May 15, 2026
Hi Everyone,
At some point, someone will suggest your company needs a risk committee.
The Conference Board's 2025 data on US public companies tells a different story. Nearly half run with just three committees, and standalone risk committees are rare outside financial services.
We're sharing four alternatives that cover the same ground with less overhead.
Most companies with fewer than 500 employees should skip it
Brad Feld and Matt Blumberg wrote about this in Startup Boards. Most growing companies don't need board committees beyond the legal basics.
The reason is practical. A risk committee needs at least two to four members with real expertise, a charter, standing agenda items, and quarterly meetings. At a company with 80 or 200 employees, those people are already in the room during your exec team meetings and your regular board meetings. A separate committee creates a second conversation about the same risks, with the same people, on a different calendar.
Even among the largest public companies in the US, dedicated risk committees remain the exception outside of banking and insurance.
Four alternatives that work better at this stage
If you're running a company with 20 to 500 employees, these four options cover the same ground with far less overhead.
A spreadsheet that tracks your biggest risks: List every major risk, who owns it, how severe it is, what you're doing about it, and where it stands. Update it once a quarter during your exec team review. If enterprise customers ever ask how you manage risk and security, this spreadsheet is usually all you need to show them. Tools like Drata or Vanta can automate the tracking.
To make this easier, we built a ready-to-use risk tracker spreadsheet. Replace the examples with your own risks and review it with your team once a quarter. Download it here.
Risk as a standing item in your existing meetings: Travis May, founder of Datavant, built a monthly "at-risk review" into his exec meetings once the company passed $20M in revenue. The team reviewed a list of accounts and projects at risk of failure. If something went wrong that wasn't already on the list, the team knew they had missed something in how they shared information.
Annual top 10 risks at the full board: Pick one board meeting per year, usually the budget meeting, and dedicate 45 minutes to reviewing your ten biggest risks. Each risk gets an owner and a status. This gives your board real visibility without a standing committee.
A small security working group, when enterprise customers ask for it: Some larger customers will require proof that you manage data securely before they sign. When that happens, put your CTO, CFO, and head of legal in a room once a quarter to review your security practices and keep the documentation current.
When you actually do need a committee
The answer changes based on what your investors or customers need from you:
Your first enterprise customer asks you to prove your data is secure: That's when the small security working group earns its place. This can happen early, sometimes when you still have fewer than 100 employees.
Your board grows beyond five members: Deciding the CEO's pay informally stops working as more people are in the room. A small compensation committee fixes that.
You need your first formal financial audit: That's when you add an audit committee with at least one board member who understands financial reporting well enough to challenge it.
You're preparing to go public: Add a committee for board composition and governance, set up internal auditing, and make sure most of your board members are independent from the company.
Even at 2,000 employees, the standard setup is still just those three board committees plus the security working group. A standalone risk committee remains unusual outside banking and insurance.
Try this today
If someone has suggested adding a risk committee, ask them to name the specific decisions it would make that aren't already happening in your exec meetings or board meetings.
No specific decision? Save everyone the calendar invite.
Go deeper
👉 McKinsey: How public-company boards can thrive by adopting private equity practices – the 2024 global board survey showing why smaller, more focused governance structures outperform
👉 Harvard Law School Forum: Board Practices and Composition in the Russell 3000 and S&P 500 – 2025 benchmarks on how many committees companies actually run, board size by industry, and where risk oversight sits in practice
👉 First Round Review: Focus on Your First 10 Systems, Not Just Your First 10 Hires – a Chief of Staff playbook for building operating systems at scaling companies, including governance
👉 PwC: 2025 Annual Corporate Directors Survey – the full survey on what directors want changed and why board composition frustrates them
Coming up on Monday
On Monday, we'll cover how to run a weekly business review that keeps your whole company aligned in 60 minutes or less.
Have a great weekend!
P.S. What's the best business book you've read this year? We're building a summer reading list and want your picks.