The revised UK Corporate Governance Code contains a new principle stating that boards are responsible for determining the nature and extent of the significant risks they are willing to take in achieving their strategic objectives. However, the establishment of a board risk committee is optional, with the audit committee assuming risk management functions for companies that do not set up risk committees. Where there is a risk committee, noted Financial Reporting Council Stephen Haddrill, CEO of the UK Financial Reporting Council, attention needs to be paid to its relationship with the audit committee. There is a danger of overlap or of issues getting missed entirely as each considers it to be the other’s responsibility. Various ways of managing this problem have been suggested, for example, common membership, common secretariat, joint meetings. The FRS has oversight of the Corporate Governance Code.
In recent remarks, the FRC chief said that the board and audit committee should not be involved in micromanaging the risk management and internal control system, but either directly or indirectly they need to know enough to assure themselves they are working effectively. The judgments boards and committees make can only be as good as the information on which they are based. Thus, he advised board and committee need to spell out to the senior company managers much more clearly what information they require. They must also satisfy themselves that there are internal assurance systems in place ensuring that information they receive is sound and robust. In turn, the board and audit committee must effectively report these issues to company shareholders.
Not mandating a separate board risk committee in the Code was effectively a rejection of a recommendation of Sir David Walker, who reasoned that risk management is essentially a forward looking process that does not fit well with the role of the audit committee, which is looking backwards, dealing with historical information. But the FRC was persuaded that the problems often stemmed from the board having not spent sufficient time assessing the risks, which is a weakness that would not be remedied by creating another committee. Thus, the Code leaves the decision of whether to have a separate risk committee to the individual companies.