Richard Chambers is the CEO of Richard F. Chambers & Associates and also serves as Senior Internal Audit Advisor at AuditBoard.
In this era of continuous disruption, the risk oversight responsibility of board members has never been more critical. To fully execute their responsibilities, board members must proactively seek out the information they need to govern effectively. The first half of 2023 has yielded yet more uncertainty across the full portfolio of risks facing corporate entities large and small. Geopolitical instability, declining global trade, banking sector turmoil and a recession loom over every decision.
However, the horizon offers a degree of optimism as the Covid emergency was declared officially over in early May and year-over-year inflation statistics have continued to moderate. Corporate boards and their committees, particularly the audit committee, face extraordinary challenges as they strategize for the second half of 2023.
Fortunately, most boards can rely on risk and audit professionals in the organization to provide assurance about the overall effectiveness of risk management and controls that help the company protect and create value for its shareholders. Assurance teams are an excellent source of information, and board members should reach out to them without hesitation for deeper insight into the company’s risk management program. The key to getting the right information is asking the right questions.
Looking ahead, at least five questions that boards should pose to risk and audit professionals come to mind. As a career internal auditor and as a board member, these are the questions I would ask—and would want other board members to ask their assurance teams—in this period of heightened uncertainty.
1. Are the internal risk management teams collaborating to ensure continuous monitoring?
Risk management must be a team sport, not a solo endeavor. Most organizations have different groups focusing on specific assurance and risk management areas, such as enterprise risk management (ERM), internal audit, compliance, legal, IT security and others. In their risk oversight role, boards should insist these different players work together as a collaborative team, something I talk about in my previous Forbes Councils article. Board members should question the extent of internal collaboration. One indicator of collaboration could be whether the groups present to the board jointly or in separate, disconnected sessions. The board should convey its expectation of collaboration and an aligned assurance approach regarding risk management.
2. Is risk management also focused on emerging risks?
Effective risk management includes a predictive element to identify the risks on the horizon. Boards should understand how assurance teams identify and monitor emerging risk indicators and the mechanisms for alerting management when a risk warrants attention. For example, at the start of 2023, few were considering the risk of uninsured deposits as warranting attention. Yet, after bank failures, companies holding large cash deposits suddenly had a significant risk to monitor. Considering the uncertainty around macroeconomic conditions, geopolitical instability and rising worries about using artificial intelligence, boards should regularly discuss the impact of emerging risks with their assurance teams.
3. What are the top five risks internal audit is NOT addressing, and why?
When the board, especially the audit committee, meets with the chief audit executive (CAE), focus the conversation on risk coverage instead of resources. Generally speaking, the CAE will work within the resource limitations of their budget to address the company’s most significant risks. Boards should ask about the risks the CAE does not plan to cover and why. The answer could be due to budget or even expertise constraints. Boards can decide if they are comfortable that the audit plan fits within their risk appetite, or they could open the discussion to ask what it would take to increase coverage.
4. Are aspects of the company’s culture creating unknown risks?
Corporate culture should be top of mind for board members. Looking back to WorldCom and Enron, or even high-profile failures in the past year, toxic culture is a risk that can quickly unravel a company. While risk and audit teams should call out dangerous aspects of a company’s culture, recognizing the problem can be difficult when you are too close or when you don’t feel empowered to do so. To mitigate an unknown cultural risk, boards should openly discuss cultural concerns with risk and audit leaders to ensure they are supported when they raise concerns.
5. How are ESG risks being addressed?
Boards should ask their assurance teams hard questions about the accuracy, completeness and reliability of the company’s environmental, social and governance (ESG) public disclosures. To start, board members must be informed about ESG and understand the risk of misleading or fraudulent claims made by organizations to achieve financial results or enhance public opinion. Once the board understands these risks, the company’s audit and risk teams can assess and provide assurance that they are being effectively addressed by management.
Keep your eyes on the horizon.
Board members should always look to the horizon to anticipate the next challenge. With the dynamic nature of risk, any set of questions will only suffice for a short time. Look ahead to what is coming and constantly update the questions you pose to the assurance teams. Continuous, candid and conversational dialog with the company’s risk management and audit professionals will be an invaluable source of insights that enable boards to fulfill their responsibility for effective risk oversight.