Maintaining critical alignments during disruption and turmoil

Audit committee oversight of critical alignments—of strategy, risks, incentives, performance metrics, internal controls, and more.

Even in good times, maintaining critical alignments throughout the organization—strategy, risks, incentives, performance metrics, internal controls, and more—is a significant challenge. But the fallout from the COVID-19 pandemic, Russia’s invasion of Ukraine, supply chain disruption, global economic volatility, and regulatory and stakeholder demands for action on climate and a range of environmental, social, and governance (ESG) issues has made the maintenance of critical alignments even more challenging, and a key area of board focus.

As the business and risk environment has become dramatically more complex, companies have had to adjust strategies, restructure operations and supply chains, shift to remote work, change product lines, reduce costs, and respond to stakeholder and regulatory demands for greater transparency. In some cases, the business itself has been transformed, placing greater demands on the risk and control environment.

Patrick A. Lee

Patrick A. Lee

Senior Advisor, KPMG Board Leadership Center, KPMG US

While it is management’s responsibility to maintain these alignments, audit committees, given their role in the oversight of financial reporting, internal controls, and compliance, are in a unique position to oversee management’s efforts to ensure proper relationships among the array of activities that must be aligned and realigned. To address this challenge, the KPMG Board Leadership Center suggests five questions for audit committees to consider.

Does management have a full inventory of the company’s critical risks, including those posed by changes in the business? How has the company’s risk profile changed? What emerging and evolving risks have been added to the risk radar? What’s missing? The events of the past few years have brought to light a range of emerging or evolving risks to be managed, from employee and customer health and safety and the business risks associated with managing remote workforces, to the acceleration of digital transformation, cybersecurity, changing customer demands, and vulnerable supply chains. Extreme weather events have made clear the increasing threat that climate change poses to companies, supply chains, and customers. Also in the spotlight: ESG risks, particularly social issues, including employee well-being, pay equity, racial and gender diversity, human rights, and fulfilling corporate commitments to stakeholders.

Has management identified the risks posed by changes in the business in relation to people, processes, technology, products, or business models? An important part of any discussion about change and risk is complexity: the greater the complexity, the greater the risk. Every company should, at a minimum, consider the need for a formal process to identify the significant changes, planned and unplanned, taking place in the organization and the risks they pose.

Is there a formal process to link changes in the company’s risk profile, including those posed by changes in the business, to the company’s risk management efforts, internal control processes, and compliance program? Changes in the company’s risk profile pose various internal control and compliance issues. It is essential that any changes be communicated so that appropriate risk mitigation activities, internal controls, and compliance initiatives can be implemented. A formal process to ensure that this communication takes place and proper linkages are established is key.

Does internal audit connect the dots and communicate key areas of concern about these linkages? As the role of internal audit evolves, more organizations are looking to internal audit to observe when and where new risks are seeded and how they are managed across the organization. This requires that internal audit have a seat at the table, anticipate emerging risks, and proactively adjust audit plans and activities as changes occur in the business, in the company’s risk profile, in the control environment, and in the compliance environment.

Given the speed of change and the velocity of risk, does management assess the company’s critical alignments on a regular and frequent basis? Recent events have demonstrated that changes are often fast and dramatic. Management and directors need to understand the velocity of risk and the speed at which an emerging risk can manifest and have a catastrophic impact on the business. In this environment, annual or semiannual assessments may not be adequate.

Do the audit committee and other standing committees effectively coordinate their oversight of management’s critical alignments? The full board and standing committees play a key role in helping to ensure that management’s goals, objectives, and incentives are properly aligned, that performance is rigorously monitored and assessed, and that the culture throughout the organization is “right.” Information sharing and communication or coordination among board standing committees regarding these critical alignments is essential.

This article originally appeared in the Fall 2022 issue of NACD Directorship magazine.

Receive the latest from KPMG Board Leadership Center

Sign-up to receive Board Leadership Weekly, Directors Quarterly, and more.

Sign-up to receive Board Leadership Weekly, Directors Quarterly, and more.