Why Board Audit Committee is the worst place for risk management and having a separate Board Risk Committee is even worse

Over the last 10 years it has become almost dogmatic that risk management effectiveness has to be disclosed at the Board level. It seems equally accepted that the full Board is responsible for risk management oversight and that it can, and often does, delegate this oversight responsibility to the Audit Committee. This is so common that many organisations have expanded the Audit Committee mandate to include risk management and renamed it the Audit and Risk Committee.

Some regulators, in Russia for example, have even legislated that risk management oversight, as well as other risk management matters, is the responsibility of the Audit Committee.

According to the FRC, the audit committee should review related information presented with the financial statements, including the strategic report and the corporate governance statements relating to the audit and to risk management.

The audit committee should ensure that the internal audit plan is aligned to the key risks of the business. The audit committee should pay particular attention to the areas in which work of the risk, compliance, finance, internal audit and external audit functions may be aligned or overlapping and oversee these relationships to ensure they are coordinated and operating effectively to avoid duplication. (FRC)

I am sure IIA Global provides similar guidance for Audit Committees on risk management, although it wasn’t on the first page of Google results, so it doesn’t count ))) Let me know if you find it. I wouldn’t be surprised if the IIA has again totally missed the plot on audit and risk.

Anyway, this seems both logical and practical. Whenever the internal auditors present an audit plan, it should be risk based (RM2). The Audit Committee agenda should be risk based (RM2). The Audit Committee should receive a report on risk management effectiveness (although I have very different views on what this report should look like and on the methodology for its preparation compared to conventional RM1 thinking). The Audit Committee may also ask for ad-hoc reports on specific compliance risks from time to time (RM1).

Very often, however, I see other risk management matters relegated to the Audit Committee as well, including risk management strategy and other risk management activities. Write in the comments if you have observed something similar, where the Audit Committee becomes the place for all risk matters.

And that is totally against the whole purpose of risk management. If risk management is a decision making tool (under RM2 it certainly is), then discussing risks separately from goals, objectives, performance targets or actual performance is insanity. Risk is not a standalone item that needs to be managed (except for a few compliance risks, but only because regulators missed the plot and now we all have to pretend compliance risks need to be managed rather than treated as a driver of business decision making); risk is the other side of the performance coin.

Business performance is two-dimensional: reward and risk. How much did we make, and how much did it cost us or could it have cost us (how much risk did we take on to generate the revenue)?

Separating the risk conversation from planning, budgeting and performance conversations should stop as soon as possible.


The oversight should stay with the Audit Committee, but all the other risk matters, including risks associated with strategies, business plans, budgets, investment decisions, internal change projects, pandemics and the like, should move back to the full Board or at least to the Strategy Committee. Risks should be quantified and their effects discussed at the time of making decisions, not later when the Audit Committee meets. We seem to have a place for RM1 at the Board but no place for RM2.

I did a couple of surveys, both in Russia and globally, and was amazed to find that 60% of risk managers saw no problem with this. I guess it’s easy when you are RM1.

Ask yourself this: if the current practice worked, why do we still have deterministic strategies, business plans and investment decisions? Why does management present a single scenario, sometimes three scenarios if we are lucky, instead of transparently showing the volatility associated with key assumptions and the probability of achieving the objectives for each decision?

What do you think?

Alex Sidorenko, http://www.riskacademy.blog

6 thoughts on “Why Board Audit Committee is the worst place for risk management and having a separate Board Risk Committee is even worse”

  1. Totally agree that risk related matters should be discussed at Board level directly. Probably the first half of the meeting should be spent discussing all the risks associated with the strategic/investment decisions and budget prior to approval. This is where all Board members will be fully conversant with the challenges and opportunities of the business and can eventually take full responsibility for their decisions. However, to achieve this, I think we should first ensure that risk culture permeates the whole decision making process within the business and is not a one person or one department job working in isolation or as an ‘after effect’ / ‘by the way’ process.

  2. I can only agree with you, Alex, and I wonder every day about the reasons for such confusion. Either we use the same words, “risk management”, to name completely different things, or each function and each committee speaks only for its silo of responsibility while giving, through its language and its vocabulary, the illusion of covering everything which can affect the strategy and the achievement of objectives. It seems normal to me that the audit committee takes a close look at the management of risks that may affect the sincerity objectives of the financial accounts; I am more doubtful of the relevance of their analyses when it comes to the uncertainties related to the development of a new product or new technology.

    1. Totally understand where you are coming from, Alex. Absolutely, risk strategy and risk activities cannot be within the Audit responsibilities. Yes, review of these by all means is an IA responsibility. Also, risk management has gotten quite complex, or so it may seem, and many a time, whilst IA are made responsible for review and oversight, I am not sure if they are always given the tools/budget to do so.
