Mention “Risk Committee” or “Enterprise Risk” to upper management and you will probably get an eye roll. If you suggest a standing meeting about risk – it might get you fired. BUT – I believe the risk committee meeting can be the most valuable meeting on your calendar. Here’s how:

Why Risk Committee Meetings Are Important

Successful risk committee meetings are all about effective communication. So they have to be short, meaningful, and drive action that benefits the business. Here are a few keys to success:

1 | Focus on the most important topics impacting the organization;
2 | Teams from cross-functional areas must have an opportunity to collaborate;
3 | Leadership requires visibility into progress and barriers to key activities; and
4 | Problems should be identified and resolved quickly.

Who Should Attend the Risk Committee Meeting

Risk Committee meetings are about cross-functional collaboration in the spirit of removing barriers and making progress. For this to happen leaders or delegates from the following functional areas should be in attendance:

1 | Legal/Compliance
2 | Information Technology (i.e., Product, Operations, Information Security)
3 | Leadership from Business Functional Areas
4 | Operations
5 | Strategy (if applicable)
6 | Enterprise Risk (if applicable)

Structure of the Risk Committee Meeting

Risk Committee members are very busy so meetings should be optimally structured to maximize impact in a relatively short amount of time. To ensure a productive meeting leverage these principles:

1 | Assign a meeting coordinator to facilitate the meeting, gather and distribute information;
2 | Leverage a shared collaboration space to share data (i.e., a shared folder or dedicated application);
3 | The meeting should be limited to 45 minutes (1 hour for larger organizations);
4 | The meeting should be quarterly (there may be more frequent lower-level meetings);
5 | Leverage a standing agenda in which everyone understands their role and reporting habits;
6 | Clearly define key performance indicators (KPIs) in which each participant should provide an update;
7 | Status should be limited to on-track or off-track. If off-track clearly state what is required to “get unstuck”;
8 | Require advanced preparation from all committee members (including status from direct reports); and
9 | Status from committee members should be combined and distributed in advance.


Collecting Key Performance Indicators

Key performance indicators will be unique to each organization, but here are a few areas to consider collecting:

1 | Status of key projects focused on defined business objectives (pulling from the organization’s annual strategy);
2 | Results of internal and external audit reports;
3 | Results from enterprise risk assessments;
4 | Results of penetration tests or vulnerability assessments;
5 | Feedback from committee members or leaders of functional areas; and
6 | Periodic survey results from the management team.

Let’s Get Started

If you stick to the guidelines above – your risk committee meeting could be the most valuable meeting on your calendar. If you want to learn more about how we help organizations manage risk, let’s grab coffee.
