Risk just got riskier: insights from audit committee members on the changing nature of risk.

Author: Rodriguez, Jose R.
Position: ON THE GOVERNANCE AGENDA

Discussions about risk have an added sense of urgency in the boardroom today thanks to a mix of volatility, uncertainty, opportunity, and complexity, and audit committees are often the conversation catalysts.

Audit committee members discussed a number of critical challenges and concerns, and how they're continuing to sharpen the audit committee's focus and effectiveness in a series of peer exchanges at our Annual Issues Conference. Highlights from those conversations, which are captured in our new report, Risk Just Got Riskier, include the following insights:

Risk oversight

Risk management remains top of mind given expectations for slow growth, economic uncertainty, mounting cyber risk, unrelenting technology innovation and business model disruption, and U.S. policy shifts. As one audit committee member said, "We still rely on the three lines of defense--compliance, risk management, and internal audit--but we've shifted the emphasis to the first line compliance. You can't just expect quality and integrity at the end of the process. You have to get it right the first time, before it comes downstream."

Corporate culture

Discussions indicated that most audit committees and internal audit departments are in the early stages of determining how to audit culture. "We're starting to see some frameworks and criteria for culture audits," said one director, suggesting many companies are "already doing some of this work, just not in a systematic way." Discussions also highlighted an increasing focus on the potential risks posed by compensation and incentives.

Heavy risk agendas

Audit committee members say it's getting more difficult to oversee the major risks on their agendas. "We're fine owning the oversight of the company's risk process, but the audit committee's job, first and foremost, is financial reporting and internal controls, and oversight of the auditors," one noted. "We're very cognizant of risk topics crowding out the committee agenda and diluting our main focus."

While risk oversight from a defensive perspective--e.g., regulatory compliance, cybersecurity, internal controls--may be appropriate for the audit committee, most attendees emphasized that the full board is responsible for connecting risk and strategy.

Cybersecurity

Companies and boards are evolving their cybersecurity approaches to focus more on detection and containment. "I think it's finally sunk in that we simply can't wall off the company from cyber risk," said one director...
