Risk is subjective by nature. Threats and vulnerabilities differ from one organization to the next; as do the strategies and responsibilities for managing them. An Audit Committee's role will vary for this reason, yet it is most effective when supported by a robust board-level approach.
What does that robust board-level approach look like? It's the entire Board understanding its responsibility to oversee risk management. It's clearly defining roles and committee mandates to leverage the expertise of individual directors and committees so that collectively they ensure the organization has effectively identified, measured and prioritized its top risks. It's the Board assessing risk when committing to the organization's strategic plans, agreeing on and collectively monitoring the response.
We must remember that risk doesn't necessarily mean "threat". Risks can signal an opportunity for growth or innovation which an organization may choose to exploit. Strategic responses (to either mitigate the downside or take advantage of the upside) need to be informed by reliable information regarding the related risks and the organization's agreed appetite for risk.
Risks are never static. Neither can they be contained in silos. Risks evolve, expand, and connect to other risks in complex and unpredictable ways. Without a crystal ball, accurately predicting the impact of compounding and interconnected risks is impossible. But Boards must challenge management to comprehensively assess the dependencies between risks. Given the pace of change and complexities of doing business in an increasingly connected world, it's nearly impossible to fully understand and address every risk on the (virtual) horizon. Boards must remain focused on what threatens the achievement of the company's strategic objectives. Organizations need to prioritize risks based on their severity and likelihood, using an agreed framework or ranking scale.
The good news is, boards don't need to go it alone. There are numerous resources and third-party supports that can work with the board to bridge skill gaps and provide the tools and resources to pursue a truly dynamic risk management approach.