Over the last 10 years it became almost dogmatic that risk management effectiveness has to be disclosed at the Board level. It seems to be equally accepted that the full Board is responsible for risk management oversight, but that it can, and often does, delegate this oversight responsibility to the Audit Committee. This is in fact so common that many organisations have expanded the Audit Committee mandate to include risk management and renamed it the Audit and Risk Committee.
According to FRC, the audit committee should review related information presented with the financial statements, including the strategic report, and corporate governance statements relating to the audit and to risk management.
The audit committee should ensure that the internal audit plan is aligned to the key risks of the business. The audit committee should pay particular attention to the areas in which work of the risk, compliance, finance, internal audit and external audit functions may be aligned or overlapping and oversee these relationships to ensure they are coordinated and operating effectively to avoid duplication. (FRC)
I am sure IIA Global provides similar guidance for the Audit Committees on risk management. Although it wasn’t on the first Google results page, so it doesn’t count ))) Let me know if you found it. I wouldn’t be surprised if IIA again totally missed the plot on audit and risk.
Anyway, this seems both logical and practical. Whenever the internal auditors present an audit plan, it should be risk based (RM2). The Audit Committee agenda should be risk based (RM2). The Audit Committee should receive a report on risk management effectiveness (although I have very different views on what this report should look like and the methodology for its preparation compared to conventional RM1 thinking). The Audit Committee may also ask for ad-hoc reports on specific compliance risks from time to time (RM1).
Very often however I see other risk management matters relegated to the Audit Committee, including risk management strategy and other risk management activities. Write in the comments if you have observed something similar, where the Audit Committee becomes the place for all risk matters.
And that is totally against the whole purpose of risk management. If risk management is a decision making tool (under RM2 it sure is), then discussing risks, goals, objectives, performance targets or actual performance separately from risks is insanity. Risk is not a standalone item that needs to be managed (except for a few compliance risks, but only because regulators missed the plot and now we all have to pretend compliance risks need to be managed rather than being a driver in business decision making): risk is the other side of the performance coin.
Business performance is two-dimensional: reward and risk. How much did we make, and how much did it or could it have cost us (how much risk did we take on to generate the revenue)?
Separating the risk conversation from planning, budgeting and performance conversations should stop asap.
The oversight should stay at the Audit Committee, but all the other risk matters, including risks associated with strategies, business plans, budgets, investment decisions, internal change projects, pandemics and the like, should move back to the full Board or at least the Strategy Committee. Risks should be quantified and their effects discussed at the time of making decisions, not later when the Audit Committee meets. We seem to have a place for RM1 at the Board but no place for RM2.
I did a couple of surveys, both in Russia and globally, and was amazed to find that 60% of the risk managers saw no problem with this. I guess it’s easy when you are RM1.
Ask yourself this: if the current practice worked, why do we still have deterministic strategies, business plans and investment decisions? Why does management present a single scenario, or sometimes 3 scenarios if we are lucky, instead of transparently showing the volatility associated with key assumptions and the probability of achieving objectives for each decision?
What do you think?