Given the accelerating speed and complexity of business, it is the rare board today that isn’t spending more time talking about strategy and risk. Yet some boards are going a step further and taking out the proverbial stepladder to get a better view of the company’s key governance activities. Are risk management, contingency planning, financial reporting and controls, compliance, internal audit, strategic planning and execution, and board oversight all working in sync? Do all of these moving “piece-parts” of the company’s governance have a shared—and current—view of the top risks to the enterprise?
Survey findings from our latest KPMG Roundtable Series in more than 25 cities are telling: Only 39 percent of the 1,200-plus directors and senior management polled during the series said they are satisfied that their company’s governance activities are appropriately focused on the greatest risks to the company’s reputation and brand. Less than a quarter said they are satisfied that key governance activities are aligned with the company’s risk hot spots, and that the company’s governance activities are integrated into the strategy and add “real value” beyond simple compliance.
KPMG’s Roundtable Series highlighted a number of ways that boards can help assess whether a company’s governance activities are keeping pace in a fast-changing environment:
Understand the company’s risk hot spots and how the company monitors and manages these risks. Specific risk hot spots vary by company and industry, but typically they include emerging technologies/new IT systems, disruption of the business model, cybersecurity and the protection of IP, globalization and systemic risk, the extended global organization (vendors and suppliers), M&A, compliance and government regulation, business transformation and changes in the operating environment. In light of the volume, complexity, pace and interconnectivity of these risks, boards should be asking not only whether risk management is keeping up, but whether all key governance activities are keeping pace together.
Do key governance activities have a shared view of the company’s risk hot spots? Every company has a number of governance activities or “lenses” through which its risk hot spots are viewed—e.g., risk management, contingency planning, financial reporting and controls, compliance, internal audit, strategic planning and execution, and ultimately board oversight. Are all of these perspectives and moving piece-parts in sync? No one size fits all, but the right governance framework—driving the right culture and tone throughout the organization—can help ensure that various governance activities are coordinated and integrated into the strategy to add “real value” beyond simple compliance (e.g., so that strategy and contingency plans can be recalibrated as the risk environment changes).
The audit committee is uniquely positioned to help ensure alignment. At a time of dramatic change in the business environment, the risk of misalignment of governance activities can be high (e.g., the company’s supply chain or IT systems may be undergoing critical changes, posing new risks to be managed and requiring new mitigation activities, controls and contingency plans). The audit committee—perhaps in coordination with other board committees, such as a risk or compliance committee—can serve as a catalyst to help ensure alignment, as it typically has oversight responsibility for, or at least substantial involvement in, so many of the company’s core governance activities. The audit committee also can help set the tone and culture regarding the importance of governance, including elevating the stature of management responsible for key governance activities (e.g., general counsel, CRO, chief information officer, chief compliance officer and chief audit executive).
Set expectations and spot gaps. A key role for the board and audit committee is to help set expectations for an integrated approach to governance (i.e., is there a single up-to-date “governance view” of the enterprise?), and to help identify potential gaps. Who is responsible for identifying and monitoring risk hot spots on a real-time basis, and aligning governance activities accordingly? What roles do the CEO, CFO, GC, CRO and CCO play? Is internal audit properly focused and resourced? Are the roles of the board, audit committee and other committees in overseeing key governance activities clear?
Also consider whether the board and the audit committee are keeping pace. Do they have the resources, agenda time, expertise and boardroom culture to effectively challenge and advise management in these times of rapid and dramatic change? Are the board’s governance processes keeping pace with technology, globalization and business change?
Dennis T. Whalen is partner in charge and executive director of KPMG’s Audit Committee Institute.