By Elisabeth A. Wilson
“Why does the board necessarily have to approve the new risk committee?” a colleague leaned back in his chair and asked.
It is a fair point. The new committee in question is more of a sub-committee, far down the pecking order and designed to inform and re-inform a hierarchy of other committees far in advance of the board risk committee and the ultimate target of the full board. But that was the point—the full board was the definitive reporting goal.
And the response?
“Because we as a company need to be able to demonstrate to external regulators that the board maintains full and appropriate purview over risk management. The board’s acknowledgement and approval of the proposed committee will demonstrate that governance.”
The dawn of a new committee
The risk committee under discussion was actually a restructure and repurposing of an existing committee—separating components of risk, technology and operations, into two distinct governance bodies. The decision was made after much initial pondering across myriad departments and in conjunction with various stakeholders around the general effectiveness and purpose of the original committee. Additional committee levels were suggested, as was completely switching up membership to executives only in order to give the committee greater power, or potentially disbanding the committee altogether. Finally, at the recommendation of one executive, it was determined that oversight of both technology and operational risk under one body was too cumbersome and left insubstantial time to fully address both topics. So two committees were born.
Parsing out the technology and operational risk components of each committee started with marathon whiteboarding sessions. Labor-intensive, complex Venn diagrams in cramped writing that were then photographed on iPhones, taken back to desks, and zoomed in on with beady, weary eyes in order to translate the information into some semblance of order in a spreadsheet. Since each new committee would be fully dedicated to its subject for the first time, suddenly there was a sense of possibility. What if these themes were included as standard committee topics? What if periodic updates were requested from these business unit and program leaders? What if current reporting was expanded to include these metrics?
Point people were established to usher in these changes—one for technology risk and one for operational risk. Together, these colleagues began growing each new committee’s agenda and reporting expectations—and casting a broader and more comprehensive net of risk oversight as a result. The ultimate audience was always kept top of mind—the new committee members and the tiered governance bodies leading up to the board. Cementing this would drive truly holistic and strategic management of risk, both vertically and horizontally across the organization. The key questions being asked were: What information, topics and report-outs would ultimately benefit each level, all the way to the top?
And you get to be a committee member. And you … and you …
Feedback during this initial phase of committee restructure was essential. Polling existing committee members to gain their views on what worked well and what could be improved helped identify trends that could be addressed via the new committee methodology. It also helped target the essential talent required to optimize committee oversight. Some stakeholders felt their continued engagement was unnecessary; others (sometimes somewhat unhelpfully) wanted to stay on and continue to contribute. And new committee members were proposed and approached to gain their buy-in and partnership.
The outcome was establishing that sweet spot of stakeholder engagement at the right level of leadership across the organization. Since these two committees were farther down the governance hierarchy, business unit leaders and key subject matter experts across both technology and operational functions were pinpointed. The restructure also ushered in the perfect time to reset expectations around committee participation. Where remote requirements during the COVID-19 pandemic inadvertently allowed for a broad swath of teammates to dial in and multi-task through committee meetings, it was determined that the new committee structures would allow for a certain level of exclusivity. The aim was to have the right people in the room to ensure conversations were efficient, succinct—and ultimately valuable. These business leaders, serving in their capacity as committee members, would be empowered to influence and direct risk strategy and remediation, escalating recommendations to higher governance bodies as appropriate. Almost more importantly, they would be expected to disseminate risk decisions and related policy to their individual organizations as appropriate, driving both adherence and a united message around risk practices across the company.
Chart(er) a new path
Once committee purview, standard meeting topics and membership were established, it was time to parse out the existing committee charter into two. Careful consideration was given to other committee charters utilized across the organization to ensure alignment and consistency across all bodies, whether they were credit, asset and liability or compliance-focused. This was a decided advantage as leveraging previous documents as a template ensured both new technology and operational risk committee charters practically wrote themselves. Expectations around meeting structures, cadence and frequency, agenda development, chair assignment, attendance, minutes, et al. are de rigueur and once documented, can easily be documented again.
Luckily, this allowed more time to focus on crafting the right level of requirements around committee intent and effectiveness in the new charters. Ensuring both committees had teeth was essential. Risk—established or emerging—rarely evinces itself in neat, tidy silos. Risk events or issues tend to messily seep out, impacting multiple lines of business and requiring cohesive partnership to execute remediation strategies. Both charters were therefore constructed to explicitly empower the committees to drive assignment of risk ownership, requirements around subsequent remediation timeframes, and periodic reporting updates to the committee and other leadership. Rather than allowing for potentially endless negotiations and recommitments across various lines of business, the committees would appoint one teammate to man the helm of a specific risk event—to drive efficient and timely management of risk.
Documenting risk escalation methodologies for each committee to adhere to was an essential facet of each charter as well. While each committee was authorized by its charter to direct certain risk decisions, everyone (except perhaps the board) at some point faces a situation that falls above their paygrade. It was crucial to build a path for each committee to follow in the event it was more appropriate to make a recommendation around risk and related acceptance or remediation—one that a higher governance body would ultimately steer and approve.
Crucial buy-in
Once the committees' design, roster, and charters were formalized, it was time to develop a comprehensive slide deck outlining the committee structure for presentation to the proposed executive sponsors for their feedback and concurrence. Their agreement on committee purpose and membership (in addition to their additional recommendations) was the final finishing flourish.
Having secured their approval, the next crucial round of socialization began: Reaching out to and wooing newly identified committee members (since designation as an essential committee member—and the subsequent time commitment—is not always eagerly appreciated by everyone). Gently disengaging previous committee members whose roles now better served other areas of the organization and thanking them for their service. Identifying crucial teammates to act as liaisons between both committees to help identify risks potentially overlapping between technology and operational risk stripes. Re-establishing expectations and commitment for existing committee members transitioning to new committee structures and needs. This communication perhaps required the most skill, blood, sweat, and tears of the entire committee restructuring effort, in terms of engagement and diplomacy alone. But white glove treatment pays off in locking in committed, enthusiastic committee members who understand they are vested with the authority and responsibility to safeguard the broader organization from risk in order to balance it appropriately against opportunity.
To the board and beyond
Finally, the day dawned when both proposed committees, designed to support fluent discussion around risk management at the lower echelons of the organization, were submitted to the board to ensure its full understanding and acknowledgement. Committee discussions and related reporting, so many levels away, would ultimately drive a synchronized view of risk across the organization and influence the ultimate strategic decisions made by the full board. The moral of the story is that no person in an organization, no role, no committee is too small to drive appropriate risk adherence and governance. And no board is too big to acknowledge and internalize it.
Elisabeth A. Wilson, senior risk advisory officer, supports the operational risk function and leads the environmental, social, and governance risk program at Atlantic Union Bank, a $24 billion regional bank based in Richmond, Virginia. All views expressed in this article are those of the author and do not represent the opinions of any entity.