Where should risk management be discussed? Full board or a committee of the board?

My good friend, Alexei Sidorenko, recently shared what he considers one of his “controversial thoughts about modern day risk management in non-financial companies”. I recommend his RISK-ACADEMY blog and YouTube channel.

He wrote Why Board Audit Committee is the worst place for risk management and having a separate Board Risk Committee is even worse.

I agree with him to a degree and add that internal audit should report to both the audit committee and any risk committee. Where appropriate, it should attend full board meetings where information from an audit and its effect on enterprise objectives is being discussed.

Here are some key points:

• Over the last 10 years it became almost dogmatic that risk management effectiveness has to be disclosed at the Board level. It seems to be equally accepted that full Board is responsible for risk management oversight, who, however can and often do, delegate this oversight responsibility to the Audit Committee. This is in fact so common, that many organisations have expanded the Audit Committee mandate to include risk management and renamed them Audit and Risk…