A separate and mandatory board risk committee is a good corporate governance practice, said commenters on a European Commission proposal, but the requirement for a risk committee should be proportionate and care should be taken to avoid diluting the responsibilities of the whole board for risk oversight. The commenters also saw cross-membership in the audit and risk committees as a best practice. The comments were to a Commission green paper seeking significant changes in EU corporate governance against the backdrop of broader regulatory and legislative reforms to deal with issues from the financial crisis.
However, there was strong opposition to the suggestion that risk committee chairs should report directly to the annual meeting of shareholders. The commenters felt that the board as a whole is accountable to shareholders and that the board, not an individual director, should report to the annual general meeting. However, there was general agreement that the chairman of the risk committee should be available to answer questions and file a report that could be part of the annual report.
There was unanimous support for the idea that the board should approve the risk profile and strategy and be responsible for the oversight of the implementation of risk strategy by executive management.
There was some support for requiring the company to provide a non-boilerplate risk statement informing shareholders on risk exposures, risk strategy and risk tolerance in order to help investors form a comprehensive view of the firm’s risk appetite. But French, German and UK respondents indicated that their national legislation or corporate governance codes already require extensive risk disclosures.
The majority of commenters considered unnecessary a mandatory duty on the board to inform regulators of any material risks of which it is aware. In their view, existing European and national legislation already requires a high degree of communication between regulators and boards or the executive management, which would cover information about material risks. However, some investors, audit firms and law firms, as well as certain public authorities, were in favor of introducing a more specific obligation.
There was unanimous agreement that the company should have a chief risk officer with high status and authority and independence from operational and business units. But the code should leave the exact hierarchical status of the chief risk officer to each firm to decide, taking into account the principle of proportionality. The view is that the chief risk officer should be a member of the board of directors or of the executive board and report directly to the board or to the risk committee. In addition, the risk officer’s remuneration and tenure should be subject to the board's approval.
There was also unanimous agreement that the board needs to receive timely and accurate information on risk. In this regard, the chief risk officer could either have a duty to report directly to the board or to the risk committee on a regular basis or should be able to do so if needed. In addition, the position of chief risk officer could be strengthened by the officer periodically attending board meetings or meetings of the risk committee. However, some respondents from jurisdictions with mandatory two-tier boards indicated that in their system only the management board has the competence to report directly to the supervisory board, not the chief risk officer, who can report to the management board only.
Some institutional investors indicated that shareholders were not sufficiently informed about risk issues and suggested that communication on risk matters should also be improved towards shareholders.