Bryan’s Blog: Should Audit and Risk Committees be Separate?

Within an organisation, it is management’s responsibility to identify and manage risk and opportunity within a predefined risk appetite which has been established in consultation with the oversight body, most commonly a Board of Directors or an Advisory Board. Management is also responsible for reporting to the Board that risks and opportunities have been identified and managed appropriately.

The Board’s “assurer role” is to provide stakeholders with assurance that management has identified and managed the organisation’s risks and opportunities. Its second role, the “mentoring role”, is to provide oversight of the risk and opportunity management process, based on its experience and understanding of the organisation and the industry or industries in which it operates.

As the Board acts as both mentor and assurer, the question arises as to whether the Board is able to fulfil this role via one committee, such as a Board Audit and Risk Committee, or whether it requires two committees: an Audit (Assurance) Committee and a Risk (Mentor) Committee.

In my view, if the organisation has sufficient resources, the Board Audit and Risk Committee should be separated. This removes the inherent difficulty of being both a mentor as well as an assurer. Both roles are integral to a healthy risk management culture. Management is more likely to seek guidance and support from a mentor than an assurer. The assurance role is necessary as well, however, as management must be held accountable.

In the absence of sufficient resources to create two committees, the Board Audit and Risk Committee’s first priority must be its assurance role and its second priority, its mentoring role. Given the appropriate charter, culture and skills of individuals on the committee and within management, this model can be successful, providing there is a strict separation of roles and responsibilities for Audit and Risk Management in the executive team. The Chief Audit Officer should be focussed on assurance while the Chief Risk Officer should be focussed on mentoring and facilitating so that the risk management culture of the organisation is strong and effective.

In August 2009 the NSW Government launched a new Internal Audit and Risk Management Policy and there is no call for a separate risk committee, even for the largest agencies. RMP believes this has the potential to create confusion as to whether audit and risk should be combined in the executive ranks or, as RMP contends, should be strictly segregated. In RMP’s view the policy should simply be called the “Internal Audit Policy” as the oversight role is described more with an assurance tone than a mentoring tone.

In my role as the NSW Chapter President of RMIA I was invited by the Editor of MIS Magazine of the Australian Financial Review to attend a very nice luncheon the other day. The topic was essentially what keeps CIOs awake at night.

There were many discussions and views on availability of systems to users. I felt that availability was a 100% expectation 99.9% of the time and if a CIO was losing sleep over this they were in mighty trouble.

My view of what should be keeping CIOs awake at night was whether they were doing their bit to help ensure the organisation could deliver on its objectives. Availability is obviously necessary; however, if CIOs are not helping to provide a competitive advantage through sound system investment, they are not doing the job the rest of the Executive is expecting.

Three of us were interviewed after lunch. You should be able to see the interviews at the link below.

http://tv.misaustralia.com/video/Roundtable/117/8441