Risky Business: Is It Time for a Separate Risk Committee?

April 1, 2016 (Originally Published March 18, 2016)

Oversight of a company’s enterprise risks has recently evolved into one of the board’s most critical fiduciary duties and responsibilities. Since enterprise risks do not remain static and are often interrelated and complex, it is imperative that boards maintain continuous risk oversight. Risks relating to cybersecurity, regulations and corporate reputation, for example, now, more than ever, necessitate effective board oversight.[1] A 2015 study revealed that nearly 60 percent of surveyed companies believe they are facing a greater volume and complexity of risks than they were five years ago, and less than half have boards that “extensively” or “mostly” include top risk exposures when discussing the company’s strategic plan.[2] In response to this evolving and complex risk environment, corporate boards are increasingly considering whether it is in the best interests of the board, the company and its shareholders to establish a separate risk committee.

This article (1) provides general information concerning a board’s fiduciary duty to provide risk oversight, (2) summarizes the current risk oversight policies and positions of several large asset managers and pension funds, a leading proxy advisory firm and certain corporate governance advocates, to provide insight into the expectations of these parties with respect to board risk oversight duties and responsibilities and (3) presents practical considerations for boards to help facilitate discussion on whether they should establish a separate risk committee.

Risk Oversight and Corporate Governance

Current legal and regulatory frameworks impose on boards a general duty to provide risk oversight and related disclosure.[3] Former commissioner of the U.S. Securities and Exchange Commission Luis Aguilar recently commented that a robust corporate governance framework is exemplified by effective risk oversight.[4] Common practice among U.S. public company boards is to delegate the majority of this oversight duty to their audit committees, with oversight of certain specific risks assigned to other standing board committees (e.g., compensation risk oversight being the responsibility of the compensation committee). The full board, however, is ultimately responsible for a company’s risk oversight.

In 2015, 12 percent of S&P 500 company boards had a separate risk committee (up from 9 percent in 2014 and 4 percent in 2010).[5]

Although still uncommon outside of the financial services sector, some boards are addressing both the importance of providing robust risk oversight and the heavy workload of their audit committees by establishing separate risk committees to which audit committees (and other board committees, as the case may be) delegate certain of their enterprise risk oversight responsibilities. In addition to certain financial institutions being required by the Dodd-Frank Act to have a separate risk committee, various institutional investors and corporate governance advocates, as further discussed below, are also encouraging boards to establish a separate risk committee.[6]

Arguments For and Against

Arguments for and against creating a separate board risk committee include the following:

Arguments for:

  • Enterprise risks are too numerous and complex and require a separate board committee to provide adequate oversight
  • Allows a board committee to focus solely on enterprise risks and, if necessary, coordinate risk oversight with other board committees
  • Provides greater support to officers who are responsible for risk management processes
  • Facilitates a continuous review of enterprise risks
  • Focuses the board on nominating directors with risk expertise
  • Many audit committees no longer have the time, expertise or resources necessary to provide oversight of all enterprise risks
  • Demonstrates to shareholders and other stakeholders that the board is committed to overseeing risks
  • Is viewed by certain institutional investors and corporate governance advocates as an emerging best practice[7]

Arguments against:

  • Is unnecessary, as current board committees (e.g., audit, compensation and governance) already provide sufficient/expert risk oversight
  • Another standing board committee will consume valuable board resources, increase organizational costs and dilute the board’s focus
  • Certain industry-specific enterprise risks are so significant and complex that they require separate board oversight committees (e.g., IT committee, environmental committee, health and safety committee, finance committee)
  • Creates risk oversight inefficiencies and confusion (e.g., potentially duplicating committee oversight responsibilities)
  • Certain risks (e.g., relating to cybersecurity and corporate strategy) are more appropriately overseen by the entire board, not just a committee

Current Policies and Positions of Certain Institutional Investors, a Proxy Advisory Firm and Corporate Governance Advocates As They Relate to Risk Oversight

There is no one-size-fits-all approach to corporate governance and enterprise risk oversight. The unique characteristics of the company, the complexity of the industry in which it operates (e.g., with respect to regulatory, financial, credit and commodity risks), the needs of company stakeholders and the adoption of corporate governance policies the company and its board feel are essential in generating long-term shareholder value often dictate, in part, whether a board establishes a separate risk committee or delegates risk oversight duties and responsibilities among existing board committees. As boards evaluate whether to establish a separate risk committee, it may be helpful to understand the current risk oversight policies and positions of several large institutional investors, a leading proxy advisory firm and certain corporate governance advocates, as this understanding provides insight into the general expectations of these parties with respect to corresponding duties and responsibilities. A select summary of those policies and positions is provided below.

Institutional Investors — Asset Managers:

BlackRock Inc.:

State Street Global Advisors (SSgA):

Allianz Global Investors:

Institutional Investors — Pension Funds:

California Public Employees’ Retirement System (CalPERS):

California State Teachers’ Retirement System (CalSTRS):

Florida State Board of Administration (Florida SBA):

A Leading Proxy Advisory Firm

Glass Lewis & Co. LLC:

Certain Corporate Governance Advocates

Council of Institutional Investors (CII) (advocating on behalf of shareholders):

The Business Roundtable (BRT) (advocating on behalf of management):

Considerations for Boards of Directors

To facilitate discussion among board members as to whether establishing a separate risk committee will contribute to more effective corporate governance and is in the best interests of the company, directors may consider the following:

  1. See Risk Sensing: The (Evolving) State of the Art, Deloitte (2015) (providing survey results of certain executives representing major industries, which revealed the three risk areas having the greatest impact on their companies’ business strategy:

    In 2013:
    1. reputation
    2. business model
    3. economic trends/competition (tie)

    In 2015
    1. regulatory
    2. reputation
    3. pace of innovation

    Predicted for 2018
    1. pace of innovation/regulatory (tie)
    2. talent
    3. reputation).

    See also Conduct Risk Report 2015/2016, Thomson Reuters (2016) (revealing that conduct risk, which focuses on the corporate culture and ethical behavior of employees and managers, is receiving significant board attention, as 52 percent of surveyed global financial services firms reported an increase in board-level focus on this risk over the past 12 months and 63 percent expect the cost of time and resources devoted to conduct risk issues to increase in the next year).
  2. 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities, Mark Beasley, Bruce Branson and Bonnie Hancock (February 2015).
  3. See, for example, Securities and Exchange Commission Regulation S-K, Item 407(h), mandating that reporting companies, in certain periodic reports, disclose the extent of the board’s role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. In addition, see the listing requirement set forth in New York Stock Exchange Section 303A.07(b)(iii)(D), requiring every audit committee to have a written charter that addresses its duties and responsibilities which, at a minimum, must include (among other items) a discussion of policies with respect to risk assessment and risk management. Commentary to this listing requirement states:
    While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.
  4. The Important Work of Boards of Directors, 12th Annual Boardroom Summit and Peer Exchange, SEC Commissioner Luis A. Aguilar (Oct. 14, 2015).
  5. 2015 Spencer Stuart Board Index, Spencer Stuart (November 2015). This increase may also be attributed, in part, to Section 165(h) of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which requires certain financial institutions to have such committee. Financial sector companies comprise approximately 18 percent of the S&P 500 index. S&P 500 Financials, S&P Dow Jones Indices, McGraw Hill Financial (Feb. 29, 2016). See footnote 6 below for further discussion regarding Section 165(h) of the Dodd-Frank Act.
  6. The Dodd-Frank Act requires a separate risk committee for (1) nonbank financial companies supervised by the Board of Governors of the Federal Reserve System that are publicly traded companies and (2) certain bank holding companies that are publicly traded and have total consolidated assets of not less than $10 billion. The Board of Governors may require a publicly traded company with total consolidated assets of less than $10 billion to establish a risk committee to promote sound risk management practices. Under the Dodd-Frank Act, a risk committee shall (a) be responsible for the oversight of the enterprisewide risk management practices of the nonbank financial company supervised by the Board of Governors or bank holding company, (b) include such number of independent directors as the Board of Governors may determine appropriate, based on the nature of operations, size of assets and other appropriate criteria related to the nonbank financial company supervised by the Board of Governors or a bank holding company and (c) include at least one risk management expert having experience in identifying, assessing and managing risk exposures of large, complex firms. Dodd-Frank Act, Section 165(h).
  7. See discussion under “Current Policies and Positions of Certain Institutional Investors, a Proxy Advisory Firm and Corporate Governance Advocates As They Relate to Risk Oversight” herein. Further, note that certain activist investors are submitting shareholder proposals on this issue. For example, in 2015, the Construction Laborers Pension Trust Fund for Southern California submitted a shareholder proposal to Chesapeake Energy Corp. requesting that Chesapeake establish a risk oversight committee of the board, arguing, in part, that the SEC supports such proposal (“[The SEC notes] that there is widespread recognition that the board’s role in the oversight of a company’s management of risk is a significant policy matter regarding the governance of the corporation. In light of this recognition, a [shareholder] proposal that focuses on the board’s role in the oversight of a company’s management of risk may transcend the day-to-day business matters of a company and raise policy issues so significant that it would be appropriate for a shareholder vote.”). Division of Corporation Finance, SEC, Staff Legal Bulletin No. 14E (Oct. 27, 2009). Said proposal received 3 percent shareholder support (based on votes “for” and “against”) at Chesapeake’s May 22, 2015, annual meeting of shareholders.
  8. Proxy Voting Guidelines for U.S. Securities, BlackRock (February 2015).
  9. Proxy Voting and Engagement Guidelines — United States, SSgA (March 2015).
  10. Corporate Governance Guidelines and Proxy Voting Policy, Allianz (2015).
  11. Global Governance Principles, CalPERS (March 16, 2015).
  12. Corporate Governance Principles, CalSTRS (April 3, 2015).
  13. 2015 Corporate Governance & Proxy Voting Guidelines, Florida SBA (2015).
  14. Proxy Paper Guidelines 2016 Proxy Season: An Overview of the Glass Lewis Approach to Proxy Advice (United States), Glass Lewis (November 2015). Notably, our research revealed that Institutional Shareholder Services Inc., another leading proxy advisory firm, does not publicly disclose a formal position that specifically addresses the establishment of a standing risk committee.
  15. Corporate Governance Policies, CII (April 1, 2015).
  16. Letter to the SEC in response to the SEC’s Concept Release on Possible Revisions to Audit Committee Disclosures, BRT (Sept. 8, 2015).
  17. Governing for the Long Term: Looking Down the Road with an Eye on the Rear-View Mirror, PwC’s 2015 Annual Corporate Directors Survey, PricewaterhouseCoopers LLP (2015).
  18. Id.
  19. Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the Boardroom and C-Suite, North Carolina State University’s Enterprise Risk Management Initiative and Protiviti (February 2015).

This article was published by Law360 on April 1, 2016 and is republished with permission.