Uncertainty has always accompanied business operations. It cannot be avoided; it must be faced. Management and boards should openly recognize that the pace of change has increased and become more interconnected and global in nature, with the audit committee playing an active role in risk oversight.
Every organization is unique, causing internal and external risk categories to manifest through different risk events. Knowing the relevant risk categories and drilling into the specific events that could occur and influence an organization’s success is imperative. The CAE needs to be a consultant to the audit committee, helping it with its oversight role. In addition, the internal audit function and the organization’s senior leaders should work together to evaluate vulnerabilities linked to strategic objectives.
The Velocity of Change
As business changes and emerging risk becomes more relevant, risk management becomes a shared, routine process. Increasing reliance on Internet technology makes cybersecurity a crucial risk. Businesses with global customers or vendors must pay attention to geopolitical factors abroad, while other organizations face exposures within their home nations.
The potential for a “black swan” event, a devastating event that no one could have foreseen, exists as well. For example, the earthquake and subsequent tsunami Japan experienced in 2011 wreaked havoc on global supply chains without warning. Attempting to identify such possibilities is infeasible and beyond the scope of effective risk management practices.
Such events illustrate the impact and velocity of change, as do disruptive innovative technologies. While such disruption quickly makes some products and business models obsolete, it also presents opportunities for organizations that acknowledge and embrace change. That’s what makes the audit committee’s risk oversight role so important.
No business can totally mitigate every risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Risk management is a multifaceted function that balances acceptance and avoidance of risk against the actions necessary to operate the business for success and growth and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation, one important enough to require participation by the organization’s audit committee and other board members, with the CAE and internal audit function serving increasingly important roles.
Enterprise Risk Frameworks
A variety of frameworks provide guidance for assessing and managing risk. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework is widely used by organizations in many industries. The International Organization for Standardization’s ISO 31000–Risk Management Principles and Guidelines is recognized worldwide.
In addition to these frameworks, The Corporate Executive Board monitors reported risks from the largest U.S. corporations. Such resources enable an organization to take a continual, systemic risk management approach. In turn, an organization can define its risk profile, which provides an understanding of the organization’s approach toward risk (see “Considerations Affecting Risk Profile” below).
While the internal audit function may facilitate identification of the risk profile and recognition of risk reduction activities, risk management should be owned by the organization’s CEO and leadership team. The CAE can educate board members on risk management practices, relevant emerging risks, and alignment with the strategic business objectives. Understanding the risk profile can aid members in identifying expertise or skills gaps within the board that may impede its ability to provide guidance on managing emerging risks.
The Audit Committee’s Risk Oversight Role
The audit committee exercises oversight for crucial corporate governance matters, including financial and compliance issues. The importance of risk awareness highlights why audit committee members also need to make risk an ongoing topic of discussion at board meetings throughout the year.
Initially, audit committee members should meet with and question the CEO, chief financial officer, chief operating officer, CAE, chief risk officer, controller, general counsel, director of financial reporting, IT director, and other key leaders. Insights gleaned from such interactions give committee members with risk oversight responsibilities firsthand knowledge of exposures facing the organization and help the committee engage other board members at the strategic and risk awareness levels. The knowledge gained from heightened risk awareness enables the audit committee, board, and management to more effectively address uncertainty and strategic objectives.
The internal audit function complements those efforts by assessing risks related to those strategic objectives. With industry-specific knowledge and understanding of analytics and other measurement or predictive tools, the internal audit function also can recommend and monitor controls that enhance efficiency, risk recognition, and responsiveness.
Building a Competitive Advantage
Monitoring the risks that emerge from change and uncertainty enables CAEs to advise the board and audit committee on exercising the risk oversight that is crucial to good corporate governance. This enhanced risk awareness can more fully prepare the organization to recognize and respond to emerging vulnerabilities before they become crises as well as to capitalize on opportunities that accompany change. In that sense, enhanced responsiveness to change can give an organization a competitive advantage that enables it to thrive.