Should audit committees rethink risk management?

The evolution of audit committee risk management

A volatile economic and geopolitical environment has led to new and evolving risks that require more time and resources to manage. Along with this, recent reports highlight the changing role of the audit committee and underscore the need for committees to review their risk management approach.

• More audit committees are taking on cybersecurity: 54% of S&P 500 companies disclosed that their audit committees are responsible for cybersecurity risk oversight in 2022, up from just 11% in 2016.²
• A growing number of audit committees now share or lead oversight responsibilities for ESG and enterprise risk management (ERM) activities.³
• Business leaders perceive that the volume and complexity of risks are close to the highest they’ve been in 13 years. More than half of public companies do not believe their risk management processes are “robust or mature,” according to a recent study, and their boards are calling for more effective risk management.⁴

While day-to-day risk mitigation falls to company management, board oversight is critical. But overburdened audit committees might struggle to give risks other than those related to financial reporting and compliance the attention they require. Lack of accountability and inadequate oversight processes can spell disaster in the form of a data breach, employee fraud, supply chain disruption, or many other risks.

Considering these potential risks, should audit committees modify their approach to risk management oversight? Three self-assessment steps can help audit committees answer these questions.

Step 1: Review risk oversight processes and priorities

The audit committee cannot oversee risk without a strong understanding of its company’s unique risk profile.

• Committee members should refresh their understanding of priority risks, the company’s risk appetite, and management’s approach to and philosophy on risk.
• Next, the committee should review processes for how the board receives risk updates from management and how risk oversight is covered on the board agenda.
• Finally, committee members should understand how various risks are interconnected and how the board can track and identify these connections. For example, cybersecurity or operational risks can compound financial reporting and compliance risks.

Step 2: Assess bandwidth and structure for effective audit committee risk management

Audit committees should review a detailed list of their responsibilities and how they are prioritized.

• For various risk-related duties, how much oversight and attention are required?
• Does the audit committee have the resources and expertise to manage these risks?
• Do the committee structure and overall board structure help or hinder oversight?
• How well do various board committees communicate with one another on risk issues?

This type of thoughtful and honest self-assessment can take time. Some boards might wish to consider assessment by a third-party consultant to identify weaknesses and opportunities.

Step 3: Explore options to more effectively allocate risk across the board

How do effective audit committees juggle core responsibilities with risk oversight? Board members can tap their professional networks or consult with their external auditor to learn alternative approaches and best practices.

Adjustments to audit committee risk management practices might include:

• Creating a separate, dedicated risk committee or subcommittee – a practice that is already required for financial institutions with more than $50 billion in assets
• Increasing education and training to help committee members better understand and manage risks
• Offloading finite tasks and projects to consultants
• Allocating more time on the board agenda to discuss risk topics or mandating more frequent and in-depth updates from management
• More formally separating risk oversight tasks and discussions from assurance and financial reporting tasks, because they require different mindsets and processes

Pros and cons of separate risk and audit committees

Establishing a dedicated risk committee is a frequently explored option. However, while risk committees might provide enhanced oversight, they aren’t necessarily the right answer for every company.

No one-size-fits-all approach for audit committees

Audit committees can follow these guidelines and explore questions with the understanding that the outcomes might vary significantly. Risk oversight practices that work for one organization might not work for another. Committees must choose the approach that makes the most sense for their needs and circumstances.

¹ Lauren Cunningham, Sarah Stein, Kimberly Walker, and Karneisha Wolfe, “Audit Committee: The Kitchen Sink of the Board,” Center for Audit Quality (CAQ), Virginia Tech Pamplin College of Business, and the Neel Corporate Governance Center at the University of Tennessee, Knoxville’s Haslam College of Business, November 2022, https://www.thecaq.org/ac-kitchen-sink/
² “2022 Audit Committee Transparency Barometer,” Center for Audit Quality (CAQ), November 2022, https://www.thecaq.org/2022-barometer/
³ “Audit Committee: The Kitchen Sink of the Board.”
⁴ Mark Beasley and Bruce Branson, “2022 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 13th Edition,” American Institute of Certified Public Accountants (AICPA) and the NC State Poole College of Management, June 2022, https://erm.ncsu.edu/library/article/2022-risk-oversight-report-erm-ncstate-lp