The Pontificators

Audit and Risk Committees (ARCs) are the topic today in response to a request from a respondent to my recent survey on your preferences on what you would like me to blog about. I am moving on from the strategy for your enterprise risk program to reporting on risk and first cab off the rank is the role of the ARC. “What should they be doing and what should be their KPIs?” was the request.

I’ll start with a problem I have experienced from my roles in the past as an independent on ARCs. I was given information about risk but nothing about current performance of the business other than for sessions on budget setting or re-forecasting. And then I had to infer a lot of it from the numbers and the commentary on some of the numbers. As I have written and preached time and time again, performance and risk reporting should be integrated and should reflect on whether the organisation is operating within appetite for risk.

Therefore, the most important item on an ARC agenda, from a risk perspective, is the assurance they can provide the Board that the performance and risk report on its way through the ARC to the Board appropriately reflects reality.

Second, if the reporting includes unacceptably high risks or the organisation is substantively outside of appetite for risk, the ARC should question, provide commentary or even recommend action on any apparent mismatch of risk and the allocation of resources. That is, if one area has all the resources and little risk, perhaps some of the resourcing should be re-allocated to other areas of risk.

In addition to all the different audit (internal and external), compliance, WHS, fraud matters (etc. etc. depending on industry), I recommend the ARC always have a senior executive make a presentation on their risk profile to provide additional assurance that senior leaders are engaged with the risk program.

When it comes to KPIs, I must admit I have not spent much time considering or advising on this. I would be happy to hear about yours if you have some good ones. Otherwise, what comes to front of mind is the extent to which the risk profiles (that made it through the ARC to the Board) reflected reality. That is, a KPI on the number of surprises in a year where, upon investigation, the risk was never properly acknowledged and reported by management.

Of course, this leads to a whole new set of questions about how the ARC can provide assurance and the budget they may require to do so.

Bryan is a management consultant operating since 2001, specialising in risk-based decision making and influencing decision makers, born from his more than twenty years of facilitating executive and board workshops.

Bryan’s experience as a risk practitioner includes the design and implementation of risk management programs for more than 150 organisations across the public, private and not-for-profit sectors.

Bryan is the author of Risky Business : How Successful Organisations Embrace Uncertainty; Persuasive Advising : How to Turn Red Tape into Blue Ribbon, and Team Think : Unlock the Power of the Collective Mind [to be published in 2022].

He is licenced by the RMIA as a Certified Chief Risk Officer (CCRO) and is the designer and facilitator of their flagship Enterprise Risk Course since 2019.

http://www.bryanwhitefield.com
