A risk committee is an important part of risk governance across the organization. But what is it and what does it do?
At the corporate level, the risk committee is there to assist the board with strategic risk management at an organizational level. For many companies, risk is one of the responsibilities of the audit committee.
However, there is also a role for a project risk committee as part of your governance for how strategic change is delivered. In many organizations, this falls under the remit of the PMO. As your project risk management approaches mature, they align with any corporate governance and risk responsibilities at the organizational level so the whole business has a holistic view of risk.
A project risk management committee serves several functions:
- It reviews risk assessments
- It manages overall risk exposure throughout the portfolio
- It sets levels for appropriate risk exposure
Ultimately, it provides risk oversight responsibilities for the sum total of all business change happening in the organization at any given time.
How does a risk committee work?
Typically, the project governance structure or PMO will define the responsibilities of the risk committee in a charter or terms of reference. That sets out exactly what the group is expected to do and the parameters in which they will operate. If there are links to corporate governance frameworks, those should be documented too.
The group meets regularly to review the portfolio’s risk exposure and ensure they are comfortable with the level of risk and planned management activities. They may make recommendations to other project governance teams like the group responsible for approving new projects. For example, if the portfolio already meets the level of risk appetite agreed by the organization, then they may recommend that no more high-risk projects are started until some projects finish.
Managing project risk across the portfolio is a balancing act and the committee’s role is to make sure that balance is always in favor of the organization.
Who sits on a risk management committee?
There are no hard and fast rules about who should be present on the risk management committee. In our experience, we typically see senior project delivery professionals like the PMO Director or Portfolio Manager as well as senior managers from other parts of the business. You could expect to see representatives from the following business areas:
- Corporate risk
- Internal audit
- Quality management
- Project management
Others are included as required to provide a breadth of experience and knowledge to the process. Sometimes it is appropriate to have input from customer groups or suppliers, but these individuals would rarely be invited to the committee meetings. Instead, individual projects or programs would solicit their input and feed it up to the committee in response to whatever question the group was investigating.
Risk management procedures
The committee may also create and approve risk management procedures for how projects need to deal with risk. The procedures are then used by project and program managers to ensure risk processes are adequately put into place.
Ideally, risk management should be used early in the project lifecycle, even before the idea becomes a ‘real’ project. The procedures should allow for this. You want to apply risk assessments at the point of discussing whether the investment is worthwhile because it’s better to know what you are letting the business in for early in the process instead of once the work is underway.
The protocols for dealing with risk evolve over time, and the committee should be the guardian of those practices. As risk maturity improves, the processes develop too, and the group reviews and approves new ways of working.
Identifying emerging risk
The value in a group looking at portfolio level risk is that they often have access to data that individual project managers do not. As data is aggregated and consolidated, you can more easily spot trends. The combined impact of several risks may well be larger than the individual impact at project level. While project managers do talk to each other, they may not be in a position to see the impact that their projects have jointly on the organizational risk profile. The committee sees the big picture and can act accordingly.
This also gives the group the opportunity to spot emerging risk – things that aren’t yet a problem across the portfolio but that might be in the future. They warrant closer analysis to ensure they are adequately managed.
In order to do this, they need access to real-time, relevant risk information. Normally this risk reporting will be taken directly from your project management software tools so that it presents the most up-to-date position.
Raising awareness of risk
Another function of the risk committee is simply to raise awareness of risk management across the project delivery community. They could support the PMO in providing training, or lobby for a budget for advanced risk management tools or external support like maturity assessments.
Let’s be honest: risk management isn’t the most glamorous of business topics and while we’d love it to be fully embedded in the framework of how all companies operate, we are the first to say not all businesses are there yet. Keeping awareness high means risk stays on the agenda, is covered in employee inductions and is taken seriously across all departments. That’s the best way to build a culture of risk awareness to fully manage the exposure that naturally comes from delivering projects.
If you don’t yet have a risk management committee operating to review portfolio level risk across the business, perhaps it’s time to consider the value one could add. We can help. A risk management checkup will give you confidence in how well your existing processes are working and help you identify next steps.