The evolution of audit committee risk management
A volatile economic and geopolitical environment has led to new and evolving risks that require more time and resources to manage. Along with this, recent reports highlight the changing role of the audit committee and underscore the need for committees to review their risk management approach.
- More audit committees are taking on cybersecurity: 54% of S&P 500 companies disclosed that their audit committees are responsible for cybersecurity risk oversight in 2022, up from just 11% in 2016.2
- A growing number of audit committees now share or lead oversight responsibilities for ESG and enterprise risk management (ERM) activities.3
- Business leaders perceive that the volume and complexity of risks are close to the highest they’ve been in 13 years. More than half of public companies do not believe their risk management processes are “robust or mature,” according to a recent study, and their boards are calling for more effective risk management.4
While day-to-day risk mitigation falls to company management, board oversight is critical. But overburdened audit committees might struggle to give risks other than those related to financial reporting and compliance the attention they require. Lack of accountability and inadequate oversight processes can spell disaster in the form of a data breach, employee fraud, supply chain disruption, or many other risks.
Considering these potential risks, should audit committees modify their approach to risk management oversight? Three self-assessment steps can help audit committees answer these questions.
Step 1: Review risk oversight processes and priorities
The audit committee cannot oversee risk without a strong understanding of its company’s unique risk profile.
- Committee members should refresh their understanding of priority risks, the company’s risk appetite, and management’s approach to and philosophy on risk.
- Next, the committee should review processes for how the board receives risk updates from management and how risk oversight is covered on the board agenda.
- Finally, committee members should understand how various risks are interconnected and how the board can track and identify these connections. For example, cybersecurity or operational risks can compound financial reporting and compliance risks.
Step 2: Assess bandwidth and structure for effective audit committee risk management
Audit committees should review a detailed list of their responsibilities and how they are prioritized.
- For various risk-related duties, how much oversight and attention are required?
- Does the audit committee have the resources and expertise to manage these risks?
- Do the committee structure and overall board structure help or hinder oversight?
- How well do various board committees communicate with one another on risk issues?
This type of thoughtful and honest self-assessment can take time. Some boards might wish to consider assessment by a third-party consultant to identify weaknesses and opportunities.
Step 3: Explore options to more effectively allocate risk across the board
How do effective audit committees juggle core responsibilities with risk oversight? Board members can tap their professional networks or consult with their external auditor to learn alternative approaches and best practices.
Adjustments to audit committee risk management practices might include:
- Creating a separate, dedicated risk committee or subcommittee – a practice that is already required for financial institutions with more than $50 billion in assets
- Increasing education and training to help committee members better understand and manage risks
- Offloading finite tasks and projects to consultants
- Allocating more time on the board agenda to discuss risk topics or mandating more frequent and in-depth updates from management
- More formally separating risk oversight tasks and discussions from assurance and financial reporting tasks, because they require different mindsets and processes
Pros and cons of separate risk and audit committees
Establishing a dedicated risk committee is a frequently explored option. However, while risk committees might provide enhanced oversight, they aren’t necessarily the right answer for every company.
Pros of a dedicated risk committee
|
Cons of a dedicated risk committee
|
- Dedicates more time and attention to risk oversight in a way that busy audit committees cannot
- Acts as a central clearinghouse to coordinate risk oversight activities and discussions happening across the board
- Consolidates board members with expertise in risk management
- Strengthens ongoing, active review of priority risks
|
- Adds costs and increases time commitments
- Creates more bureaucracy and potential duplication of effort by the board
- Siloes risk management and strategy discussions from the larger board
- Becomes unnecessary if the audit committee already provides effective risk oversight
|
No one-size-fits-all approach for audit committees
Audit committees can follow these guidelines and explore questions with the understanding that the outcomes might vary significantly. Risk oversight practices that work for one organization might not work for another. Committees must choose the approach that makes the most sense for their needs and circumstances.