Adding risk to the audit committee

Adding risk to the audit committee

When the Queensland board of a major national not-for-profit organisation completed a major risk management exercise late last year, it added the risk overview function to its audit committee.

“The board had finished its identification of risk areas, defined priorities for various risks and assigned various executives with responsibilities over those areas,” says Eric Walters, a recent recruit to the committee.

“While risk is a responsibility of the board, we’re a committee of the board and we were looking at where the responsibilities of the board and the committee start and finish (to complete our Terms of Reference),” says Walters, a senior financial planner with a background as a public accountant.

Researching how other audit and risk committees manage the risk process, Walters says he was surprised to find there was no simple solution.

“When you’re looking at a risk committee’s responsibility, there’s no standard template for it because each undertaking and organisation has different levels and types of risk. And the board itself attributes or allots different priorities,” he says.

For example, in one organisation fraud in a retail outlet might be considered a high risk. But in another organisation, where retail is less important, that risk would not be rated a high priority.

“Another organisation may be more worried about publicity risk or reputational risk and so on,” says Walters.

Following process

Walters says that, as part of defining its role, the committee also found it useful to reconcile the risk management process with the board’s charter.

“In the course of that process we identified some anomalies and have made a couple of recommendations to the board. They’re not major ones, but there could have been a gap. So the process helped to tie all of that together.”

It’s important to work closely with the committee and the board to get the process right, says Walters.

“From our point of view – and the board may have another point of view, the most important thing is that the process the board has come up with to manage risks are okay, and those processes are being properly implemented,” he says.

“So our role is to keep our eye on that, to discuss the various steps with the people responsible; and to test them occasionally – and not necessarily with any warning of our review.”

The Society came through a threat to its operations earlier this year after a storm “ripped through the top floor of our building”, disabling the call centre, says Walters.

“We have people at risk out in the community who need to call that call centre, to make us aware of their plight. We can’t afford to be down for three weeks or so while we’re waiting for insurance to come. But the staff had it up and running within a few hours.

“So, it’s our responsibility to make sure those processes are in place; that people are adequately trained; that facilities are available to switch over as quickly as that,” Walters says.


In other words...

  • Audit and risk committees need to taking direction from the board’s setting of priorities for risk management
  • Reconcile the charter with the risk management strategy and remove anomalies
  • Test that the processes are sound

You may also be interested in…