“We are looking to review the risk information presented to our Board and would be interested to see examples from other companies of the format of reporting and depth of coverage given to risk management within Board meetings.”
We have a Group Risk Manager who meets with the key business risk owners across the Group every 6 months to review their risks and assess the likelihood and impact. These meetings also identify the key controls for each risk and the control owner. Annually the Group Risk Manager asks the control owners to evaluate the effectiveness of their controls and this is reported to the Audit Committee.
The Group Risk Manager records all risks in a risk register and reports this to the respective divisional MDs for their prioritisation and action within their teams.
The top divisional risks are discussed monthly with the Chief Executive and from this a schedule of the Group’s main corporate risks is reported to the Audit Committee at each of their scheduled meetings for review and discussion. The Audit Committee in turn provide a verbal update to the Board of any major changes or issues. Annually, the main risks are submitted to the Board for consideration and review of the effectiveness of key controls in the business.
Happy to talk this through further if it would help.
We have a process whereby we grade the severity/likelihood of the risk materialising with no controls, with existing controls and with our desired controls (ie, original/current/future states). The board then focuses on the tasks needed to move from the current to future states of the control environment and reviews whether we are on track (in connection with our major (top 10/20) risks).
The bigger question is whether the risk register captures the right issues with the “right” ranking. We haven’t found an easy way for the board to do this – workshop-style sessions are not popular as some directors worry about potentially showing their lack of in-depth knowledge, but simply presenting management’s list is not sufficiently engaging for the directors. There is definitely a holy grail here – has anyone found it?
The Risk Committee produces a short report of its activities for each Board meeting which is tabled for information. The Board itself is responsible for reviewing annually the effectiveness of the system of internal controls.
Just over a year ago we established a Risk Coordination Committee. This has produced a register of risks and ranked them in terms of impact on both an unmitigated and mitigated basis. This register is presented to the Audit Committee to allow discussions on risk management. Specific issues can also be raised with the Audit Committee by the Risk Coordination Committee chairman and the Head of Group Compliance, who meets with the Audit Committee members with no one else present at each Audit Committee meeting. The result is reported to the Board through the Audit Committee chairman’s report and circulation of the Audit Committee minutes. If the Audit Committee has any specific concerns which it considers should be considered by the Board, a specific paper would be produced and discussed at the next Board Meeting.