While many factors contributed to the crisis, not the least of them was a failure of the financial institutions at the center of the crisis to properly manage risk, which was aggravated by the growing complexity and velocity of the risks they were facing.

The Dodd-Frank Act, written and passed to prevent a repeat of the conditions that led to the financial crisis, addressed this issue head on. Recognizing the role inadequate risk management played in precipitating the crisis, Dodd-Frank included new regulations that require publicly traded financial institutions (other than banks) to establish risk committees.

While these requirements apply only to certain national and international financial institutions, the wisdom of the risk committee provisions has been recognized more broadly, and risk committees have come to be accepted as a best practice across other industries as well.

A new report by the Risk and Insurance Management Society (RIMS), “Exploring the Risk Committee Advantage,” examines the benefits and challenges of the risk committee concept, and describes different types of risk committees and important considerations regarding implementation.

John Phelps, director of business risk solutions, Blue Cross and Blue Shield of Florida Inc.

“The mistake a lot of enterprise risk managers make is designing their risk committee and then using it to design their program. It should be the other way around,” said John Phelps, a contributor to the report.

Before determining the appropriate type of risk committee, it is important to determine an organization’s risk management needs, said Phelps, who is director of business risk solutions for Blue Cross and Blue Shield of Florida Inc., and was 2013 RIMS president.

“Once you have decided on the program … then you should think about forming a risk committee as a way to facilitate it,” he said.

Risk-aware Culture

Risk committees offer a number of tangible benefits, such as helping organizations identify risk, gather information and implement risk management programs. But according to the report, one of the biggest benefits is creating “a more risk-aware culture throughout the organization.”

Report contributor and RIMS board member Gloria Brosius, director of risk management and insurance programs, Farm Credit Council Services Inc., said risk committees “make everyone in the organization a little more aware that risk management is everyone’s job.”

Risk committees can take a variety of forms, from board level, focusing on long-term strategic risk; to C-suite; to operational risk committees that focus on identifying exposures and developing and implementing risk control programs.

Brosius said that many organizations could incorporate some combination of the three. The best type for a given organization depends on that organization’s size and needs.

Considerations like the number of members and the frequency of meetings also depend on the size and nature of the organization, but the report includes specific recommendations. Risk committees should ideally have eight to 12 members.

“If you have too few people you’re not going to be able to accomplish your goals,” said Brosius, “but if you have too many, it’s going to be counterproductive.”

Best Practices

And while there is no consensus on the ideal frequency of risk committee meetings, the report recommended meeting more frequently at first. It also emphasized the importance of meetings being held in person.

Once the goals and configuration of the risk committee have been determined, it is important to define them, typically through a board-approved charter that spells out the committee’s purpose, focus and responsibilities, as well as specifics like meeting structure, schedule, and reporting requirements.

It is important to include enough flexibility that the committee isn’t unduly constrained, but Phelps added, “Having narrow expectations about reporting can add some teeth to what you are trying to do.”

Gloria Brosius, director of risk management and insurance programs, Farm Credit Council Services Inc.

The report is clear about the benefits of risk committees, but it also acknowledges the challenges.

Time constraints are always a concern. There is the potential for bias or skewed perceptions due to committee members’ individual backgrounds or the committee’s reporting structure. Junior members may feel inhibited from speaking freely in the presence of their superiors.

Perhaps the biggest challenge is getting adequate buy-in across the organization.

“Making something formal means you have to report on it, and it may require more administrative work as well as more work for those who are chosen to be on the risk committee,” said Brosius.

“They may be doing it informally now, but making it formal creates the illusion, if nothing else, of additional work.”

And it is crucial that the members understand the importance of the risk committee to the rest of their work.

“If they don’t see enterprise risk management and their role in it as integral to them achieving their area’s goals, then there is going to be a lot of apathy in the committee,” said Phelps.

As companies increasingly move toward an enterprisewide approach to risk management, risk committees will become an increasingly important tool, but Phelps said it is important to remember that it is just that — a tool.

“An enterprise risk management committee is no good without a solid enterprise risk management program,” he said.

To download a copy of the report, visit

Jon McGoran is a magazine editor based outside of Philadelphia. He can be reached at [email protected].
