Audit committees are increasingly focusing on risk management this year, according to two leading surveys of executives.

Enterprise risk management (ERM) ranked second (45 per cent) – behind cybersecurity (63 per cent) – as one of their top areas of focus in 2023, according to a survey by Deloitte and the Center for Audit Quality in the US.

“Due to an increasingly complex risk landscape, audit committees need to stay abreast of new risks and dynamically adapt their models,” the report said. “They should also understand management’s process to identify emerging risks and focus on risks that matter most to the strategy.”

Who is responsible?

Most commonly (43 per cent), respondents said that the audit committee was responsible for overseeing ERM. Over a quarter (28 per cent) said the board was responsible for ERM oversight. But in the financial services sector, 51 per cent said they delegated this role to a dedicated risk committee.

The report urged audit committees to have ERM on the agenda at every meeting. “Finally, ERM isn’t an audit committee-only topic,” it said. “Similar to cybersecurity risk, the board should understand management’s approach to enterprise risk, periodically receive an update on enterprise risk processes, and play a role in identifying key risks.”


In a recent report, the consultant EY said that many audit committees have made risk management a top priority in 2023. With slowing global economic activity, high inflation and rising interest rates, organisations are reframing their strategies and focusing on risk management and resilience.

“As organizations prepare to address questions from analysts, investors, regulators and other critical stakeholders on topics such as customer demand, liquidity, supply chain stability and capital allocation, they will need to re-examine their processes for risk identification and assessment to ensure that they have a holistic view of interrelated risks and better understand the related implications,” the report said. “Leading organisations are performing risk assessments more frequently (for example, quarterly) and leveraging real-time data to better understand their risks and related exposures, including how those exposures are changing quarter over quarter.”

The report said that audit committees are dedicating more time on the agenda to discussing resiliency and they are using scenario planning tools for key risks. “Leading organisations are using simulations, triggers and multi-faceted scenarios, including exercising more rigor in developing base plans and alternative scenarios,” it said.