Why the strategic risk management committee is important

By Paul Caputo | November 22, 2019

A strategic risk management committee is important because it manages risks that can significantly impact a company’s ability to achieve its strategies and business objectives.

About our 'A Year in the Life of the Strategic CRO' series

In our ongoing A Year in the Life of the Strategic CRO series, risk experts from our Insurance Consulting and Technology team, Willis Re and other parts of Willis Towers Watson cover how a strategically focused CRO can drive corporate strategy through the enterprise risk management planning process and throughout the year.

When I first read the term "strategic" associated with risk management and chief risk officers (CROs) my initial reaction was, "So what? Isn't this obvious and aren't most companies doing this already, even if implicitly?" Unfortunately, this was a naïve perspective and I didn't really consider the complexity, structure, culture and employee specialization characteristic of large corporations. The global financial crisis then highlighted that enterprise risk management was not "strategic" for a number of companies.

Anecdotally, I expect that successful companies in their initial phase of establishment are good at integrating and implementing strategic risk management within the business. It is likely, however, that strategic risk management is not necessarily formalized but rather ingrained within the entrepreneur or executive manager driving the business. As companies grow, they are prone to losing some of this innate link of strategy and risk management. The challenge for many growing companies is to ensure they maintain this link.

To be strategic or not strategic? That is the question!

Within the overall enterprise risk management (ERM) process, many companies have established management risk committees (MRCs). Typically, these MRCs bring together a cross-disciplinary group of people to take a company-wide view of risks and to promote risk awareness and risk management practices in the company. The structure and constituents of MRCs vary widely between organizations — the key is that it needs to work for the organization and take into consideration the complexity of the business, the broader ERM processes and the company structure.

So, what defines a strategic risk management committee (SRMC)? Strategic risks are those risks which can significantly impact a company's ability to achieve its strategies and business objectives. These are the risks that ultimately impact shareholder value or the ongoing viability of the company. A SRMC, therefore, has the purview to identify, assess and manage the risks to the company's business strategy, including taking appropriate action when risk is actually realized.

What supports an effective strategic risk management committee?

There is no simple answer to what is an appropriate structure, size and process for a SRMC to be effective. We have observed different structures working well in different organizations — ranging from a single SRMC with members from senior management to a range of sub-committees for each key risk category to multiple SRMCs targeting different levels of management, business lines and geographic locations.

Key attributes of an effective SRMC:

  • All major areas of the company should be represented on the committee ensuring the inter-relationship amongst risks is identified, and company-wide coordinated mitigation plans developed.
  • Committee members need to be advocates of risk management within the company and accept that risk is not necessarily a negative for the organization, but rather certain risks can be embraced by the company as a business opportunity.
  • Committee meetings should be an open forum where information is shared, risks are openly discussed, and concerns raised over mitigation plans.
  • Committee member engagement must be maintained. This can be challenging but should include making the meetings directional and not overly prescriptive, focusing on the most significant risks facing the company, keeping the information provided as current as possible and ensuring the continued support from senior executives and the Board.
  • Key risk information must be communicated both informally and formally throughout the company.
  • The committee needs to be aligned with the strategy and business objective of the company.

The above attributes can be challenging for some companies, particularly where the risk function is treated as an island and risk management is perceived as a compliance requirement.

Some of the key drivers for a successful SRMC include the following:

Strong risk culture

A lot has been written, debated and in some instances regulated about having an appropriate risk culture. I don't intend to go into what constitutes a strong risk culture and how to develop and measure it, as this topic deserves a separate article (or two) given its broader importance to risk management. We recently posted an article, The challenge of creating an effective risk culture, which is worth a read.

If you don't have a risk culture that fosters identifying and discussing risk, reviewing and learning from breaches, and deriving opportunities from potential risks, then it is unlikely that a company will be able to develop an effective strategic risk management committee.

An interesting issue that has emerged during the recent regulatory review of financial services in Australia is the misalignment between individuals and the organization. In summary, this is effectively the self-interest of employees, whereby individual compensation and future promotions are adversely impacted by the identification of breaches in risk or identifying new risk impacting the business. This has resulted in individuals being hesitant to raise risk issues within the organization and — in extreme cases — to simply do nothing. Whilst compensation is part of the issue, it does raise a bigger challenge around job security and how individuals are promoted.

Let's consider three possibilities for risk culture within a company:

  • (A) Risk culture is strong and already supports strategic and tactical applications of risk management
  • (B) Risk culture is strong and supports tactical applications of risk management but not strategic
  • (C) Risk culture is weak or does not support risk management

If a company has a risk culture as defined by (B), above, then it is possible for the MRC to drive the risk culture to support strategic applications. This can be achieved by how the CRO facilitates the SRMC and interacts with senior executives and the board.

A recent discussion with a CRO highlighted how they had moved the MRC to be more strategically focused. Initially the MRC was very tactically focused: at each meeting a report was provided with a long list of risks and mitigation actions/controls. The meeting effectively endorsed the report. The CRO changed the format of the meetings — streamlined the report to key risks and then added emerging risk issues to be discussed at the meeting. Over time the meeting priorities changed such that the discussion of the risk issues (i.e. strategic risks) dominated the committee meetings.

If a company has a weak risk culture (i.e. (C) above) it is extremely difficult for the MRC to have a significant impact. This requires greater change in the organization and must be driven from the top (senior executives and the board).

CRO and senior risk professionals

The CRO and senior risk professionals should have a mix of commercial and risk experience and expertise. The commercial experience assists in the facilitation of discussions and identification of the strategic risks facing the company but also aids in establishing credibility of the risk function within the business functions.

Facilitation of the SRMC

For a newly established SRMC, there can be a tendency for members to view the committee as a "rubber stamp." The committee chair or CRO can influence how the committee operates and ultimately its effectiveness. The CRO should use the SRMC to solve risk problems by ensuring that the committee focuses on key risks with a good mix of quantitative and qualitative and devotes sufficient meeting time to discussion of these risks rather than reviewing a prepared list.

Support of senior executives and the board

It is paramount that senior executives and the board support and trust the SRMC, and they should actively seek advice from it, particularly in relation to the risks associated with achieving the company's business strategy.

A SRMC is an effective tool in a company's risk arsenal. Whilst it may be considered a point of differentiation currently, it is quickly becoming a hygiene requirement by regulators, rating agencies, shareholders and customers.


Paul Caputo
Head of Insurance Consulting & Technology for Willis Towers Watson in Australia and New Zealand

Paul has extensive experience across financial services holding senior executive positions in several companies in Australia and Asia including seven years as the CRO for a large insurer.
