Enhancing Risk Management Oversight: A Top Priority For Audit Committee Members


by Pat Niemann

How can audit committees properly oversee risk management in such a complex environment?

Shifting macroeconomic conditions, and their impact on near- and long-term risk implications for companies, are at the top of today’s audit committee agenda. The range of issues reshaping the corporate risk horizon is broad and complex, from slowing global economic activity, persistent inflation, geopolitical concerns and the re-examination of global supply chains to emerging technologies and a mushrooming array of cybersecurity considerations, including new and anticipated SEC regulations. This raises the question: How can audit committees properly oversee risk management in such a complex environment?

As if today’s compounding risks and unprecedented levels of uncertainty were not challenging enough, counterintuitive risk impacts are being observed, adding yet another layer of complexity to risk management. Combined with the expanding scope, scale and interconnectedness of risks, this means audit committees are constantly challenged to balance the consideration of unpredictable “black swan” events and predictable “gray rhino” events. A black swan event may result in a tremendous loss and is difficult to predict, but it is often rationalized with the benefit of hindsight, which is inevitable. On the other hand, the gray rhino can have a tremendous impact and could be highly probable, but it is often ignored.

Although the risks associated with a pandemic and other events were on many companies’ risk maps, very few were prepared to navigate the shutdown of global supply chains. Accordingly, building capabilities to anticipate, assess and manage risk impacts and upside opportunities, even if they are considered highly probable or remote possibilities, may require more expertise and enhanced risk management methodologies and planning going forward.

A key takeaway among lessons learned in recent years, which has been underscored amid ongoing business, economic and other market challenges, is that certain historical risk oversight practices may no longer be fit for purpose. As some audit committee chairs also are observing, six practices stand out that can be adopted to mitigate risk.

Break down silos with integrated enterprise risk management (ERM).

Decentralized ERM models that take siloed views of risk and fail to look beyond the enterprise to consider the company’s ecosystem of providers and customers, among other system risks, may fall short of what their organizations truly require. Furthermore, not considering how a risk may impact or intensify another is a shortcoming. 

Audit committees can play an important role in driving an integrated approach to risk, especially when it comes to nonobvious interconnected risks.

One innovative way a company gained greater insight into otherwise disconnected enterprise risks and illuminated their implications was by creating a risk council of senior business unit leaders. Within such a council, leaders can collaborate, and discuss risks and their potential effect on strategic and performance objectives — benefiting from a variety of perspectives.

Incorporate external data sources to develop an informed point of view on the risk landscape.

Audit committees should verify that the companies they oversee incorporate internal and external data points in their risk identification process. They also need to continuously monitor risks and trends to watch for any material changes.

Increase scenario planning and incorporate tabletop exercises to enhance preparedness.

Audit chairs say that giving a lot of thought to potential risk scenarios and developing a response framework speeds the reaction time when a threat materializes. Undertaking tabletop exercises to practice responding to various risk situations, whether they are related to environmental, social and governance (ESG), the result of geopolitics or cyber events, can enhance risk responses and improve preparedness for rapidly emerging and evolving risks.

Additionally, leveraging technology, such as artificial intelligence to scan the horizon for outside-in risk perspectives, and using data analytics can lead to fewer surprises by providing more insightful data to help detect weak signals of an atypical threat before it materializes.

Seek ways to incorporate diverse perspectives and specialized expertise.

Not all risk management need be reserved for the audit committee. A diverse board with a range of perspectives can provide valuable insight, augmenting risk oversight. When boards recruit directors who bring different elements of diversity in thought and experience, they ultimately broaden and strengthen the collective range of perspectives and insights. For example, in oversight of cyber risks, the audit committee may consider having the chief information security officer (CISO) provide and present updates to the audit committee on a regular basis.

With respect to cyber, directors underscored the importance of receiving a regular cadence of updates from management and outside experts. Some audit committees also use cyber rating agencies for cybersecurity assessments of the company. Audit committees monitor ratings and security scoreboards based on what regulators and investors seek. Audit committees also benefit from hearing from other companies about their cyber situations as such case studies help boards identify weaknesses that are less common.

External advisors, including analysts and independent subject-matter experts, can bring outside-in perspectives that enhance risk oversight.

Be transparent with stakeholders.

Informing investors and other stakeholders about current risk levels and uncertainty on a timely basis is important. In the case of ESG, 80% of investors EY surveyed say that “too many companies fail to properly articulate the rationale for long-term investments in sustainability, which can make it difficult for us to evaluate the investment.” These stakeholders are hungry for insights they can use to help manage their investment portfolios.

Continue to build resiliency and sustainability while staying vigilant to cyber risks.

Looking ahead, audit committees and other board members will need to continue to address changing risk profiles and mitigate risks. As they do, they will need to consider projects companies can undertake to make their business more resilient, even in the face of a black swan or gray rhino event. 

Pat Niemann is the EY Americas Audit Committee Forum Leader.