Board Audit Committees
The NACD (National Association of Corporate Directors) is correct to say that board audit committees face an overwhelming set of issues, typically beyond their classic SOX, audit and finance line of sight.
Cyber, fraud, ESG, risk and especially compliance-violation topics should be spun off into a dedicated "risk and compliance committee" (or "ESG and compliance committee") that covers cyber security and compliance issues, because cyber, major crimes and fraud cut across both short-term (shareholder) and especially long-term (environment, society / community, employee) stakeholders.
What we are really experiencing is this: the board model we inherited from our "grandparents" is no longer fit for purpose for today's governance challenges.
Like the game of limbo, the bar that a Caremark shareholder claim must clear has been set far lower since Marchand v. Barnhill (Del. 2019), which widens directors' liability exposure.
– The "limbo" boards must face is proving that they actually discharged their Caremark duty of oversight. If cyber and especially compliance are afterthoughts (no metrics, no active oversight) and disaster then strikes, shareholder litigation is more likely to succeed.
The "G" in "ESG" must be more proactive, practically angry at CEOs, in addressing cyber, fraud, ESG and the collateral damage of compliance violations, because this scope creep has been under-appreciated and low-priority for our "grandparents'" audit and other board committees.
There is no E or S without an effective G.
1. Require bona fide risk / compliance skill sets so that board members can truly challenge management and hold their feet to the cyber / compliance risk fire, especially the emerging smoke. CPAs and financial-control skills address important SOX issues, but are they fit for purpose to understand and challenge a revenue-focused CEO about cyber and financial crime in a digital age?
2. Recognize that the board issues noted in the article are not mutually exclusive. In fact, cyber and compliance breaches affect all of them, including the "in-scope" traditional accounting and audit issues, and those accounting and audit issues in turn affect cyber and compliance exposure.
3. Re-prioritize board agendas, which too often focus on our "grandparents'" issues: revenue, revenue, revenue, then strategy (and then litigation matters), and not enough on the foundational controls, which affect both revenue and reputation.
4. Lastly, spin off cyber and compliance issues into a dedicated committee and feature them prominently on the full board agenda.