Risk Management and Compliance Committee
1) Appointment and mandate
The Risk Management and Compliance Committee (hereinafter the Committee) is a collegial body that:
- builds and maintains the Risk Appetite and compliance principles;
- approves key policies/standards and their changes;
- oversees key risks (operational, regulatory, information security/privacy, financial, third parties);
- establishes compliance metrics and SLOs/SLAs and monitors their achievement;
- resolves escalations and conflicting priorities;
- maintains an audit-ready state (evidence base, decision minutes).
2) Composition and independence
Required members (voting):
- Compliance Lead/DPO (co-chair)
- CISO/Head of Security (co-chair)
- Head of Legal
- Head of Risk/Enterprise Risk
- CFO/Finance (for impact assessment)
- Business/Product Representative (VP/Director)
- Platform/Infrastructure Manager or CTO delegate
- Internal Audit (observer)
- HR/L&D (training/assessments)
- Procurement/Vendor Management (third parties)
- Data/Platform (DWH/Lineage/CCM)
Principles of independence: no conflicts of interest, documented recusals, and a formally defined (non-voting) role for observers.
3) Committee RACI
(R — Responsible; A — Accountable; C — Consulted; I — Informed)
4) Regulation and frequency
Normal mode: once a month (90 minutes), plus a weekly express KPI/KRI review (15 minutes).
Crisis mode (incident/regulator): meetings every 24-48 hours until stabilization.
Quorum: at least 2/3 of the voting members, including one co-chair.
Decisions: simple majority; for high-risk matters, a 2/3 majority and a co-chair veto right (to be set out in the charter).
5) Incoming artifacts (inputs)
Risk Register and Heatmap (updated KRIs).
Compliance KPIs/SLOs: DSAR SLA, Access Hygiene, Drift, Evidence Coverage, etc.
Policy change log (Major/Minor/Emergency).
Waiver register with expiry dates and compensating controls.
Incidents & Findings: Sev1/Sev2, recurrence, remediation status.
Vendor Risk: critical providers, SLA/certificate violations.
Audits/assessments: statuses, open findings, "audit-ready by button" status.
6) Outgoing artifacts (outputs)
Decision minutes with owner, due date, severity and expected risk effect.
Updated Risk Appetite Statement and priorities.
Approved/rejected policies and waivers, with conditions.
Escalation letters/decisions for the Board/CEO on high-risk matters.
Communication one-pagers and tasks for teams (tickets in ITSM/GRC).
7) Typical agenda (60-90 minutes)
1. Summary of KPIs/KRIs and deviations (10 min).
2. Incidents/Sev1 updates and lessons learned (15 min).
3. Policies: Major changes, conflicting interpretations, localizations (15 min).
4. Third parties: SLA/certificate violations, sub-processors (10 min).
5. Waivers: extend/close, red zones (10 min).
6. Audits/assessments: readiness status and "audit pack" (10 min).
7. Decisions and task allocation (10 min).
8) Decision making and escalation procedures
Decision card (template): context → options → impact on risk/cost → recommendation → vote.
Escalation: if risk > Appetite or overdue remediation > SLA, escalate to Executive/Board.
Review: post-hoc assessment of the decision's effect after 30-60 days (impact review).
9) Integrations and end-to-end flows
RBA: findings → Committee agenda → owner/due date → closure control.
CCM (continuous monitoring): alerts/metrics → rule/threshold prioritization.
Policy Lifecycle/Change Mgmt: Major edits → updates, communication, training.
Vendor DD/Outsourcing: scoring model and gap lists → contract terms/SLA.
Incident Mgmt: SOAR/PR/Legal playbooks → reports and lessons.
10) Committee Performance Metrics
On-time Remediation: % of Committee tasks closed on time (by severity).
Decision Lead Time: median time from raising an issue to its resolution.
Waiver Hygiene: % of exceptions with a current expiry date (target: 100%).
Repeat Findings: share of recurring findings within 12 months (target: ↓).
Audit Readiness Time: hours to a complete "audit pack".
Risk Reduction Index: Δ in the total risk level QoQ.
Communication SLA: % of roles notified on time of Major decisions.
11) Committee Charter (template)
Purpose: risk and compliance oversight; protecting the interests of the company and customers.
Scope: all jurisdictions/business lines/IT systems/third parties.
Authority: approval of policies/exceptions; requesting data/audits; escalation to the Board.
Composition and quorum: (see § 2 and § 4).
Conflicts of interest: declarations, recusals, register.
Minutes: standard for full minutes (agenda, decisions, votes, owner, due date, links to evidence).
Revision of the charter: annually or at the request of the Board.
12) Document templates
12.1 Decision Card
Topic/Context/Regulations/Risks
Options and valuation (cost, timing, impact on SLA/KRI)
Recommendation and post-decision risk level
Performance owner and due date
Voting result (for/against/abstained)
12.2 Minutes of the meeting
Date/quorum/participants
Agenda
Discussion (brief, item by item)
Decisions (owner, due date, success metric)
Open issues/escalations
Attachments (dashboards, reports, links to WORM archive)
12.3 Risk Appetite Matrix (example)
13) Committee dashboards (minimum)
Risk Heatmap: probability × impact × residual risk.
Compliance KPI Center: DSAR, Access Hygiene, Drift, Evidence Coverage.
Incidents & Findings: Sev1/Sev2, MTTR, repeatability.
Policy Changes: Major/Minor/Emergency pipeline and training status.
Vendor Risks: certificates, SLAs, sub-processors, incidents.
Waivers & Deadlines: active/expired, escalations.
Audit Readiness: % "audit pack" readiness by audit/certification.
14) Committee Year Calendar
Monthly: regular agenda (§ 7).
Quarterly: Risk Appetite revision, KPI/KRI trends, findings total.
Semi-annual: revision of key policies and the waiver portfolio.
Annual: Committee Charter, Audit/Certification Plan, Lessons Learned.
15) Crisis mode (Sev1/Regulatory)
Immediate convocation; battle-rhythm updates (e.g. every 4 hours).
Unified Communication (Legal/PR), Legal Hold control.
Decisions on access restriction, disabling integrations, and data isolation.
Separate incident protocol and post-mortem with actions.
16) Antipatterns
Committee as a "mailbox" without authority and deadlines.
Lack of minutes and evidence, leading to disputes during audit.
Perpetual waivers with no expiry date and no compensating controls.
Undecidable agendas: no decision cards, no options, no effect estimates.
KPIs without owners and a link to Risk Appetite.
Conflicts of interest without managed recusals.
17) Committee maturity model (M0-M4)
M0 Ad hoc: rare meetings, no metrics or minutes.
M1 Formalized: charter, quorum, basic minutes, monthly meetings.
M2 Managed: KPI/KRI dashboards, decision cards, waiver control.
M3 Integrated: linked with CCM/RBA/Policy-as-Code, "audit-ready by button."
M4 Assured: predictive KRIs, automatic escalation, regular impact reviews of decisions.
18) Related wiki articles
Risk-Based Audit (RBA)
Continuous Compliance Monitoring (CCM)
KPIs and compliance metrics
Compliance Policy Change Management
Policies and Procedures Lifecycle
Due Diligence and Outsourcing Risks
Legal Hold and Data Freeze
Summary
A strong Committee is not a "meeting," but a risk management mechanism: a clear mandate, independence and quorum, data in dashboards, decisions with owners and deadlines, enforcement and evidence base. Compliance then becomes a predictable pillar of strategy rather than a drag on business.