Compliance and Risk Management Committee for Your Board

Compliance with laws and regulations applicable to the company’s business activities and identifying and managing the risks associated with those activities are two of the fundamental duties and obligations of the board of directors.  The emergence of sustainability as a new factor for consideration in boardrooms has expanded the compliance duties to include adherence to voluntary standards that the board has committed to with respect to governance and environmental and social responsibility and broadened the definition of risks to include environmental and social issues and challenges.  While creating a separate board committee to focus on compliance and risk management is not a new phenomenon, such committees have grown in importance.  Some companies separate compliance and risk management into two different committees and companies may also place board-level groups assigned to compliance and/or risk management as subcommittees of another standing committee of the board, such as the audit committee.
In a December 2016 report on how board committees among S&P 500 companies had evolved to address new challenges, the EY Center for Board Matters reported that compliance committees among those companies were typically responsible for oversight of programs and performance relating to legal and regulatory risks and the implementation and maintenance of the company’s code of conduct and related matters.  Specific areas of focus for this committee included the environment, health and safety and technology.  The functions of a compliance committee might overlap with the risk, public policy and sustainability committees.  Sectors most likely to have a compliance committee included health care, energy and financial.
With respect to risk management committees, the preparers of the EY report found that these committees generally were responsible for making recommendations for the articulation and establishment of the company’s overall risk tolerance and risk appetite; overseeing enterprise-wide risk management to identify, assess and address major risks facing the company, which may include credit, operational, compliance/regulatory, interest, liquidity, investment, funding, market, strategic, reputational, emerging and other risks; and reviewing and discussing management’s assessment of the company’s enterprise-wide risk profile.  The functions of a risk management committee might overlap with the finance and compliance committees.  Sectors most likely to have a risk committee included financial services (almost 75% of the companies in that sector had a risk committee), industrials, utilities, consumer discretionary, information technology and consumer staples.
The charter for a board-level compliance and risk management committee should include a statement of purpose that addresses both compliance and risk management, recognizing that the two areas overlap substantially.  From a compliance perspective, the purpose of the committee can be stated to include oversight of the company’s implementation of compliance programs, policies and procedures, including the company’s code of conduct, that are designed to respond to the various compliance and regulatory risks facing the company; and assisting the board of directors and the other committees of the board, notably the audit and governance committees, in fulfilling their oversight responsibilities for the company’s compliance and ethics programs, policies and procedures.  When defining compliance, the focus should not only be on relevant laws and regulations but also any voluntary standards that the board has agreed should be adhered to with respect to the day-to-day conduct of the company’s operations and other activities.  A Global Compact publication recommended that the purpose statement of a risk management committee should include ensuring that the risks and opportunities arising from current and emerging corporate sustainability trends are included and addressed in the company’s Enterprise Risk Management program and that the board is informed of material issues relating to current and emerging economic, social and environmental trends.
 While the name of the committee may imply that compliance and risk management should be considered side-by-side, many companies view the primary focus of the committee to be risk management and that compliance risks are just one of many risks that identified and evaluated along with other operational and business risks.  Given the potential scope of any company’s operational, business and compliance risks, it is important for the board to thoughtfully allocate primary responsibilities for certain types of risks among the board’s various committees to ensure that the appropriate focus and expertise is applied to those risks.  For example, in the charter of its risk and compliance committee the board of directors of Target made it clear that the entire board would retain oversight responsibility over the company’s key strategic risks, as well as the company’s reputation and corporate social responsibility (“CSR”) efforts (which could also have been assigned to a separate board-level committee formed to oversee CSR), and oversight responsibility for certain other risk areas were assigned to other committees of the board (i.e., the audit and finance committee would handle financial reporting, internal controls and financial risks; the infrastructure and investment committee would handle risks related to the company’s capital expenditures, major expense commitments and infrastructure needs; the human resources and compensation committee would handle compensation incentive-related risks, organizational talent and culture, and management succession risks; and the nominating and governance committee would handle governance structuring, board succession and public policy engagement risks).
It is common practice to break out the description of the scope of duties and responsibilities in the committee charter into compliance and risk management.  With respect to compliance matters, the compliance and risk management committee should be charged with overseeing the company’s activities in the area of compliance that may impact the company’s business operations or public image, in light of applicable government and industry standards, as well as legal and business trends and public policy issues.  The mandate of the committee can be quite extensive, especially for companies operating in highly regulated industries and markets, and generally includes establishing, in conjunction with the senior management of the company, programs regarding operational and legal compliance and sound business ethics for the company; overseeing the company’s relationships with its principal regulatory authorities; reviewing matters relating to the education, training and communications to ensure the company’s compliance and ethics policies and procedures are properly disseminated, understood and followed; and monitoring and reviewing the company’s activities to ensure that legal requirements and high standards of business and personal ethics are communicated within the company and are being met by the company, its officers and employees and the company’s business partners.
As for risk management, Deloitte suggested that the committee should be concerned with overseeing the company’s risk exposures and risk management infrastructure; addressing risk and strategy simultaneously, including consideration of risk appetite, and advising the entire board on risk management strategy; monitoring risks; and overseeing and supporting the efforts of the CRO, the company’s management risk committee and other groups within the organization formed to monitor risks and implement risk programs.  Deloitte noted that it was important to determine how the risk committee will stay informed on developments in risks so it can evolve in its response to them and suggested that such committees develop procedures to ensure that members stay abreast of leading practices as risks evolve and understand the new risks associated with new businesses and locations and how changes in regulations increase or decrease risk.  The committee should also benchmark risk governance practices of peers, remain current on risk-related disclosure requirements and conduct annual evaluations of committee performance.
Among the items in a comprehensive list of duties and responsibilities with respect to risk management included in the committee charter of Brierty were the following:

• Maintaining an up-to-date understanding of areas where the company is, or may be, exposed to risk and compliance issues and seek to ensure that management are effectively managing those issues;
• Providing input to the board and senior management regarding the company’s risk profile and tolerance,
• Assessing and monitoring appropriate risk management and internal control systems to ensure that risk is managed at levels determined to be acceptable by the board;
• Reviewing the adequacy and effectiveness of the company’s policies and procedures which relate to governance, risk management and compliance and updating these policies and procedures where required;
• Making recommendations to the board on the appropriate risk and risk management reporting requirements to the board and the committee;
• Providing advice to the board and the CEO on relevant corporate level performance indicators and targets for risk management and compliance activities;
• Undertaking an annual review of risk management policy and underlying strategies and procedures to ensure its continued application and relevance;
• If considered necessary by the committee, establishing a periodic and independent review of the implementation and effectiveness of the risk management policy to provide objective feedback to the board as to its effectiveness;
• Receiving and considering reports on risk management and compliance programs and performance against policy and strategic targets;
• Providing the board with advice and recommendations regarding the appropriate material and disclosures to be included in the section of the company’s annual report which relates to the company’s risk management and compliance policies;
• Ensuring that the board, before it approves the company’s financial statements for any financial period, is provided with declarations from the CEO and the CFO that in their opinion, the financial records of the company have been properly maintained and that the financial statements comply with the appropriate accounting standards and give a true and fair view of the financial position and performance of the company and that this opinion has been formed on the basis of a sound system of risk management and internal control which is operating effectively;
• Reviewing the adequacy of the company’s insurance coverage; and
• Ensuring that management has embedded an appropriate risk management culture in the organization and that risk management is an integral part of the company’s decision-making process.

Sources for this article included The Essential Role of the Corporate Secretary to Enhance Board Sustainability Oversight: A Best Practices Guide (United Nations Global Compact, September 2016).
This article is adapted from material in Sustainability and Corporate Governance: A Handbook for Sustainable Entrepreneurs, which is prepared and distributed by the Sustainable Entrepreneurship Project and can be downloaded here.
Alan Gutterman is the Founding Director of the Sustainable Entrepreneurship Project, which engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the aspiration to create sustainable enterprises that achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business.  Visit the Project’s Library of Resources for Sustainable Entrepreneurs to download handbooks, guides, articles and other materials relating to sustainable entrepreneurship and keep up with the Project’s activities by following Alan on LinkedIn, Twitter and Facebook.