Setting up a risk committee is crucial, but how does a large group from across a company decide when to meet, who should be there, and what they should discuss? We have crowd-sourced terms of reference from risk professionals across our network and collated these to produce a “better practice” template.
While terms of reference for board committees are publicly available in board reports, terms of reference for risk committees or councils (at a management level) are not so readily available.
However, before being able to test and measure resilience, companies need to decide what the terminology means to them.
For many heads of risk, deciding what constitutes “best practice” for these terms of reference can be a challenge (which forms part of a greater challenge concerning organisational governance).
With little benchmarking material available in the public domain, we recently asked members for the terms of reference documents they use to outline risk committee rules and procedures at their organisations (this can fall within an organisation’s resilience framework).
Keen to support each other and learn more by benchmarking against peers, members submitted documents that we have anonymised and made available to the whole network.
Taking things one step further, we’ve consolidated this input from practising risk managers and created a master template for risk committee terms of reference. As part of this project, we identified eight key areas that a terms of reference document should cover.
Several common threads emerged. In addition to the three notable ones we included in our previous insight on this topic (People, Purpose and Parameters), we have added two more Ps based on further discussions between risk leaders around the challenge of standing up a board risk committee.
Be clear about what the committee has been set up to do – what are the duties and responsibilities of the committee as a collective and of its individual members? Our members tend to split this element into sections: for example, what are the responsibilities in relation to risk culture? Or, what are the committee responsibilities in terms of risk review?
Outlining the full scope of your committee – in terms of business functions, as well as region or geography – will ensure full understanding of who should attend meetings and what will be expected of them.
Similarly, outlining how the committee will work also helps attendees prepare to participate in discussions effectively. For example, establish how and when minutes or agendas will be distributed.
Related to the above aspect of parameters, there are several planning considerations that should be reflected in a board risk committee terms of reference or “charter” – one example, as shared by members, is to align your risk management calendar (and the overall business planning calendar) with upcoming board risk committee meetings.
According to one risk leader, their terms of reference specified that meetings of the risk committee should be scheduled at least 15 days before the full board meeting. Furthermore, the risk team at this organisation ensure that they complete quarterly reporting activities at least a month before the risk committee meets, so that they have adequate time to prepare.
It’s important to specify who should attend these meetings and what roles and responsibilities they have in their day-to-day jobs. Several members also aspire to delegate substitutes within their terms of reference, should a member be unable to attend a meeting.
Specifying job titles rather than employee names will make your committee terms of reference more evergreen – a document listing “Julia from accounting” may not quite stand the test of time!
The committee should be led by a chairperson, and you may also want to appoint a secretary to create and distribute the minutes and agendas for each meeting.
When setting up a calendar of meetings for the risk committee to attend throughout the year, it can also be helpful to form a general outline of topics that the committee will discuss. This may not be formally documented in a terms of reference document, but will help the committee to prioritise what is most important.
On the point of priorities and setting expectations, committee members’ assumptions need to be kept in line with what management can reasonably deliver by way of detail – this means, for instance, setting a standard for the length and depth of risk reporting during meetings of the board risk committee.
Our terms of reference master template, which breaks down the terms of reference document into eight key areas, has been reshared among our network members and, like our other content, is iterative: we will continue to update it as we receive additional information and new insights from members.
Our members often provide us with examples of documents, policies and templates, which we then collate and anonymise to reshare within our network – including our Key Risk Indicators Library; Key Performance Indicators Library; Business Requirements Template; and our Insurance Renewals Questions Collection, plus more.