The Role of the Audit Committee In Risk Management

Abstract

Risk is a Board responsibility, which cannot be delegated. The boundaries of the audit committee lie somewhere below strategic risk, which is a Board function, and above detailed internal control, which belongs to management. However, there was no consensus about just where those boundaries lie. The flipside of risk is opportunity, and the Board should set a risk appetite for the organisation that reflects this. The Combined Code suggests a role for a Board-level risk committee, comprising independent non executives. The participants in the discussion did not think this to be practical: risk management must involve executives. There is a danger that too much focus on the process of risk management could lead to complacency or to a lack of focus on the risks themselves. The review of risk at Board and audit committee level necessitates having non executive directors with a suitable range of backgrounds. The skills mix, as well as financial, should include high-level business knowledge, for example the understanding of significant opportunities/risks specific to the business. A key aspect of risk management is understanding the culture of the organisation. Non executives, with limited contact below Board level, may find difficulty in understanding the culture at lower levels of the organisation. The audit committee's role in risk management requires a strong relationship with the internal audit function of the organisation, one of whose roles is as a ‘financial policeman'. Different types of risk should be addressed in different ways. Financial, operational and strategic risk have little in common, and their management and review should reflect the context of the particular compan