Welcome to my blog on Chairing the Board

Time to De-couple Audit & Risk

Ditch the Audit & Risk Committee? That’s governance heresy, surely?

Bear with me for a moment:

The ‘ARC’ or ‘FARC’ (Finance, Audit & Risk Committee) is often seen as vital for best practice governance. Surely it shows that directors are prioritising protection of the business and assets they’re responsible for … doesn’t it?

But is this really true?

What types of people do we need on these committees?

  • For Audit, we think of financial literacy, an understanding of financial reporting and internal controls, typically the ability to get into the detail, drilling into how the company actually operates and measuring it accurately. We need these people. These functions are crucial for the business, ensuring we stay solvent, have the internal protections and controls we need, and that our reporting is not only accurate and compliant with the standards, but also timely.

  • Now, what type of people do we want for our Risk Committee? Risk requires a different mindset. While financial and compliance risks matter, they’re seldom the ones that threaten a company’s future. The real dangers are more likely to come from strategic over-reach or external events we can’t control – natural disasters, trade or shooting wars, pandemics, or shifting social attitudes. We’ve all navigated some of these in recent years.

In my experience, these strategic and external risks seldom sit high on the agenda of a committee focused primarily on finance, accounting and compliance. Similarly, these guardians of our financial integrity and legal conformance aren’t always those best suited to the forward- and outward-looking work of Risk oversight. (For more, see my earlier post, ‘Who saw that coming?’)

I’ll admit: this isn’t an original idea. In 2009, Sir David Walker reviewed the British banking system after the Global Financial Crisis. He noted that many failed banks had Audit & Risk Committees, yet few had anticipated the ‘Black Swan events’ of the previous two years. Walker recommended separating these committees, particularly for larger institutions, but for reasons slightly different from mine, arguing mainly that Audit Committees were already overburdened.

Let’s take Sir David’s thinking a stage further:

  • Who’s responsible for overseeing development and implementation of our Strategy? Typically, the full Board.

  • Risk, defined by the International ISO Risk Management Standard as ‘the impact of uncertainty on objectives,’ is neutral – neither good nor bad.

  • If the Board is responsible for Strategy, why wouldn’t it also oversee the ‘uncertainty’ around achieving that Strategy?

  • In the same vein, why not also put Risk under a committee of the whole Board, so all directors can contribute?

  • Who then should chair this committee? After leading powerful debate and helping to develop great Strategy, our Board Chair is perhaps not the most effective leader for our discussion on what could possibly upset it. I typically recommend that we invite another senior Director to chair our Risk committee.

So, will you de-couple Risk from your Audit Committee?

Or will you stick with the more traditional model – and if so, for any reason other than institutional inertia?

Your Board’s choice … please let me know your thoughts and experience.