Risk Committees And Enterprise Risk Oversight
Risk Committee Responsibilities
1. Concept and Role
A Risk Committee is a board-level (or senior management-level) body responsible for overseeing the identification, assessment, monitoring, and management of risks faced by an organization. Its responsibilities are central to corporate governance, fiduciary duties, and regulatory compliance.
2. Core Responsibilities of a Risk Committee
(a) Oversight of Risk Appetite and Strategy
- Recommend and periodically review the Risk Appetite Framework (RAF)
- Ensure risk-taking aligns with business strategy
- Monitor adherence to risk limits
(b) Enterprise Risk Management (ERM) Supervision
- Oversee implementation of ERM systems
- Review risk registers, heat maps, and dashboards
- Ensure integration across departments
(c) Identification of Key and Emerging Risks
- Monitor strategic, financial, operational, legal, and reputational risks
- Pay special attention to:
  - Cybersecurity risks
  - ESG risks
  - Regulatory developments
(d) Monitoring Risk Controls and Internal Systems
- Evaluate adequacy of internal controls
- Coordinate with internal audit and compliance teams
- Ensure proper mitigation frameworks exist
(e) Oversight of Compliance and Regulatory Risks
- Ensure adherence to laws and regulations
- Monitor compliance failures and enforcement risks
(f) Crisis Management and Stress Testing
- Review stress-testing results
- Oversee contingency and business continuity plans
(g) Reporting and Escalation
- Provide periodic risk reports to the board
- Escalate significant or emerging risks promptly
(h) Interaction with Key Officers
- Engage with:
  - Chief Risk Officer (CRO)
  - Chief Compliance Officer (CCO)
  - Internal auditors
3. Expanded Functional Responsibilities
(i) Policy Approval
- Approve risk management policies and frameworks
(ii) Challenge Function
- Critically question management’s assumptions and risk-taking decisions
(iii) Culture and Tone
- Promote a strong risk culture within the organization
(iv) Data and Technology Oversight
- Ensure use of appropriate risk analytics tools
4. Key Case Laws on Risk Committee Responsibilities
(1) Caremark International Inc. Derivative Litigation (1996)
- Directors failed to implement monitoring systems.
- Principle: Boards must ensure systems exist for risk oversight—risk committees operationalize this duty.
(2) Stone v. Ritter (2006)
- Established liability for failure of oversight.
- Principle: Risk committees must ensure effective reporting and monitoring mechanisms.
(3) Marchand v. Barnhill (2019)
- Board failed to oversee food safety risks.
- Principle: Committees must actively monitor mission-critical risks.
(4) In re Boeing Company Derivative Litigation (2021)
- Failure to monitor aircraft safety risks.
- Court criticized absence of structured oversight.
- Principle: Risk committees must ensure continuous monitoring of core operational risks.
(5) In re Citigroup Inc. Shareholder Derivative Litigation (2009)
- Addressed financial crisis-related oversight.
- Principle: Poor business outcomes ≠ liability unless there is governance failure.
(6) ASIC v. Cassimatis (Storm Financial) (2016)
- Directors liable for exposing company to harmful risks.
- Principle: Risk oversight must align with legal and ethical obligations.
(7) APRA v. IOOF Holdings Ltd (2019)
- Failures in governance and risk management.
- Principle: Committees must monitor compliance and conflicts of interest.
5. Doctrinal Principles Emerging from Case Law
(i) Duty of Oversight (Caremark Doctrine)
- Boards and committees must actively monitor risks
(ii) Good Faith and Active Engagement
- Passive oversight is insufficient
(iii) Mission-Critical Risk Focus
- Heightened responsibility for core operational risks
(iv) Documentation and Reporting
- Proper records demonstrate fulfillment of duties
6. Relationship with Other Governance Bodies

| Body | Responsibility |
|---|---|
| Board of Directors | Overall governance |
| Risk Committee | Risk oversight and monitoring |
| Audit Committee | Financial controls and reporting |
| Management | Risk execution and implementation |
7. Regulatory Expectations
Regulators expect risk committees to:
- Be independent and competent
- Meet regularly
- Maintain documented processes
- Ensure transparency in risk reporting
8. Practical Challenges
- Information overload vs meaningful insights
- Overlap with audit committee
- Rapid emergence of new risks
- Ensuring independence from management influence
9. Best Practices
- Clearly defined responsibilities in charter
- Regular and structured meetings
- Use of risk metrics and KPIs
- Direct access to independent information
- Continuous training of members
- Integration with strategic decision-making
10. Analytical Perspective
Risk Committees have evolved from:
- Advisory bodies → Core governance institutions
Modern courts evaluate:
- Whether committees were active, informed, and responsive
- Whether they acted on red flags
11. Conclusion
Risk Committee Responsibilities are central to:
- Corporate governance
- Risk mitigation
- Legal compliance
The case law consistently establishes that liability does not arise from taking risks, but from failing to oversee, monitor, and respond to them effectively.