Dodd-Frank has pushed forward the agenda for the increasingly important role of risk committees
An emerging trend at public companies and some private firms is the formation of stand-alone risk committees. Most of these are in the financial services and insurance industries, but an increasing number of public companies in other industries have been following suit. In addition, the recently enacted Dodd-Frank Wall Street Reform and Consumer Protection Act requires banks with greater than $10 billion in consolidated assets, as well as certain non-bank financial companies, to establish stand-alone risk committees.
Legal framework
One of the duties of the board of directors of a Delaware corporation, as found in the Caremark International Inc Derivative Litigation (698 A.2d 959 (Del Ch 1996)), is to provide oversight of the company’s risk management. Additional risk oversight and related disclosure obligations arise under the federal securities laws and applicable stock exchange listing standards.
The Delaware courts have held that the board’s fiduciary duties include a duty to attempt in good faith to oversee and monitor the operation of the company’s reporting or information systems designed to identify risks, including violations of laws or regulations.
The SEC has long required public companies to disclose the most significant risks relating to the ownership of the company’s securities and provide a qualitative and quantitative analysis of exposures to market risk. Additional risk management responsibilities were imposed on boards of directors in the Sarbanes-Oxley Act 2002, relating to the establishment and monitoring of policies and procedures for the preparation of the company’s financial statements and SEC reports.
The SEC recently added a number of required proxy disclosures that touch upon risk. First, under Reg S-K Item 402(s), disclosure of the company’s compensation policies and practices as they relate to risk is required to the extent that risks arising from these policies are reasonably likely to have a material adverse effect on the company. Many firms disclose risk-related compensation policies even where those policies would not be likely to result in a material adverse effect; this practice is supported by the likes of RiskMetrics Group. Second, most public companies are required to disclose the extent of the board’s role in risk oversight, such as how the board administers that oversight function and the effect it has on the board’s leadership structure.
Public companies will likely see more frequent shareholder action pertaining to risk management in the future. Until recently, a company could exclude shareholder proposals relating to the subject of risk on the basis that risk management is an ordinary business matter. In late 2009 the SEC released Staff Legal Bulletin No 14E, clarifying that it may not routinely grant exclusions for shareholder proposals relating to risk if the proposal raises significant policy issues and there is a sufficient nexus between the nature of the proposal and the nature of the company.
The NYSE corporate governance rules require audit committees of listed companies to perform certain risk oversight duties. NASDAQ requires listed companies to form an audit committee with an audit committee charter, but the NASDAQ rules do not specifically require risk oversight to be a duty of the audit committee enunciated in that charter. At the NYSE, a listed company’s audit committee is required to discuss policies with respect to risk assessment and risk management. These rules do not preclude the formation of a separate risk committee as long as its oversight process is reviewed by the audit committee and the audit committee continues to perform the duties required by the NYSE rules.
The Dodd-Frank Act created the first US statutory requirement to form a risk committee responsible for oversight of the enterprise-wide risk management practices of the company. It must also have at least one risk management expert with experience of identifying, assessing and managing risk exposures in large, complex firms. Furthermore, the board of the Federal Reserve System is directed to enact independence requirements for the members of the risk committee.
At least two other bills that would impose even stricter risk management requirements upon boards, the Shareholder Bill of Rights Act and the Shareholder Empowerment Act, have been introduced in Congress; one of them would require all public companies to establish a risk committee composed entirely of independent directors.
The role of risk committees
As noted above, it is the responsibility of the board of directors to provide oversight of the company’s risk management systems. A risk committee would not supplant this oversight role; rather, the creation of a risk committee is a means of assisting the board in exercising those duties.
Even where a separate risk committee is not mandated by the Dodd-Frank Act or by other laws or listing standards that may be adopted in the future, the board may decide to form one based on several considerations, including the level of overall operational risk and the complexity of managing it, the company’s growth strategy, its appetite for risk and ability to tolerate losses, and whether the company is seeking to improve its credit rating.
If the board determines to establish a separate risk committee, one of the key considerations for counsel establishing the committee structure and charter will be ensuring that the risk committee functions properly within the context of the rest of the board and management, and that there is no significant overlap of duties between the risk committee and the other board committees. There are various issues to take into consideration when forming a risk committee:
- While the charter of a new risk committee is being drafted, the company may wish to consider also amending the charters of the audit committee and compensation committee.
- The risk committee should have one member who is also on the audit committee, and possibly one member who is also on the compensation committee. Having common members can help the committees as a whole to recognize areas of overlap, formulate plans and policies from a wider perspective, and prevent duplication of duties between committees.
- While the members of the risk committee ideally would be independent, it is important to have mechanisms to ensure open communication with both the board of directors and the company’s chief risk officer or other officers in charge of risk management. The committee may wish to have executive sessions with risk management employees, in much the same way as the audit committee would have executive sessions with the company’s independent outside auditors.
- When recruiting director nominees and committee members, the company may wish to take risk management experience into account.
- If the company is listed on the NYSE, the audit committee is still required to discuss policies with respect to risk assessment and risk management, but the risk committee could be used to assist the audit committee in performing these duties.
Given the increased focus on risk in many public companies, and the likelihood this trend will continue, directors and their counsel should consider the need to establish a stand-alone risk committee. If they decide one may be beneficial, its structure, role and activities should be carefully considered, in view of the legal framework for risk oversight by the board and the potentially overlapping responsibilities of the audit and compensation committees, to maximize its effectiveness.