What does your audit committee know about risk?


One of the key factors in a successful partnership between chief audit executives and the board is risk maturity. Here, we explore this idea and what you can do to build a more powerful partnership with your board, audit and risk committees.

UK governance for listed and private companies makes it clear that the board is responsible for an organisation’s risk management system, even when oversight is delegated to a board committee. Without sound knowledge and understanding, this is like putting a passenger in the pilot seat of an aircraft and turning off the autopilot. Does your board know enough about risk?

Who owns risk?

One of the key principles of corporate governance is that “the board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.”

It goes on to state that the board “should establish an audit committee of independent non-executive directors.” One element of their remit is to review “the company’s internal financial controls and internal control and risk management systems, unless expressly addressed by a separate board risk committee composed of independent non-executive directors, or by the board itself.”

Whilst chief audit executives will report to the audit committee chair, they may also be asked to report on risk to any or all of the board committees depending on the resourcing of risk management. Internal audit has legitimate roles within risk management, as defined by the Chartered IIA.

In the financial services sector, risk committees are mandated.

Why is risk maturity so important?

Risk maturity is all about taking informed risk, knowing when to seize an opportunity and when to say stop. For the board and particularly the non-executive…