Board Audit Committee & Board Risk Committee: The Interrelationship
Are there areas where the roles and responsibilities of the Board Audit Committee (BAC) and Board Risk Committee (BRC) overlap? If there are, is it a good thing, or is efficiency and effectiveness of both committees improved with clear delineation of duties? In the course of business, companies are inevitably exposed to risk, i.e., anything which prevents the organisation from achieving its objectives. Wouldn’t it be better, therefore, if risks were more widely understood by more board members, as it is the overall responsibility of the board to ensure that risks are properly identified, evaluated and managed? Or will both committees suffer from decreased effectiveness instead, because of duplication or the overlap?
The BAC traditionally deals with audit plans, findings and other related items, which include non-financial items and the effectiveness of the organisation’s internal controls, processes and systems; reliability of its financial statements and disclosures; compliance with codes of business conduct and ensuring that the firm complies with the various regulatory requirements. The role of the Audit Committee has expanded significantly in recent years as the firm’s risk profile is continually changing due to internal and external circumstances.
The BRC, on the other hand, tends to deal with oversight of risks at the strategic, operational and management levels – risks which may prevent the organisation from attaining its goals. It also ensures the identification of opportunities that may arise as a result of managing risk. Risk is usually managed by taking the risk if it is tolerable or insignificant, or reducing it through internal control. It can also be transferred, as in the case of having it underwritten by insurance, or terminated if it is deemed too high or exceeds the levels determined by the board. These are just some of the risk treatment options that may be applied. There are others which companies can consider, according to their particular requirements. Risk management and internal control rely on regular evaluation of risks and the performance of the risk management systems in place. This provides reasonable assurance that the firm’s objectives are being met.
BRCs play an integral role in supporting the board’s decision-making and its oversight responsibilities on risk management. This is usually done by monitoring risk, including emerging risks, and identifying significant incidents, breaches, root causes and trends. Besides this, risk management plays a crucial role in ensuring the corporate governance mechanism is functioning appropriately, and the right tone from the top is established from the outset. All these functions are supported by information provided by management; the BRC is therefore crucial to determining the firm’s balance between risk and opportunity because it is in a position to evaluate and assess the firm’s risk exposure.
Where there is an overlap with audit activities, such as in internal or external audit issues relating to risk management policy or practice, the BRC will have to coordinate its activities with the BAC. But it is worth noting that as with all board committees – such as compensation, nomination, disclosure, governance etc – the goals of the BAC and BRC are intertwined as their ultimate aim is to ensure the performance, competitiveness and sustainability of the organisation. It is in the best interests of the firm, therefore, to clearly define or delineate the roles and responsibilities of the BAC and BRC, including where the overlaps lie, so that the committees’ respective members are aware.
In the course of its work, the BAC will also ensure the audit of the organisation’s corporate governance process as part of the normal audit cycle. The BRC’s role is more comprehensive, in that it is responsible for ensuring that risk is addressed and aligned with strategy, while simultaneously monitoring risks and overseeing the risk exposure of the firm, and advising the board accordingly. BRC members must therefore constantly ask themselves if they have current, reliable data that supports the board’s decision-making, and if the data has the required degree of integrity.
Being effective will require BRC members to stay abreast of best practices. For their part, management needs to constantly scan the horizon for new or emerging risks, be able to develop responses to these risks and offer suggestions to the board. Approaching the risk oversight process in this manner allows for a better understanding of the risks which confront the company over time, and supports its value-creating efforts. The BAC must cover a myriad of tasks to ensure the proper functioning of the firm’s systems and processes.
However, not all firms may have the human resources – such as the necessary number of board members with the prerequisite skill sets – to undertake the work of the BAC and BRC separately. If boards require BACs to do the work of BRCs, particularly in the areas of risk oversight, identifying and evaluating risk and putting in mitigation measures, then these boards must ensure that their BACs have the right resources, including the necessary skills, for it. Auditing and risk management are two very different areas of expertise, although there are some areas which overlap. At BAC and BRC level, members need to have sufficient knowledge and experience in their respective fields to be effective.
Additionally, many members may already be serving on multiple committees, particularly if the firm has a small board. The BAC, as a third line of defence committee, should focus on providing independent assurance and avoid getting involved in the decision-making process. The BRC, however, will need to be involved in the decision-making process as it is a second line of defence committee. Boards should be clear about the potential contradiction and conflict of interest if these two committees are merged or if the BAC becomes involved in managing risk.