Audit and Risk Committees (ARCs) are the topic today in response to a request from a respondent to my recent survey on your preferences on what you would like me to blog about. I am moving on from the strategy for your enterprise risk program to reporting on risk and first cab off the rank is the role of the ARC. “What should they be doing and what should be their KPIs?” was the request.
I’ll start with a problem I have experienced from my roles in the past as an independent on ARCs. I was given information about risk but nothing about current performance of the business other than for sessions on budget setting or re-forecasting. And then I had to infer a lot of it from the numbers and the commentary on some of the numbers. As I have written and preached time and time again, performance and risk reporting should be integrated and should reflect on whether the organisation is operating within appetite for risk.
Therefore, the most important item on an ARC agenda from a risk perspective is the assurance they can provide the Board that the performance and risk report, on its way through the ARC to the Board, appropriately reflects reality.
Second, if the reporting includes unacceptably high risks or the organisation is substantively outside of appetite for risk, the ARC should question, provide commentary or even recommend action on any apparent mismatch of risk and the allocation of resources. That is, if one area has all the resources and little risk, perhaps some of the resourcing should be re-allocated to other areas of risk.
In addition to all the different audit (internal and external), compliance, WHS, fraud and other matters (depending on the industry), I recommend the ARC always have a senior executive make a presentation on their risk profile to provide additional assurance that senior leaders are engaged with the risk program.
When it comes to KPIs, I must admit I have not spent much time considering or advising on this. I would be happy to hear about yours if you have some good ones. Otherwise, what first comes to mind is the extent to which the risk profiles (that made it through the ARC to the Board) reflected reality. That is, a KPI on the number of surprises in a year where, upon investigation, the risk was never properly acknowledged and reported by management.
Of course, this leads to a whole new set of questions about how the ARC can provide assurance and the budget they may require to do so.