Risk Committee Resource Guide
For related information and guidance, visit the Deloitte Centre for
Corporate Governance website at:
[Link]
Contents
Introduction: Risk committees become reality
Contacts
Introduction
Risk committees become reality
This guide aims to assist board members of companies in designing, developing, and operating a board-level risk committee. In terms of the King Report on Governance for South Africa, 2009 (King III), it is recommended that the board should assign oversight of the company’s risk management function to an appropriate board committee (for example a risk committee or the audit committee). This is in line with international developments; for example, in the United States the Dodd-Frank Act [1] requires such committees for certain bank holding companies.

Deloitte developed this guide in response to growing interest in board-level risk committees. While many companies already have a risk committee (or, in many instances, a combined audit and risk committee), quite a few do not. Also, companies that do have risk committees may benefit from revisiting their risk committee charters and activities. In doing so, the board can ascertain that the risk committee has the composition, reporting relationships, and responsibilities that best suit the enterprise.

This resource guide first presents considerations for a board contemplating the formation of a risk committee (Section 1). It then covers topics that a risk committee charter might include, as well as guidance on developing and using the charter (Section 2). Next, the guide provides suggestions on how a risk committee may go about fulfilling its chief responsibilities (Section 3), an overview of the Risk Intelligent approach to risk management (Section 4), and guidance on how the committee can educate and evaluate itself (Section 5). Most sections include example questions to ask when developing a risk committee.

While risk management is not a new concept, many companies are refreshing their thinking with regard to risk governance and oversight as disciplines for many board members. We trust that this guide will help improve board members’ and senior executives’ knowledge of risk committees and of risk governance and oversight. We encourage interested readers to make use of the tools and resources mentioned and included in the appendix of this guide.

[1] The Dodd-Frank Wall Street Reform and Consumer Protection Act is a federal statute in the United States signed into law by President Barack Obama on July 21, 2010. It promotes the financial stability of the United States by improving accountability and transparency in the financial system, ending “too big to fail,” protecting the American taxpayer by ending bailouts, protecting consumers from abusive financial services practices, and other purposes.
[Figure: Risk Intelligent governance model, with labels Oversight, Common Risk Infrastructure and Risk Classes]
Considerations in forming a risk committee
According to King III the board is responsible for the governance of risk through formal processes, which include the total system and process of risk management. The board should show leadership in guiding the efforts aimed at meeting risk management expectations and requirements. Although the board remains ultimately responsible for the governance of risk, it may delegate this function to a separate committee.

The Listings Requirements of the Johannesburg Stock Exchange (JSE) require listed companies to have a risk committee comprising a minimum of three members. Membership of the risk committee should include executive and non-executive directors. Those members of senior management responsible for the various areas of risk management should attend the meetings. The chairman of the board may be a member of this committee but must not chair it.

The role of the committee is to perform an oversight function. In doing so, it should consider the risk policy and plan, determine the company’s risk appetite and risk tolerance, ensure that risk assessments are performed regularly, and ensure that the company has and maintains an effective on-going risk assessment process, consisting of risk identification, risk quantification and risk evaluation. This risk assessment process (using a generally recognised methodology) should identify risks and opportunities, and measure their potential impact and likelihood. The committee should receive assurance from internal and external assurance providers regarding the effectiveness of the risk management process. In turn, management is responsible for the design, implementation and effectiveness of risk management, as well as continual risk monitoring.

It is of vital importance that members of the risk committee have experience within the industry. This would allow them to identify areas of risk and be aware of the appropriate methods of managing the company’s exposure via internal (the control environment) or external (such as thorough insurance cover) means.

Risk management is an often misunderstood discipline within a company. Too often the responsibility for ensuring that the significant risks are identified and adequately managed is not acknowledged, or is inappropriately delegated to the audit committee. There are two reasons why the risk management function should not report to the audit committee, but should be monitored by a separate risk committee. The first is that, as a consequence of the prescribed composition of the audit committee (all members must be independent non-executive directors), the function will often have a financial focus when risk management should correctly extend far beyond the finances of a company.
Secondly, the audit committee should act as an independent oversight body. Having to directly oversee the risk management function would generally involve a large amount of detailed review of the processes and workings of the company. This would necessarily have a detrimental effect on the objectivity of the audit committee’s members when considering reports of the risk management function. The formation of a separate committee recognises the fact that the identification and management of risks impacting the business, and the disclosure of these to the shareholders, is vital to good governance.

In addition, the JSE is aware that some listed companies combine the audit and risk committee. The JSE warns that, given the difference in the membership of these committees, listed companies must ensure in these instances that the membership of the combined committee meets the more stringent independence criteria of the audit committee as set out in the Companies Act and King III. The result of a combined committee is that all the members must be independent non-executive directors. This precludes executive directors (such as the CEO and CFO) from membership. However, given the key role of the CEO in the risk management process, best practice (as captured in King III) requires the risk committee to comprise a combination of executive and non-executive directors.

Also, a combined audit and risk committee will inevitably have a strong focus on financial risks, which may result in inadequate attention to operational and related risks.

It is our recommendation that the responsibility for risk management be delegated by the board to a separate risk committee, comprising both executive and non-executive directors. Where more than one committee bears responsibility for risk management (e.g. the audit committee oversees financial risks and the remuneration committee oversees risks pertaining to compensation), it is paramount that the responsibilities are clearly demarcated and that communication channels are established to ensure that the respective committees take cognisance of and consider the reports and recommendations of the other relevant committees.

In considering whether or not to establish a risk committee one might consider the following key factors:
• Inherent risk environment: The need for a risk committee may be precipitated by the inherent risk environment. The extent, complexity, and potential impact of risks should be considered, and weighed against the ability of the board or a board committee (e.g. the audit committee) to deal sufficiently with the workload.
General role of the risk committee
The risk committee will have specific responsibilities that include, but are not limited to, oversight and
approval of the enterprise risk management framework commensurate with the complexity of the
company including (note that these responsibilities are performed by the committee on behalf of the board
– ultimately the board remains responsible for the final approval of the risk policy and risk management):
• Oversight of risk appetite and risk tolerance appropriate to each business line of the company
• Appropriate policies and procedures relating to risk management governance, risk management
practices, and risk control infrastructure for the enterprise as a whole
• Processes and systems for identifying and reporting risks and risk-management deficiencies,
including emerging risks, on an enterprise-wide basis
• Monitoring of compliance with the company’s risk limit structure and policies and procedures
relating to risk management governance, practices, and risk controls across the enterprise
• Effective and timely implementation of corrective actions to address risk management deficiencies
• Specification of management and employees’ authority and independence to carry out risk
management responsibilities, and
• Integration of risk management and control objectives in management goals and the company’s
compensation structure.
Sample questions to ask about forming a risk committee:
• How long is the term of service for members and for the chair? Will the chair position rotate, or
will he/she be appointed or reappointed by vote or other means?
• What are the responsibilities of the risk committee and of the committee chair?
• How will the chair, the committee, and its members be evaluated?
• Will the management risk committee report to the risk committee, the Chief Risk Officer (CRO),
or the CEO? Are subsidiaries or other related entities subject to the risk committee?
• Which risks will the risk committee oversee and which will be left to other board committees?
• Which board members have the experience to be on the risk committee, and how can the
company attract and cultivate appropriate risk committee members?
• How will the board keep abreast of changes in regulations and in risk governance and
management practices?
• How will the board ensure that the committee has access to the people and resources it will
need to carry out its responsibilities?
Risk committee charter and composition
• The risk committee’s responsibility to oversee the identification, assessment, and monitoring of risk on an on-going enterprise-wide and individual-entity or line of business basis
• The risk committee’s responsibility to approve the charter of the management risk committee - if the board, in compliance with the company’s Memorandum of Incorporation, delegates that responsibility to the risk committee
• The reporting relationships between the risk committee, the CEO, the CRO and the management risk committee
• The risk committee’s oversight of management’s implementation of the risk management strategy
• The risk committee’s responsibility to ensure that risk management is embedded in the business and all decision making processes
• The use of specialists in areas where risks are complex
• Terms of service of risk committee members and the chair, with incumbents subject to reappointment; term limits (which may preclude members or chairs from having their terms renewed) may not be desirable because they may cause the loss of individuals in valued roles

In general, the more precise the charter, the better positioned the risk committee will be to exercise oversight. For example, a detailed charter should enable the committee to develop an annual meeting calendar, based on the responsibilities and required meeting frequency. The calendar might include, for example, specific risk issues (such as risk appetite) and activities (such as risk committee education) for discussion, as well as meeting agendas, using the responsibilities in the charter as a guide.

In addition, it may be appropriate to coordinate the risk committee calendar with those of the audit, remuneration, and nominations committees so that the risk committee will, at a minimum, be made aware of the risk-related activities of those committees. Coordinating their calendars enables the committees to coordinate their activities and use of resources to maximise risk-oversight efficiency.

Tools and resources. Deloitte has developed a model risk committee charter as a guide and template for boards and committees that are developing their charters. The model risk committee charter is located in Appendix A and can be used with the calendar planning tool in Appendix B.
Composition of the risk committee

The Companies Act provides the board with the power to appoint board committees, and to delegate to such committees any of the authority of the board. The authority of the board to appoint board committees is subject to the company’s Memorandum of Incorporation. If the company’s Memorandum of Incorporation, or a board resolution establishing a committee, does not provide otherwise, the committee may include persons who are not directors of the company. However, it should be noted that where non-directors are appointed to a board committee, such persons are not allowed to vote on a matter to be decided by the committee.

“Board committees constitute an important element of the governance process and should be established with clearly agreed reporting procedures and a written scope of authority. The Act recognises the right of a board to establish board committees but by doing so, the board is not exonerated of complying with its legal responsibilities.”
- King III principle 2.23 par 125
Fulfilling risk-oversight responsibilities
Successful risk oversight depends, in part, on the ways in which the risk committee fulfils its responsibilities and interacts with the executive team, CRO, board, and stakeholders.

Responsibilities

Broadly, the responsibilities of a risk committee may include the following:
• Oversee the risk management infrastructure: The full board may oversee the organisation’s risk management infrastructure (see sidebar below), or this oversight responsibility can be delegated to the risk committee, rather than to the audit committee (the committee that historically has had primary responsibility for overseeing the risk management infrastructure). The JSE Listings Requirements permit the board of a listed company to delegate this responsibility to a risk committee, rather than to the audit committee. Where the responsibility is delegated to a combined audit and risk committee, listed companies must ensure in these instances that the membership of the combined committee meets the more stringent independence criteria of the audit committee as set out in King III (see comments above).
• Address risk and strategy simultaneously: Address risk management and governance when strategies for growth and value creation are being created and management decisions are being made. The purpose of this responsibility is typically not to promote risk avoidance, but the opposite - to promote risk-taking for reward in the context of sound risk governance.
• Approve the risk management policy and plan: The risk committee should be able to demonstrate that it has dealt with the governance of risk comprehensively. This should include the development and implementation of a policy and plan for a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, as well as the related internal control, compliance and governance processes within the company. Management should develop both the risk management policy and the plan for approval by the committee. The risk management policy should set the tone for risk management in the company and should indicate how risk management will support the company’s strategy. The risk management policy should include the company’s definitions of risk and risk management, the risk management objectives, the risk approach and philosophy, as well as the various responsibilities and ownership for risk management within the company. The risk management plan should consider the maturity of the risk management of the company and should be tailored to the specific circumstances of the company. The risk management plan should include:
◦ the company’s risk management structure
◦ the risk management framework, i.e. the approach followed, for instance, COSO, ISO, IRMSA ERM Code of Practice, etc.
◦ the standards and methodology adopted – this refers to the measurable milestones such as tolerances, intervals, frequencies, frequency rates, etc.
◦ risk management guidelines
◦ reference to integration through, for instance, training and awareness programmes, and
◦ details of the assurance and review of the risk management process.
The committee should review its risk management plan regularly but at least once a year.
• Approve the process for risk identification: The risk management plan should set out the process for risk identification. This can take various forms, e.g. scenario planning, a management workshop, etc. The risk committee should assess the robustness of the process for the identification of all risks, and review and approve outcomes of the process.
• Correlate risks: The committee should assist the board to ensure that the board is satisfied that insurance, indemnification and remuneration practices do not prejudice risk management decision-making.
• Advise the board on risk strategy: The board creates the risk committee to serve as a repository of information and expertise on risk and to advise the board on risk strategy. Thus, the risk committee can help inform the board of risk exposures and advise the board on future risk strategy. In this regard, it should be noted that King III proposes that risk management should be intrusive: its methodology and techniques should be embedded within strategy setting, planning, and business processes to safeguard performance and sustainability. The rigours of risk management should provide responses and interventions that strive to create an appropriate balance between risk and reward within the company.

In line with the Risk Intelligent approach to risk management (see section 4), it is important that the risk committee assist management to ensure the incorporation of Risk Intelligence into the strategy of the business. In this regard, the risk committee should guide the design of processes for integrating risk management into strategic planning, to continuously monitor strategic alignment of risk management and establish accountability by reinforcing executive accountability for risk management.

Steps some boards have taken to improve risk governance:
• Revised committee charters to include risk-related concerns
• Benchmarked their practices against peer companies
• Obtained guidance from associations of directors and similar sources
• Focused more attention on risk management and its value and shortcomings
• Reviewed ethical guidelines and codes of conduct
• Consult external experts: The risk committee should consider having access to external expert advice regarding risk and risk governance and management in the form of meetings, presentations, verbal or written briefings, or assignments commissioned by the risk committee. Areas to cover could include the risk environment, regulatory developments, leading practices, or any other items the board or committee specifies. In some cases, the risk committee may seek external board education regarding risk management or regulatory matters. In other cases, the risk committee may engage a consultant for a particular assessment or other efforts best commissioned at the board level.
• IT governance: King III makes it clear that the board must ensure proper governance of information technology (IT) risk, including information security. As such, IT risks form an integral part of the company’s risk management processes. The risk committee may be assigned responsibility to oversee IT risk management. In this regard, the role of the risk committee is to ensure proper alignment of IT with the strategy, performance and sustainability objectives of the company, the implementation of an IT governance framework, oversight of the management of information assets, and monitoring and evaluation of all significant investments and expenditure in IT.
• Consider other responsibilities: Depending on the enterprise, its industry, and its approach to value creation, the risk committee may want to involve itself in other responsibilities. The work of the risk committee can help its members to be better positioned to add value within the board and the organisation.
• Review crisis management plans: Keep
abreast of crisis preparedness and ascertain
that management has developed and can
implement a plan to respond to major risks,
such as natural disasters, terrorism, cyber-
attacks, epidemics, civil disorder, black
swan events, and other events that could
compromise the enterprise’s human or other
resources or disrupt the value chain.
To illustrate, consider supply chain risk. Examining supply chain risk as an operational risk might fail to account for dependent
risks that are often managed in silos, such as activities related to transfer pricing, the US Foreign Corrupt Practices Act, supplier
issues, legal versus beneficial ownership of intangible assets overseas, value-added tax, customs and licensing, currency issues,
global regulatory compliance, or deployment of staff overseas. A risk event in any of these areas can create a ripple effect
through the others, leading to unintended consequences. For example, the results of a significant transfer-pricing decision
could wipe out the economic benefit of an otherwise rational and tax-efficient supply chain strategy. Sanctions from a foreign
government could put a valuable link in the supply chain in jeopardy. Failing to appreciate the legal environment in a geography
might result in the loss of a valuable patent to nationalisation, one upon which key manufacturing processes depend. Lack of
preparation in the implementation or maintenance phases throughout an organisation’s supply chain management cycle may
result in an unanticipated tax burden associated with exit charges and/or permanent establishment risk.
If these risks are examined individually but not considered together as companies assess their supply chain strategy, the extent
of the upside and downside risk in the supply chain cannot be fully appreciated. Excluding any one of these could lead to a
business decision that doesn’t contemplate risk holistically across the organisation. Mitigation in one area could increase the
significance of the risk in the other, or failing to aggregate the risk could mean that mitigation is postponed inappropriately.
Identification of key risks and opportunities, and linking this to materiality in the Integrated Report
With the release of the Integrated Reporting Framework, the International Integrated Reporting Council has provided further guidance to companies on what principles and content elements should be adopted when preparing an Integrated Report.

Consequently there are two areas that the risk committee should be aware of and over time may become responsible for. These include the materiality determination process and the reporting of risks and opportunities.

In determining whether or not a matter is material, senior management and the board consider whether the matter substantively impacts, or has the potential to substantively impact, the organisation’s strategy, its business model, or one or more of the capitals it uses or affects. The principle here is that, if the board needs certain information to take key strategic decisions, this points to the materiality of the information. As such, the board agenda and board pack may provide a very clear indication of what information is regarded as material by the board. Of course, this approach to materiality necessitates greater alignment between material matter identification and assessment and the risk management process.

In disclosing the key risks and opportunities in the Integrated Report, the risk committee should provide the oversight over this element of disclosure in the Integrated Report prior to board approval. The disclosure point should influence the risk committee’s in-year reporting and focus on not only the downside but the upside of risk management.
• How do we define risk appetite and risk tolerance, at both the enterprise and business-unit levels?
• How do we measure the risk utilisation and exposures of the organisation at the enterprise and
business-unit levels?
• What are the components of the risk management infrastructure and how do we know they are
adequate to address the risks the enterprise faces?
• Have the audit committee and remuneration committee gauged the risks that they oversee in
financial reports and remuneration systems and reported them to the risk committee?
• Are we receiving the information from management that we have requested and has it been
timely?
• Have we used the risk-related information from the CEO, CRO and management to monitor the
risk appetite and risk profile, and in a timely manner?
• Do we review and concur with the organisation’s disclosures regarding risks in the Integrated
Report and other public documents before they are issued?
Risk Intelligent enterprise
At many organisations, risk governance and value creation are viewed as opposed or even as mutually exclusive, when in fact they are inseparable. Every decision, activity, and initiative that aims to create or protect value involves some degree of risk. Hence, effective risk governance calls for Risk Intelligent governance - an approach that seeks not to discourage appropriate risk-taking, but to embed appropriate risk management procedures into all of an enterprise’s business pursuits.

Deloitte’s concept of the Risk Intelligent Enterprise integrates nine principles related to the responsibilities of the board, senior management, and business unit leaders into a cohesive risk management framework. Risk governance is at the apex of the framework: the unifying touchstone and guide to all of the organisation’s risk management efforts. But on a more detailed level, what does effective Risk Intelligent governance entail?

Nine fundamental principles of a Risk Intelligence program
1. In a Risk Intelligent Enterprise, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organisation.
2. In a Risk Intelligent Enterprise, a common risk framework supported by appropriate standards is used throughout the organisation to manage risks.
3. In a Risk Intelligent Enterprise, key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organisation.
4. In a Risk Intelligent Enterprise, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
5. In a Risk Intelligent Enterprise, governing bodies (e.g., boards, risk committees, audit committees, etc.) have appropriate transparency and visibility into the organisation’s risk management practices to discharge their responsibilities.
6. In a Risk Intelligent Enterprise, executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
7. In a Risk Intelligent Enterprise, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
8. In a Risk Intelligent Enterprise, certain functions (e.g., Finance, Legal, Tax, IT, HR, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organisation’s risk program.
9. In a Risk Intelligent Enterprise, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organisation’s risk program to governing bodies and executive management.
[Figure: The Risk Intelligent Enterprise - Nine Principles for Building a Risk Intelligent Enterprise, with the Governing Bodies Responsibility layer highlighted]
Based on our experience working with boards in their risk governance efforts, we have identified six distinct actions a board can take to help enable a Risk Intelligent governance approach:
1. Define the board’s risk oversight role (delegated to the risk committee)
2. Foster a Risk Intelligent culture
3. Help management incorporate Risk Intelligence into strategy
4. Help define the risk appetite
5. Execute the Risk Intelligent governance process
6. Benchmark and evaluate the governance process

Collectively, these “areas of focus” reflect the view that risk-taking for reward and growth is as important as risk mitigation to protect existing assets. By treating risk as intrinsic to the conduct of business, Risk Intelligent governance elevates risk management from an exercise in risk avoidance to an essential consideration in every decision, activity, and initiative.
• Define the board’s risk governance roles and responsibilities. Although the entire board is
accountable for overseeing risk management and should be involved in the risk oversight process,
it may delegate responsibility for risk oversight to the risk committee. Having various committees
play complementary roles in risk oversight (e.g. risk committee, audit committee, remuneration
committee, etc.) - and share their findings and insights with each other and the entire board - can
help set the tone that risk oversight is important to all board and committee members. Even in
boards where the nominal responsibility for risk oversight rests with a single committee all board
members should recognise that risk oversight is broader than that single committee. In any case, all
such roles and responsibilities should be formally defined and clearly understood.
• Consider board composition. In our view, a board should possess enough collective knowledge and experience to promote a broad perspective, open dialogue, and useful insights regarding risk. Consider performing a periodic evaluation, perhaps carried out by the nominations committee, of the board’s overall composition as well as each member’s experiences, knowledge, and special characteristics and qualities. Having the right mix of board members at the table will allow for discussions that are founded on Risk Intelligent knowledge and perspective.
• Establish an enterprise-wide risk management framework. Like any organisational process, risk management requires a framework that defines its goals, roles, activities, and desired results. Deloitte’s concept of the Risk Intelligent Enterprise describes an approach to risk that can strengthen an existing framework or constitute a framework itself. Ideally, the chosen framework will help management establish goals, terms, methods, and measures, as well as gauge the need for specific programs (such as a contract risk and compliance program or training programs on risk awareness).
• Perform site visits. Consider touring the organisation’s facilities to enhance your understanding of work processes and the risks associated with value creation and preservation. A number of boards today are indeed using site visits to broaden their knowledge of - and demonstrate their interest in - the work of the enterprise.

Questions to ask about risk oversight:
• How is risk overseen by our various board committees?
• Is there appropriate coordination and communication?
• Are we getting the information and insights we need for key decisions?
• Which framework has management selected for the risk management program? What criteria did they use to select it?
• What mechanisms does management use to monitor emerging risks? What early warning mechanisms exist, and how effective are they? How, and how often, are they calibrated?
• What is the role of technology in the risk management program? How was it chosen, and when was it last evaluated?
• What is the role of the tax function in the risk management program? Are we taking steps to demystify tax by gaining a high-level understanding of not only the downside consequences of tax risks, but also the upside potential that a robust tax risk management program can offer?
• Lead by example in communicating about risk. The risk committee should ask management
about the risks of specific decisions, activities, and initiatives. It should set expectations with senior
executives and business unit leaders about what information the committee expects and how it
will be conveyed. The committee should set the tone for an open and candid dialogue. Also, the
risk committee has to work with management to develop appropriate messaging about the risk
environment for the rest of the organisation.
• Build cohesive teams with management. Culture change occurs not by decree but through
interactions with management. The committee should create opportunities to engage with
management and to learn more about their risk management practices. These interactions can form
the basis of a continual, interactive process of alignment that both allows the committee to refine its
views and priorities, and enables management to adjust its practices to reflect your guidance.
• Reward Risk Intelligent behaviour. The risk committee should consider incorporating risk-related
objectives into the company’s executive remuneration structures. It may also wish to urge
management to weave risk management practices into job descriptions, training, work processes,
supervisory procedures, and performance appraisals.
• Consider a third-party assessment. In addition to self-assessment, commissioning an independent
external review of the risk governance policies, procedures, and performance can yield useful
benchmarking information and shed light on leading risk governance practices.
Questions to ask about the organisational culture:
• How are we communicating our Risk Intelligence messages and assessing the extent to which Risk
Intelligence is understood throughout the enterprise?
• Are people comfortable in discussing risk, or are they afraid to raise difficult issues? How quickly do
they raise issues?
• How might our remuneration programs encourage inappropriate short-term risk taking? How can
we change these programs to encourage Risk Intelligent risk-taking instead? What mechanisms exist
to recover remuneration when excessive risk-taking occurs?
• Has the organisation developed a common language around risk that defines risk-related terms and
measures and that promotes risk awareness in all activities and at all levels?
• How have we demonstrated the significance of risk governance in our documentation and
communications?
• What tools are we using to gauge our risk governance effectiveness, and with what results? What
benefit might we derive from an independent evaluation?
• Design processes for integrating risk management into strategic planning. The committee may
consider augmenting the overall strategic planning process with processes for considering risks
across the organisation, prioritising the risks, and appropriately allocating risk management
resources. It should consider the scenario-planning process and whether it incorporates both
upside and downside risks, as well as a view into the overall risk exposures and opportunities. The
committee may wish to develop processes that help verify that risk management incorporates value
creation as well as preservation, that the risk appetite is defined and risk tolerances are identified,
and that risk is handled accordingly. Also, the risk committee can include discussions about risk at
retreats devoted to strategy.
• Monitor strategic alignment. Monitoring strategic alignment involves analysing the risk-return
trade-off in setting the company’s financial goals, the proposed means of reaching those goals, and
likely constraints. To execute this monitoring, the risk committee will need to maintain visibility in
strategic planning and risk-reward decisions. The committee must make it clear that any changes
or events with potentially significant consequences for the organisation’s reputation, as well as its
financial position, are to be brought to its attention for consideration.
• Establish accountability. The risk committee should establish and reinforce executive accountability
for risk management. One way to do this is to expect full disclosure by management of the risks
associated with each aspect of the strategy. Give management on-going feedback about your
satisfaction with their level of disclosure and the quality of risk-reward analyses. A formal evaluation
process for specific executives, led by the chair of the risk committee, may also be considered.
Risk appetites may vary according to the type of risk under consideration. Using a Risk Intelligent
approach, companies ought to have an appetite for rewarded risks such as those associated with new
product development or new market entry, and a much lower appetite for unrewarded risks such
as non-compliance or operational failures. Some risks just come with the territory. If you are in the
chemical business, there will inevitably be environmental spills and health and safety incidents. If you
don’t have the appetite for those types of risks, then you probably shouldn’t be in that business. Once
you have accepted this reality, you should do everything to prevent, rapidly detect, correct, respond
to, and recover from any such incident.
Once the risk appetite is defined, management then should define specific risk tolerances, also
known as risk targets or limits, that express the specific threshold level of risk by incident in terms that
decision-makers can use (for instance, in completing an acquisition, the risk tolerance may be defined
as a stop-loss threshold of a specified value). Management may express zero tolerance for unethical
business conduct or for environmental, health and safety incidents by adopting a zero-incidents policy.
One important management responsibility is to continually monitor the company’s risk exposures,
evaluate actual risk exposure levels against the stated risk appetite, and adjust risk tolerances and
policies as necessary to align actual risk exposure with the desired risk exposure as defined by the risk
appetite. By having management report on this process to the risk committee, members can gain
insight into whether there may be opportunities for further risk-for-reward strategies or, conversely, if
the organisation is overly “stretched” in its risk levels.
• Distinguish between risk appetite and risk tolerance. Many business unit leaders and some
senior executives fail to distinguish between risk appetite and risk tolerance. As a result, many
organisations either set arbitrary risk tolerances that do not track back to an overall risk appetite, or
wrongly assume that a general statement of risk appetite gives decision-makers enough operational
guidance to stay within its parameters. The risk committee can help the organisation steer clear of
these traps by assisting management in developing a cogent approach to defining the risk appetite,
specifying risk tolerances, and communicating them across the enterprise.
• Serve as a sounding board. The committee should be available as a resource for helping senior
executives understand and reconcile various views of risk within the organisation. One way to do
this is to ascertain how management balances and aggregates the business units’ risks as well as
how management sets various risk tolerances, particularly in relatively risky businesses or markets.
• Work with management on process design. A joint approach to process design can help establish
processes that both the risk committee and management feel are effective, yet not overly
burdensome. The committee can collaborate with executives to develop value creation and risk
management objectives, board responsibilities, and mechanisms for elevating key risk issues.
It’s often useful to establish policies that detail the circumstances under which management
must obtain board or committee approval for decisions, while noting that the board’s role is risk
governance rather than risk management.
• Monitor the overall risk management process. The risk committee should set up procedures for
evaluating and overseeing the processes by which risks are systematically identified, reported, and
managed. To execute effective monitoring, it’s important that committee members keep abreast of
the company’s vulnerabilities, risk appetite, and risk tolerances; understand the risk management
system; and bring an integrated view of the organisation’s risk management methods to discussions
with the executive team.
• Conduct formal risk management program assessments. A risk management program assessment
can include questions about risk governance, risk infrastructure and management, and risk
ownership. This provides a comprehensive view of the process and enables all stakeholders to see
how they fit into both the basic process and any improvement efforts.
• Clarify accountability at the board and management levels. Complete, on-going disclosure
of major risk exposures by the CEO to the committee and the board is fundamental to a Risk
Intelligent governance process. We suggest that the committee works with the CEO to verify
that responsibility for specific risks and related activities has been assigned to specific members of
the management team. In doing this, it’s important for the committee and the CEO to maintain a
constructive, collaborative relationship, but that need not stop the risk committee from discussing
difficult issues with management and questioning practices when doubts arise.
• Use internal monitoring and feedback. The risk committee should periodically ask for feedback
from senior executives on how well the committee and other board members have played their risk
oversight role. As part of this effort, the committee may consider the report from Internal Audit on
the effectiveness of the risk management process. The committee may also wish to request relevant
reports from the risk management team. The committee may also review the methods by which
management assesses the risk management program.
• Participate in continuing education and updates. To keep individual committee members’
knowledge up to date, it’s helpful to receive on-going updates on approaches to risk management
and on risks developing in the internal and external environment.
• Solicit independent viewpoints. An independent review of the risk governance program can help
to identify what is working, locate any gaps, and prioritise areas for improvement. The committee
should consider having management present the summary results along with a plan for any
corrective actions.
• Include risk as a topic in the annual board self-assessment. The board’s annual self-assessment
process provides a broad view into how the full board feels that it is performing in its overall
governing body role. Including questions in the assessment form focused specifically on risk
governance effectiveness can be a valuable guide to measuring the committee and the individual
members’ effectiveness in providing Risk Intelligent governance. The nominations committee may
wish to consider reviewing the assessment form to verify that it includes such language.
On-going education and periodic evaluation
As with other board responsibilities, it is important that risk oversight does not become a
set-it-and-forget-it proposition. Risks in the economic, competitive, regulatory, legal, and
technological environments are dynamic, and risk governance must evolve in response.
Education never ends
In terms of King III, companies should ensure the continued education of all board members
with the intention of keeping them up to date with applicable prescripts and best practice. As a
committee dealing with an area in constant flux, the risk committee should consider how it plans
to stay informed about developments in risk management practices and emerging risk areas.
The following guidelines can assist risk committees in developing education and training
initiatives to:
• Stay abreast of leading practices as risks evolve and as management updates its risk
management methods.
• Understand new risks associated with new businesses and locations and how changes in
regulations in foreign jurisdictions can increase or decrease risk.
• Periodically benchmark risk governance practices of peers (including peer companies within the
company’s industry), competitors, customers, and suppliers in order to understand evolving
practices and evolving expectations of business partners and investors.
• Keep up to date on risk disclosure requirements in external/public communications.
• Offer orientation programs for new risk committee members and a module in board members’
orientations to inform them about the risk committee.
Education could include sources ranging from conferences and continued readings to courses
designed for senior executives to customised briefings from external specialists. Deloitte suggests
a mix of general updates and company-specific information on risk, risk governance, and risk
management.
Evaluations are a must
King III stresses that the evaluation of the board, its committees and the individual directors
should be performed every year. Effective and meaningful evaluation is only possible once the
board has determined its own role, functions, duties and performance criteria as well as those
for the board committees.
The performance of the risk committee as a whole and, possibly, that of individual members
should be evaluated periodically.
• Areas of risk committee performance to consider evaluating may include:
– Breadth and depth of the committee’s knowledge of risk and risk governance and
management (including on-going education)
– Independence of the risk committee members from management
– Performance of the chair of the committee and his or her relations with management,
the CEO, the CRO and with the committee
– Clarity of communications with management about risk and the degree to which these
communications have been understood and acted upon
– Quality of board, risk committee, and management responses to potential or actual
financial, operational, regulatory, or other risk events
– Effectiveness of the information received and reporting about risk by management
• There are several methods for board committee evaluations, each with its advantages and
disadvantages:
– Self-evaluation
– Peer evaluation
– External evaluation
• In the absence of regulations to the contrary, an annual self-evaluation of the risk committee
as a whole, as well as an evaluation conducted with external specialists every two or three
years, may be beneficial and appropriate.
Tools and resources. To assist risk committees in their evaluation efforts, we have included a
sample risk committee performance evaluation questionnaire in Appendix C.
Ever vigilant, continually improving
Much of the value of the risk committee will likely come from the questions it poses, such as the
following two, which are central to risk oversight:
• What are all the risks of a decision or initiative — for instance, of a new product, market,
acquisition, or financial structure — that management may be considering?
• What steps has management taken to mitigate, manage, and monitor those risks?
Developments in the business, financial, economic, and regulatory environment can be expected
to subject risk committees to an expanding range of responsibilities, up to and including weighing
in on strategic issues from a risk-oversight perspective. While the full board takes the lead in
strategy discussions with the executive team, the risk committee often will have a valuable
wide-angle perspective to offer to the board.
Regardless of how the committee’s responsibilities evolve, a key skill of its members will be to
understand and prioritise the risk governance and oversight needs of the enterprise. This can
require at least as much wisdom as skill. By that we mean committee members must understand
the risks posed by the business itself and by external forces and how they might affect the
enterprise. Then, as appropriate, they should question management about the risks and about
how the organisation is addressing them. Then they must listen carefully to the answers and, as
appropriate, probe for more information.
Further information may come from internal, financial, audit, or assurance reports and from
informal conversations with the CRO and members of the management risk committee. In fact,
when failures in risk management occur, in Deloitte’s experience, post-incident reviews of “What
happened?” often reveal that information which could have helped the enterprise recognise the
risk sooner and address it more effectively already existed within the organisation.
This knowledge presents risk committees with a real opportunity. They can shoulder the
responsibility of helping management to identify not only risks (and opportunities) and ways of
addressing them, but also ways of improving the risk management infrastructure so that
information about risks and how to manage them surfaces before, rather than after, risk events.
Questions to ask to encourage continual improvement in
risk oversight:
• How do we evaluate the CEO, CFO, chief audit executive, and other senior positions in terms of
their risk awareness and approach to risk management?
• How are we working with management and stakeholders (especially shareholders) to help the
enterprise balance demands for short-term performance and long-term prosperity?
• What are our ethical and legal responsibilities for risk oversight in energy efficiency, water usage,
labour practices, and other areas of sustainability, and how are we meeting them?
• Where is the line between risk oversight and risk management? How do we practice the right
balance that characterises sound risk governance?
• What assurance is the risk committee obtaining on the effectiveness of the risk management
function?
• How embedded is the risk culture within the organisation?
• How do we keep the risk committee from becoming stale, set in its ways, or merely pro forma in
its approach to oversight? How do we stay open to opportunities to improve when we believe our
methods are working?
It is important to note that the Risk Committee Resource Guide practices are drawn from Deloitte
experiences and our understanding of practices currently being used.
Deloitte does not accept any responsibility for any errors this publication may contain, whether caused
by negligence or otherwise, or for any losses, however caused, sustained by any person that relies
on it. The information presented can and will change; we are under no obligation to update such
information. Deloitte makes no representations as to the sufficiency of these tools for your purposes,
and, by providing them, we are not rendering accounting, business, financial, investment, legal, tax,
or other professional advice or services. These tools should not be viewed as a substitute for such
professional advice or services, nor should they be used as a basis for any decision that may affect
your business. Before making any decision or taking any action that may affect your business, you
should consult a qualified professional adviser.
Deloitte does not assume any obligations as a result of your access to or use of these tools.
This template is designed for South African public companies; exceptions to the requirements noted
below may apply for certain issuers, including investment companies, small-business issuers, and
foreign private issuers. All companies should consult with legal counsel regarding the applicability and
implementation of the various requirements identified. Further, this template should be tailored on a
company-by-company basis to meet the needs and specific situations for each company utilising the
tool.
Sample risk committee charter
The risk committee may have the authority to conduct investigations into any matters within its scope
of responsibility and obtain advice and assistance from outside legal, accounting, or other advisors, as
necessary, to perform its duties and responsibilities.
In carrying out its duties and responsibilities, the risk committee shall also have the authority to meet
with and seek any information it requires from employees, officers, directors, or external parties. In
addition, the risk committee should meet with other board committees to avoid overlap as well as
potential gaps in overseeing the company’s risks.
The risk committee will primarily fulfil its responsibilities by carrying out the activities enumerated in
Section III of this charter.
The risk committee will provide its members with annual continuing education opportunities and
customised training focusing on topics such as leading practices with regard to risk governance and
oversight and risk management.
Committee members will be appointed by the board. Unless a chairperson is elected by the full board,
the members of the committee may designate a chairperson by majority vote. Additionally, the risk
committee, in conjunction with the full board and with the nominations committee, may do well to
consider and plan for succession of risk committee members.
The risk committee will report to the full board. The risk committee will consider the appropriate
reporting lines for the CEO, the company’s chief risk officer (CRO) and the company’s management-
level risk committee - whether indirectly or directly - to the risk committee.
The committee will meet at least quarterly, or more frequently as circumstances dictate. The
committee chairperson will approve the agenda for the committee’s meetings, and any member may
suggest items for consideration. Briefing materials will be provided to the committee as far in advance
of meetings as practicable.
Each regularly scheduled meeting will begin or conclude with an executive session of the committee,
absent members of management. As part of its responsibility to foster open communication, the
committee will meet periodically with management, heads of business units, the CRO (if applicable),
the chief audit executive (director of the internal audit function), and the independent auditor in
separate executive sessions.
III. Responsibilities and duties
To fulfil its responsibilities and duties, the risk committee will:
Enterprise responsibilities
• Help to set the tone and develop a culture of the enterprise vis-à-vis risk, promote open discussion
regarding risk, integrate risk management into the organisation’s goals and compensation structure,
and create a corporate culture such that people at all levels manage risks rather than reflexively
avoid or heedlessly take them
• Provide input to management regarding the enterprise’s risk appetite and tolerance and, ultimately,
approve risk appetite and the statement of risk appetite and tolerance messaged throughout the
company and by line of business
• Monitor the organisation’s risk profile - its on-going and potential exposure to risks of various types
• Approve the risk management policy and plan. Management should develop both the risk
management policy and the plan for approval by the committee. The risk management plan should
consider the maturity of the risk management of the company and should be tailored to the specific
circumstances of the company. The risk management plan should include:
- the company’s risk management structure
- the risk management framework i.e. the approach followed, for instance, COSO, ISO, IRMSA
ERM Code of Practice, etc.
- the standards and methodology adopted – this refers to the measureable milestones such as
tolerances, intervals, frequencies, frequency rates, etc.
- risk management guidelines
- reference to integration through, for instance, training and awareness programmes, and
- details of the assurance and review of the risk management process.
• The committee should review the risk management plan at least once a year.
• Define risk review activities regarding the decisions (e.g. acquisitions), initiatives (e.g. new products),
and transactions and exposures (e.g. by amount) and prioritise them prior to being sent to the
board’s attention
• Review and confirm that all responsibilities outlined in the charter have been carried out
• Monitor all enterprise risks; in doing so, the committee recognises the responsibilities delegated to
other committees by the board and understands that the other committees may emphasise specific
risk monitoring through their respective activities
• Conduct an annual performance assessment relative to the risk committee’s purpose, duties, and
responsibilities; consider a mix of self- and peer- evaluation, supplemented by evaluations facilitated
by external experts
• Oversee the risk program/interactions with management
• Review and approve the risk management infrastructure and the critical risk management policies
adopted by the organisation
• Periodically review and evaluate the company’s policies and practices with respect to risk assessment
and risk management and annually present to the full board a report summarising the committee’s
review of the company’s methods for identifying, managing, and reporting risks and risk
management deficiencies
• Continually, as well as at specific intervals, monitor risks and risk management capabilities within the
organisation, including communication about escalating risk and crisis preparedness and recovery
plans
• Continually obtain reasonable assurance from management that all known and emerging risks have
been identified and mitigated or managed
• Communicate formally and informally with the executive team and risk management regarding risk
governance and oversight
• Discuss with the CEO and management the company’s major risk exposures and review the steps
management has taken to monitor and control such exposures, including the company’s risk
assessment and risk management policies
• Review and assess the effectiveness of the company’s enterprise-wide risk assessment processes and
recommend improvements, where appropriate; review and address, as appropriate, management’s
corrective actions for deficiencies that arise with respect to the effectiveness of such programs
• Monitor governance rating agencies and their assessments of the company’s risk and proxy advisory
services policies, and make recommendations as appropriate to the board
• In coordination with the audit committee, understand how the company’s internal audit work plan
is aligned with the risks that have been identified and with risk governance (and risk management)
information needs
Reporting
• Understand and approve management’s definition of the risk-related reports that the committee
could receive regarding the full range of risks the organisation faces, as well as their form and
frequency
• Respond to reports from management so that management understands the importance placed on
such reports by the committee and how the committee views their content
• Read and provide input to the board and audit committee regarding risk disclosures in financial
statements and other public statements regarding risk
• Keep risk on both the full board’s and management’s agenda on a regular basis
• Coordinate (via meetings or overlap of membership), along with the full board, relations and
communications with regard to risk among the various committees, particularly between the audit
and risk committees
• Disclose in the company’s Integrated Report how it has satisfied itself that risk assessments,
responses and interventions are effective
• Review the charter at least annually and update it as needed to respond to new risk-oversight needs
and any changes in regulatory or other requirements
• Review and approve the management-level risk committee charter, if applicable
• Perform any other activities consistent with this charter, the company’s bylaws, and governing laws
that the board or risk committee determines are necessary or appropriate
• Submit the charter to the full board for approval
The “Suggested Frequency” section offers a suggestion for how often the activity could be performed,
while the “Meeting Month” section provides an area where the risk committee can mark the months
in which an activity could be performed. The risk committee might use this tool in conjunction with
the “sample risk committee charter,” and it should be tailored to reflect the responsibilities in the
company’s risk committee charter.
This document is not an all-inclusive list of activities that a risk committee should or must execute. The
planning tool contains general information only and does not constitute, and should not be regarded
as, legal or similar professional advice or service. Deloitte does not accept any responsibility for any
errors this publication may contain, whether caused by negligence or otherwise, or for any losses,
however caused, sustained by any person that relies on it. The information presented can and will
change; we are under no obligation to update such information. Deloitte makes no representations
as to the sufficiency of these tools for your purposes, and, by providing them, we are not rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. These
tools should not be viewed as a substitute for such professional advice or services, nor should they be
used as a basis for any decision that may affect your business. Before making any decision or taking
any action that may affect your business, you should consult a qualified professional adviser. Deloitte
does not assume any obligations as a result of your access to or use of these tools.
This planning tool is designed for use by SA public companies. All companies should consult with
legal counsel regarding the applicability and implementation of the various activities identified.
Action/Responsibility | Suggested frequency | Meeting month (one column for each month, January to December, to be marked by the committee) | Comments
Enterprise Responsibility
Help to set the tone and develop a culture of the enterprise vis-à-vis risk, promote open discussion regarding risk, integrate risk management into the organisation’s goals and compensation structure, and create a corporate culture such that people at all levels manage risks rather than reflexively avoid or heedlessly take them. | Continuously | | 
Review and confirm that all the responsibilities outlined in the charter have been carried out. | Continuously | | 
Chief risk officer
Ensure that the company’s CRO (if applicable) has sufficient stature, authority, and seniority within the organisation and is independent from individual business units within the organisation. | Annually and as needed | | 
Reporting
Read and provide input to the board and audit committee regarding risk disclosures in financial statements, proxy statements, and other public statements regarding risk. | Annually | | 
Perform any other activities consistent with the charter, the company’s bylaws, and governing laws that the board or risk committee determines are necessary or appropriate. | Continuously | | 
Notes:
Risk committee performance evaluation
While there is currently not a legal or regulatory requirement for board risk committees to complete
a performance evaluation, King III recommends regular performance evaluations for all board
committees. Based on our knowledge, assessing committee performance on a regular basis is a
leading governance practice.
There are several methods for board committee evaluations, each with its advantages and
disadvantages:
• Self-evaluation
• Peer evaluation
• External evaluation
In the absence of regulations to the contrary, an annual self-evaluation of the risk committee as a
whole, as well as an evaluation conducted with external specialists every two or three years may be
beneficial and appropriate.
The following questionnaire is based on our knowledge and understanding of emerging and leading
practices and is designed to assist in the self-assessment of a risk committee’s performance. It is not
intended to be all inclusive and, if used, should be modified to accommodate a company’s specific
circumstances.
Circle one number for each statement: 0 = insufficient knowledge; 1 (strongly disagree) to 5 (strongly agree)
• Financial exposures
• Business continuity
• Company reputation
• Management override
• Fraud control 0 1 2 3 4 5
13. Written materials provided to risk committee members are relevant and at the right level to provide the information the committee needs to make decisions. 0 1 2 3 4 5
14. Meetings are held with enough frequency to fulfil the risk committee’s duties at least quarterly, which should include periodic visits to company locations with key members of management. 0 1 2 3 4 5
15. Regularly, risk committee meetings include separate private sessions with business-unit leaders, the CRO or equivalent, and the internal auditor. 0 1 2 3 4 5
16. The risk committee maintains adequate minutes of each meeting. 0 1 2 3 4 5
17. The risk committee meets periodically with the committee(s) responsible for reviewing the company’s disclosure procedures (typically the audit committee) in order to discuss respective risk-related disclosures. 0 1 2 3 4 5
18. The risk committee coordinates with other board committees (e.g., audit committee) to avoid gaps or redundancy in overseeing individual risks. 0 1 2 3 4 5
19. The risk committee respects the line between oversight and management of risks within the organisation. 0 1 2 3 4 5
20. Risk committee members come to meetings well prepared. 0 1 2 3 4 5
Monitoring activities
21. An annual performance evaluation of the risk committee is conducted, and any matters that require follow-up are resolved and presented to the full board. 0 1 2 3 4 5
22. The company provides the risk committee with sufficient funding to fulfil its objectives and engage external parties for matters requiring external expertise. 0 1 2 3 4 5
Communication activities
23. The risk committee communicates regularly with regulators and others on risk management-related matters. 0 1 2 3 4 5
Representative questions that the board might ask in managing board-level risks

Managing known risk areas
• Is there a common understanding of risk and opportunity?
• Is there a common language to bridge risk and business silos? Is it ingrained into the risk framework?
• How much can be gained by properly managing this risk? How much is it costing us (or will it cost us) to manage this risk? What is the cost of inaction?
• What are the different ways in which value can be created or destroyed?
• Does our risk management or mitigation strategy introduce any additional risks?
• What is the magnitude of the known risk exposures (inherent)?
• Are any of these risk exposures life threatening to the enterprise? How fast can they occur? Are we prepared to respond/recover?
• How can we be confident of our risk management practices? What are the exposures (residual) despite them?
• Are the residual exposures within the risk appetite of the firm? If not, what can we practicably do to reduce our exposure to these risks to an acceptable level?
• Do we only conduct business within approved business areas, for approved product and transaction types, and with approved customers and counterparties?

Identifying the unknown
• What are the risks arising out of the underlying assumptions in our strategy choices? What if the assumptions are wrong?
• Do the underlying assumptions of our industry and enterprise pose some risks?
• What are the assumptions underlying our value proposition and market segmentation?
• Have the opposites of these assumptions been identified? What are the implications of these on our business?
• How do we monitor for potential new business activity, new transaction types, and new customers and counterparties?
• Can we detect significant changes in the environment (including regulatory changes) that affect our business model and its underlying assumptions?
• What might be the unintended consequences of our decisions? Can we detect them?
• Does the enterprise have common triggers to alert leadership to strategic changes?
• Does bad news travel fast or have there been delays in escalating negative issues?
Deloitte provides audit, tax, consulting and financial advisory services to public and private clients spanning
multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte
brings world-class capabilities and high-quality service to clients, delivering the insights they need to address
their most complex business challenges. The more than 200 000 professionals of Deloitte are committed to
becoming the standard of excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited,
its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this
communication, rendering professional advice or services. No entity in the Deloitte Network shall be
responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2014 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited