The increasing complexity and fusion of risks unfolding simultaneously require a more holistic approach to risk management and oversight. At the same time, investors, regulators, ESG rating firms, and other stakeholders are demanding higher-quality disclosures – particularly on climate, cybersecurity, and other ESG risks – and about how boards and their committees oversee the management of these risks.
Given this challenging risk environment, many boards are reassessing the risks assigned to each standing committee. In the process, they are considering whether to reduce the major risk categories assigned to the audit committee beyond its core oversight responsibilities (financial reporting and related internal controls, and oversight of internal and external auditors), either by transferring certain risks to other committees or by creating a new committee.
The challenge for boards is to clearly define the risk oversight responsibilities of each standing committee, identify any overlap, and implement a committee structure and governance processes that facilitate information sharing and coordination among committees. While board committee structure and oversight responsibilities will vary by company and industry, we recommend four areas of focus:
- Recognize that a risk rarely fits neatly into a single, siloed risk category. While many companies historically managed risk in silos, that approach is no longer viable and poses its own risks.
- Does the audit committee have the time, and members with the experience and skill sets, necessary to oversee the areas of risk it has been assigned beyond its core responsibility – such as cybersecurity, data privacy, supply chain, geopolitical, climate, and other ESG-related risks – as well as the adequacy of management’s overall ERM system and processes?
- Do other board committees have the time, composition, and skill sets to oversee a particular category of risk? Is there a need for an additional committee, such as a technology, sustainability, or risk committee? Is there a need for new directors with the skill sets or experience to help the board oversee specific risks?
- Identify risks for which multiple committees have oversight responsibilities, and clearly delineate the responsibilities of each committee. For example, in the oversight of climate and other ESG risks, the nomination, remuneration, and audit committees likely each have some oversight responsibilities. And where cybersecurity oversight resides in a technology committee (or other committee), the audit committee may also have certain responsibilities. To oversee risk effectively when two or three committees are involved, boards need to think differently about how to coordinate committee activities. For example, some boards in the UK have established a new board committee composed of a member of each standing committee to oversee management’s preparation of the company’s ESG disclosures – including sustainability reports and other ESG publications – for quality and consistency with strategy, as well as consistency across the company’s various ESG reports and publications.
Essential to effectively managing a company’s risks is maintaining critical alignments – of strategy, goals, risks, internal controls, incentives, and performance metrics. Today’s business environment makes maintaining these critical alignments particularly challenging. The full board and each standing committee should play a key role in helping to ensure that, from top to bottom, management’s strategy, goals, objectives, and incentives are properly aligned, that performance is rigorously monitored, and that the company’s culture is the one it desires.