Risks Confronting Boards 2016 - Audit Committee Most Significant Risk
To get a better breakdown of the risks boards are faced with, we asked directors an open-ended question about what the committee feels is the most significant risk under its responsibilities. For directors on audit committees at public and private organizations, financial statement accuracy is the most significant risk, while financial risk is the most cited risk for not-for-profit audit committee members. Directors on private boards' audit committees also identified cybersecurity, while not-for-profit directors included internal controls.
To further explore board committee's top-of-mind risks, we asked how directors felt about the oversight and management of each committee's most significant risk.
Across all three board types – public, private and not-for-profit – we see satisfactory results (59%, 55% and 52% respectively) indicating that the audit committee is providing adequate oversight of its most significant risk.
However, when asked whether management is adequately addressing this risk, the results were less favorable – 40% public, 34% private and 36% not-for-profit.
Generally, when asked if management was adequately addressing the risks of each committee, the executives yield lower percentages (in some cases as much 20%+) than the board/committee providing adequate oversight.
Another interesting result is driven by the members of the risk committee. This committee, along with strategy, shows less confidence in itself than other committees. Boards are charged with providing the organization with strategic planning, which also includes managing risk.
A growing trend within boardrooms is audit committees with too many responsibilities to effectively manage and oversee. With the creation of additional committees (risk, technology, strategy, and others), some pressure can be alleviated from the audit committees to oversee and understand all the key issues and risks, provided that non-audit committee members (who have the skill set) are assigned to these committees. Having the numerous tasks and efforts spread more evenly through the different committees should enable more effective risk management.
In last year's survey (2015), it became obvious as the results were analyzed that boards were concerned with a range of risks: What should be top-of-mind, and which risks could be most detrimental to the organization. However, it seemed there was little to no action in terms of addressing the key risks. This year, we delved into the issue directly. In an open-ended question, directors were queried about which risks garner the most board discussion, with the least management action.
Public boards see senior management succession planning as the most discussed risk with the least amount of action from
management, followed closely by cybersecurity risk. Product risk is the third most popular response. Public board members cite these
3 risks more than private and not-for-profit boards combined.
Directors from private boards showed greater variance. Their top responses included:
- Senior management succession planning
- Key skill deficits
- Global economic conditions
Not-for-profit directors commented most frequently around financial risk and fundraising issues, including long-term financial management.
Senior management succession planning follows financial risk in popularity, with prioritization/strategy rounding out the top 3 risk areas with no action.
With such a variety of risks that public, private, and not-for-profit organizations have to combat, it can be a daunting task for boards and management to focus on and prioritize all of the potential issues that can and probably will arise. Throughout this year's survey results, it is clear that boards are concerned with how to prioritize and focus on the most important issues and risks while guiding a strategy that benefits the organization.
We polled directors on which best practices they wish to see their boards implement to better address their companies' risks. The results varied dramatically among the 3 company types surveyed: more than 70% of public boards want to see an integration of risk and strategy board discussions; 59% of private boards would like to see this change as well, and only 40% of not-for- profit boards would employ this best practice. There is not a one-size fits all solution nor a standard set of practices that boards must do in order to thrive. It is certainly whatever works best for the organization and shareholders, which can be radically different on not only an organization type level, but also on a case-by-case basis.
As stated above, public boards would like to see an integration of risk and strategy during board discussions. Also of some interest is more frequent risk deep dives during board-management meetings.
Private boards were also interested in an integration of risk and strategy during board discussions. More than public boards, scenario planning at the board level and board training on emerging risk areas garnered favorable results in private organizations. Overall, private boards seem to be more concerned with board-level involvement than public boards.
Not-for-profit boards are focused on implementing more frequent risk deep dives during board- management meetings.
Concerns About Risks Confronting Boards - 2016 Survey Results