It’s important to build the right framework for early risk detection.
Today’s boards and audit committees (ACs) are not only being challenged to do more, they’re also being held to a higher level of accountability. Their essential role hasn’t changed, but responsibilities have increased, expectations have risen and the repercussions of “not getting it right” continue to grow.
While the AC’s role has always been risk-centric, it typically focused on the financial and regulatory risks associated with financial statements and reporting. Now, however, their mandate often extends to the organization’s full risk profile, with many organizations renaming the audit committee the “audit and risk committee of the board” and giving it explicit responsibility for all risk areas. As a result, lapses or gaps in an organization’s risk management framework affect more than the financials and can ultimately lead to heightened public scrutiny, shareholder dissatisfaction and a loss of investor confidence. Many boards and ACs are struggling with this rapidly evolving role, uncertain whether their risk governance frameworks are robust enough to anticipate, assess and address quickly changing and increasingly complex risks.
Within this shifting landscape, boards and ACs are being forced to take a broader view of risk and to consider whether their processes and controls are adequate to identify, assess, manage and mitigate the organization’s full spectrum of existing and emerging risks.
Boards and ACs understand that risk is changing the accountability spectrum; they can see and feel it, and they understand that everyone’s interpretation of risk has to become more dynamic. Those who are ultimately accountable for risk need processes and tools to enable better identification, assessment and mitigation, particularly when it comes to non-traditional operational risks, or those that can affect reputation and lead to public censure, shareholder dissatisfaction or loss of investor confidence.
To that end, certain key steps can help strengthen and broaden the risk oversight framework, including:
What are the implications for boards and the audit committee?
We’re talking about more than just additional duties and enhanced expectations. The board needs to ensure risk is covered, so if there is no specific risk committee, it will generally fall to the AC. With the stakes so high, ACs should confirm the organization has the structures in place to identify, assess and evaluate all the risks and controls for which the AC bears oversight responsibility.
In the past, boards and ACs rightfully focused on financial statement risk, but in today’s world, it’s simply not enough. Risk responsibility has gone beyond the financials. Cyber security, social media, evolving business technologies, doing business in emerging economies—these are just a few of the many areas creating increasingly complex risks for boards and audit committees.
If inadequate risk management and controls lead to an incident or breach, customers will turn away, investors will lose confidence and major financial loss—and potential personal director liability—could result. However, a strong risk framework—including an effective ERM program, early risk identification processes, a capable IA function and an active internal/external auditor relationship—can help ensure the AC’s broad risk management mandate is fulfilled, protecting the organization’s assets.