Companies today face increasingly complex risks, especially in relation to the gradual loss of market share to competitors and the impact of new technology. The board is ultimately responsible for assessing and managing these and other risks; but how it structures itself to discharge this responsibility varies.

Audit risk committees

The most common approach is to allocate risk governance to the audit committee, often renamed the audit and risk committee. In 2016, KPMG studied the disclosures of 100 listed companies in Singapore and found that 75 per cent had taken this course.

However, almost without exception, the audit committee’s agenda is already crowded. Besides the heavy duty of reviewing the financial statements, it provides oversight on internal controls, fraud, whistle-blowing and other aspects of financial risks. A separate KPMG study found that 50 per cent of the members of audit committees of Singapore-based companies find it increasingly difficult to properly oversee the major risks of their companies.

In practice, where the audit committee is also charged with risk oversight, the risk agenda items often get covered only briefly. They may even be deferred because of time constraints. In addition, the committee’s focus is usually on past financial performance and financial risks, an orientation that does not sit well with the need to not only manage current risks but also be more forward-looking, and to anticipate the broader range of new and potential risks the company could face.

Board risk committees

Establishing a separate board risk committee (BRC) can alleviate some of this pressure. An effective BRC provides a structure that focuses in more detail on the risk management framework and all the key risks, beyond financial risks notwithstanding its significance.

Whether the board needs to form a separate BRC depends on several factors: 

• Regulatory environment. Does the company operate in a highly regulated industry, such as banking or insurance, where a BRC is mandated?
• Industry risk profile. Or does it operate in a complex or fast-moving environment, such as information technology, where more specific skills and experience may be required to understand the changing risks in the industry?
  
• Structural complexity. Does the company’s structure or diversity of its operations make it more difficult to obtain a holistic view of the risks? For example, are there geographical or diversified industry risks that can be properly assessed only with more time and experience?
  
• What is the size of the company? Typically, larger companies appoint BRCs due to their complex structure and operations. However, smaller companies that are looking to grow should also consider a BRC as the growth phase is arguably the most critical stage in balancing risk and opportunity for expansion and long-term success.
  

For companies with significant and complex risks, it is not unusual to have specialised risk committees in addition to the BRC. For example, companies in the shipyard, medical and construction industries often have Safety and Health Committees, whilst IT-dependent companies may form IT Governance Committees.

BRC guidance

Once the decision to form a BRC has been made, it is important that it is structured to function effectively and vested with appropriate authority. 

Leading industry practice holds that an independent and objective BRC is able to constructively challenge existing risk management and internal control systems. For that reason, the BRC should comprise at least three directors, the majority being non-executive directors including the BRC chairman, and at least independent director.

To help the BRC fulfill its duties, members should have relevant skills, experience, and company and industry knowledge, as well as diverse perspectives. Members are also encouraged to attend development courses to keep abreast of new developments in risk governance, risk management and the different emerging risk areas to which the company is exposed. Where needed, subject matter specialists should be engaged to assist the BRC in complex issues such as cyber security.

As with the other board committees, the BRC needs clearly documented terms of reference that detail its oversight responsibilities, and how these are to be discharged. An important term deals with the tenure and renewal of BRC members: this is critical to ensure the BRC is refreshed and renewed on a regular basis.

The board should adopt a common risk management framework that articulates the roles of the audit committee and the BRC. This sets the tone and direction for the way risks are managed.

It is important to establish the communication protocols for the audit committee, the BRC and any other board committees charged with overseeing different aspects of risk. These ensure completeness and consistency, and minimise the duplication of effort and any overlap of responsibilities.

The way forward for BRCs 

A strong BRC spots warning signs. It knows the right questions to ask, and is able to fully evaluate risks. In this way, it provides invaluable support to the board and the audit committee by optimising decision-making around risks. 

The thing is, while the Code of Corporate Governance encourages the formation of a BRC, it says little else. As a result, over time, different practices have evolved. For that reason, the BRC Guide, which will be launched by the SID at the end of the month, is an important milestone for exploring the different approaches and best practice guidelines on the board’s duties in risk management. 

The article is contributed by Irving Low, Head of Risk Consulting at KPMG in Singapore. The views expressed is his own.