The idea of a board risk committee has gained currency as of late.

In the banking industry, such a committee may soon be required. While quite a few companies have moved to set up such committees, many are still getting by with the risk governance function tucked into the audit committee's portfolio of duties. Given the rising prominence of risk management in all areas of business, a separate committee strikes us a great idea. While we often deal with IT risk in this publication, we have been anything but blind to the many other risks that companies face on a daily basis.

There are lots of issues to discuss, and we're happy to note that Deloitte has come out with a new resource, "Risk Committee Resource Guide for Boards." It delves into all the big issues, which are relevant for financial and nonfinancial companies, though the issue may be more pressing for financial companies, given the Dodd-Frank NPR that will likely refine some regulatory burdens in this area.

I've always thought the key to success is independence and making sure that the committee can reach past the top level of management down into the organization. So one issue is "whether the CRO, if there is one, will report to the risk committee, the board, or the chief executive officer (CEO)--or have a dual reporting relationship to the risk committee, or board, and the CEO. Under the NPR for banks and BHCs with more than $50 billion in assets and for non-bank financial companies designated as systemically important, the CRO will be required to report to the risk committee and CEO."

Keep in mind also that the NPR may end up requiring a risk expert, much like a financial expert was required for audit committees.

For more:  
- here's the guide

Related articles:
Audit committees double as risk committees
Are you ready to setup a risk committee?