You can’t stop what you can’t see | KPMG | CA


It’s important to build the right framework for early risk detection.


Today’s boards and audit committees (ACs) are not only being challenged to do more, they’re also being held to a higher level of accountability. Their essential role hasn’t changed, but responsibilities have increased, expectations have risen and the repercussions of “not getting it right” continue to grow.

While the AC’s role has always been risk-centric, it typically focused on the financial and regulatory risks associated with financial statements and reporting. Now, however, their mandate often extends to the organization’s full risk profile, with many organizations renaming the audit committee the “audit and risk committee of the board” and giving it explicit responsibility for all risk areas. As a result, lapses or gaps in an organization’s risk management framework affect more than the financials and can ultimately lead to heightened public scrutiny, shareholder dissatisfaction and a loss of investor confidence. Many boards and ACs are struggling with this rapidly evolving role, uncertain whether their risk governance frameworks are robust enough to anticipate, assess and address quickly changing and increasingly complex risks.

Within this shifting landscape, boards and ACs are being forced to take a broader view of risk and to consider whether their processes and controls are adequate to identify, assess, manage and mitigate the organization’s full spectrum of existing and emerging risks.

Five steps to increased risk preparedness

Boards and ACs understand that risk is changing the accountability spectrum; they can see and feel it, and they understand that everyone’s interpretation of risk has to become more dynamic. Those who are ultimately accountable for risk need processes and tools to enable better identification, assessment and mitigation, particularly when it comes to non-traditional operational risks, or those that can affect reputation and lead to public censure, shareholder dissatisfaction or loss of investor confidence.

To that end, certain key steps can help strengthen and broaden the risk oversight framework, including:

  1. Members of the board and AC have comfort that all relevant risks across the organization are identified, analyzed and appropriately addressed.
  2. The three lines of defense are in place, including:
    • Controls within the business functions
    • A management oversight function ensuring appropriate controls for management-directed activities
    • The independent assurance functions, such as audit (internal and external), as well as any external assessors
  3. All risk oversight functions are working effectively, both on their own and in concert with each other. For example, internal audit has a board mandate to look at all risks in the organization and, together with external audit, objectively consider and assess them as necessary.
  4. The Enterprise Risk Management (ERM) function is strategically aligned and has, or is cultivating, the ability to anticipate emerging risks. A strong ERM function will by now have identified and—along with management—assessed cyber security risk and taken appropriate action to ensure adequate controls.
  5. Industry-specific risk requirements are understood (health and safety, for example), with functions, activities and controls in place for identification, assessment and mitigation.

What are the implications for boards and the audit committee?

We’re talking about more than just additional duties and enhanced expectations. The board needs to ensure risk is covered, so if there is no specific risk committee, it will generally fall to the AC. With the stakes so high, ACs should confirm the organization has the structures in place to identify, assess and evaluate all the risks and controls for which the AC bears oversight responsibility.

Boards and audit committees should ask:

  • Is our view of risk broad enough to cover the whole organization?
  • Are the three lines of defense in place and functioning in a coordinated and effective manner?
  • Do we fully understand the key strategic risks of our organization and are we comfortable that we have controls to appropriately manage these specific risk areas?
  • What could prevent us from reacting fast enough to a major risk event, such as a security breach?

Playing in a bigger ballpark

In the past, boards and ACs rightfully focused on financial statement risk, but in today’s world, it’s simply not enough. Risk responsibility has gone beyond the financials. Cyber security, social media, evolving business technologies, doing business in emerging economies—these are just a few of the many areas creating increasingly complex risks for boards and audit committees.

If inadequate risk management and controls lead to an incident or breach, customers will turn away, investors will lose confidence and major financial loss—and potential personal director liability—could result. However, a strong risk framework—including an effective ERM program, early risk identification processes, a capable internal audit (IA) function and an active internal/external auditor relationship—can help ensure the AC’s broad risk management mandate is fulfilled, protecting the organization’s assets.
