The changing role of audit committees
The changing role of audit committees
The article was published in The Business Times on 2 May 2017
They now have a bigger part to play in managing risks and thinking about how to benefit from them
In thinking about risk, there is a natural compulsion to shrink back at the word. For many, it represents a threat and a danger which must be extinguished immediately.
Today, risk is a much more complicated idea especially in a landscape where business environments have become complex beasts. Simply put, risk can be both a threat as well as an opportunity.
Take the well-known story of Uber and Grab. Both start-ups saw the potential for innovation which would serve unmet customer needs, and allow them to profit from it.
From the point of the taxi industry, while these start-ups represent an existential threat, it also represents an opportunity for evolution.
The taxi companies have responded to the challenge and are exploring new ways of meeting the demands of customers. Several now have their own apps and compete head-on with the disruptors at their own game.
Even taxi drivers have gotten in on the act, realising that the best way to compete with Uber drivers is through better service.
As taxi companies evolve to meet the competition, their resources and understanding of the regulatory landscape, could for example help them race ahead of the tech companies in adopting new technology, such as driverless cars.
One question remains: Whose role is it to anticipate such changes? The management, for one. Increasingly, however, audit committees have a big role in forestalling these risks and thinking about how to potentially benefit from them.
Creating value from risk management
Audit committees (ACs) have traditionally focused on reviewing financial reporting, internal controls and compliance. But over time, the roles have evolved. Many ACs now oversee risk management as well.
A recent survey bears this out. The KPMG 2017 Global Audit Committee Pulse Survey showed that the majority of ACs, including Singapore, identified risk management, legal/regulatory compliance and cyber security risk as the top challenges in the year ahead.
The survey also found that internal audit can maximise its value to the organisation by focusing on key areas of risk and the adequacy and effectiveness of the company’s risk management processes generally.
Audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks, such as cyber security and technology, and related controls—and not just compliance and financial reporting risks.
It’s not hard to see why. Companies are facing economic risks and general volatility in the environment. Brexit fears have yet to die down while the global economy faces a testing period of rising interest rates. Furthermore, the threat of disruption hangs over all industries.
In this environment ACs can not only play a pre-emptive role in insulating companies from risk but also drive value within companies in managing these risks. I see three areas in which this can be done.
First, ACs can help set the right levels of risk appetite and tolerance to provide the board with the appropriate amount of control.
This is crucial because not all risks are the same, and the approach has to be customised for each set of risks. Armed with properly-adjusted risk tolerance levels, companies can make quick decisions, a key advantage for corporates navigating in the fast-changing business environment.
For instance, even though credit and solvency risks are clearly the main problems for oil and gas firms, many still place health and safety and operational risks at the top of their risk registers. Focusing on one set of risks creates tunnel vision and increases the chance of becoming blindsided by other challenges that may emerge.
Second, ACs are key players in raising the levels of transparency, which, in times of uncertainty, can boost a company’s profile.
Last year, new reporting requirements kicked in for annual periods ending on or after 15 December 2016. Among the key changes is the requirement for auditors to identify and report on Key Audit Matters (KAMs) in the audit report. In Singapore there is a push for ACs to provide commentary on the enhanced auditors report.
Increased levels of transparency in an era of elevated risks can pay off, especially if it attracts investors looking to invest in open and transparent firms.
Third, ACs can also help build a culture of enhanced risk management in companies.
The KPMG survey found that tone at the top, culture and short-termism are major challenges that ACs will need to grapple with. Nearly a quarter of global audit committee members and 38 percent of Singapore audit committee members surveyed ranked tone at the top and culture as a top challenge.
In the current complex environment, risks can emerge from anywhere. There is no simple solution except to ensure that everyone in the company, from the management down, is sensitised to scanning for risks. ACs can play a role in engendering this culture, cultivating and nurturing it, and measuring it.
Radar for risks
But there is more work that needs to be done. The KPMG survey showed that one in five AC members said they are not satisfied that their committee agenda is properly focused on the key issues at stake.
ACs need to seek better and faster assurances from internal audit as well as external audit to maximise the effectiveness of such risk management drives. Data analytics can also help sharpen the focus and clarity on the risks at hand; too few companies make good use of such tools.
It is the right step to start evolving ACs now. They can play a bigger role in not simply acting as a check on internal processes but also as a radar scanning for external risks. The management will need to equip them with the right tools in order to effectively monitor, manage and deal with these risks.
This will not only help prepare companies for external shocks but drive even greater efficiency for businesses which need to quickly adapt to an ever-changing landscape.
The writer is Irving Low, Head of Risk Consulting, KPMG in Singapore.
The views and opinions are the author’s and do not necessarily represent the views and opinions of KPMG in Singapore.