The Critical Role of Risk Assessments for Public Companies

Risk assessments are critical for any company, regardless of headcount or revenue size, especially public companies or those preparing for an IPO. We’re finding many organizations are challenged to continuously evolve and keep pace with more complexity in their operations. Risk assessments act as a safeguard and have proven to be a valuable strategic tool to identify focus areas, trends, and emerging risks preparing the organization for increased regulatory, financial reporting, and operational challenges.  

The process of a risk assessment allows companies to identify, evaluate, and manage potential risks that threaten a company’s operations or objectives. For organizations with optimistic growth forecasts, the question remains whether their infrastructure can scale to not only support their growth but identify, monitor, and mitigate risks facing the organization in an evolving environment, including expanded scrutiny by both the external auditor and regulators.   

The evolving compliance, regulator, and auditor landscape 

The Sarbanes-Oxley Act (“SOX”) was a groundbreaking development for public companies, enacted two decades ago, and it still fundamentally reshapes how companies view their operations and processes related to financial integrity and transparency. With that, SOX has also transformed the role of the auditor and the regulators, particularly the Public Company Oversight Board (“PCAOB”) and the Securities and Exchange Commission (“SEC”), which oversees the PCAOB.   

Since SOX was enacted, the PCAOB and SEC have played pivotal roles in transforming how risk assessments are conducted and reported. Auditor responsibilities have also expanded significantly, making their role in the risk assessment process more important than ever.  

Like a waterfall, identification of enterprise-wide, high-risk area allows for targeted reviews to drill down risks further and design effective controls to mitigate those risks to be within the organization’s risk tolerance. Some examples include scoping and risk assessment identifying financially material risks to facilitate SOX compliance, including the intersection to cybersecurity risks given the responsibilities under SOX in this evolving digital era.   

Cybersecurity risks are increasingly viewed as material risks that can impact a company’s financial statements, and a cyber risk assessment is essential to comply with SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (adopted July 2023). Without continuous and proper risk assessments, public companies might struggle to adapt and ensure they have meaningful outcomes around internal controls. 

Knowing high-level risks allows for an organization to manage that risk according to their risk appetite, organizations can leverage the enterprise-wide risk assessment to drill down and pinpoint their high-risk areas. For companies looking to raise capital through public equity or are already publicly traded, risk assessments are not only a best practice and a component of a proper governance structure, but there is an increased focused on and requirements for risk assessments from public company regulators and auditors. In August 2023, the SEC issued a statement on The Importance of a Comprehensive Risk Assessment by Auditors and Management. In that statement, the SEC’s Chief Accountant indicates that:  

“Risk assessment processes are critical to the decisions regarding financial reporting and the effectiveness of internal control over financial reporting (“ICFR”). Accordingly, we are troubled by instances in which management and auditors appear too narrowly focused on information and risks that directly impact financial reporting while disregarding broader, entity-level issues that may also impact financial reporting and internal controls. Such a narrow focus is detrimental to investors as it can result in material risks to the business going unaddressed and undisclosed, thereby diminishing the quality of financial information.”   

Furthermore, in June 2023, the PCAOB, which oversees public accounting firms, proposed to change AS 2405 Illegal Acts by Clients to Non-Compliance with Laws by a Client (“NOCLAR”).  The proposed changes would, among others:  

“Enhance the auditor’s procedures for obtaining an understanding of the company and the auditor’s risk assessment procedures related to a company’s noncompliance with laws and regulations and improve identification of noncompliance with laws and regulation, through targeted amendments to AS 2110, Identifying and Assessing Risks of Material Misstatement.” 

Best practices 

A top-down, enterprise-wide risk assessment is advantageous on several levels inclusive of regulatory and financial reporting. The assessment identifies operational and reputational risks along with various technology risk areas, including cybersecurity and data privacy. Modernized risk programs have shifted to incorporate risk-sensing approaches such as digital delivery, continuous oversight and controls monitoring, strategic change, and real-time market awareness.  

It is crucial to go beyond assessing general risks that impact companies and examine risks specifically tailored to your business. Modern SOX compliance efforts should focus on:  

• Adopting best practices to improve processes by eliminating redundancies.  
• Leveraging technology and automating compliance efforts. 
• Staying current and adapting quickly to regulatory changes and auditor requirements. 
• Properly assessing materiality and deficiencies, including discussions with auditors. 
• Implementing data analytics for continuous controls monitoring.  

Effective risk assessment is crucial for public companies not only to comply with regulatory requirements, like SOX, but also to safeguard their assets and reputation. Assessing risk should be an evolving and adaptative process, aimed at continuous improvement through fostering a strategic approach to managing risk woven throughout an organization’s governance structure and allowing for emerging risks to be identified and mitigated as they develop.  

An experienced enterprise risk management consultant can provide valuable insight to companies by helping them create and sustain a resilient risk management infrastructure. Contact us below if you have questions about implementing or updating your organization’s risk assessment program.