Article 74(2) of Directive 2013/36/EU (CRD) establishes that an institution's governance arrangements "shall be comprehensive and proportionate to the nature, scale and complexity of the risk inherent in the business model and the institution's activities", taking into account the technical criteria in Articles 76 to 95 of the CRD. Therefore, an institution, while not deemed 'significant', may be deemed to have sufficient risks relative to its nature, scale and complexity to require the establishment of a risk committee, while smaller and less complex institutions are not required to establish such a committee under proportionality considerations.
Where the first paragraph of Article 76(3) of the CRD does not apply, but a risk committee is required to be established on the basis of proportionality under Article 74(2), the fourth subparagraph of Article 76(3) may then apply. This enables competent authorities to allow a non-significant institution to combine its audit committee, referred to in Article 41 of Directive 2006/43/EC, with this risk committee. This is subject to the members of the joint committee having the knowledge, skills and experience required of both competences. Competent authorities may allow the establishment of a joint risk/audit committee following individual or peer assessments, or make their establishment available to defined categories of institutions with a similar risk profile and degree of complexity. This should be done on the basis of objective criteria.
For the smallest or least complex non-significant institutions, it is likely that neither a dedicated risk committee nor a joint risk/audit committee will be required.
While there is no definition of 'significant' in Regulation (EU) No. 575/2013 (CRR), Directive 2013/36/EU (CRD), or in existing EBA Guidelines, the EBA Guidelines on Internal Governance state, under point 14.6 and in particular 14.12, that institutions should establish a risk committee subject to the proportionality principle. Pending the development of guidelines setting out the definition of 'significant' in this context, Member States should apply their own criteria in making this determination.
Regardless of the establishment of a dedicated risk committee, a joint risk and audit committee, or neither of these, the management body shall, pursuant to the second subparagraph of Article 76(3) of the CRD, always retain ultimate responsibility for risk management within the institution.