Have you ever wondered about the role of an audit committee in risk management?

An audit committee’s role will be outlined in the committee’s terms of reference. However this may only state the committee has oversight of risk management.

What exactly does that mean?

In CIPFA’s guidance document Practical guidance for local authorities and police (2018 edition) three main roles are outlined:

• Assurance over the governance of risk.
• Keeping up to date with the risk profile and the effectiveness of risk management actions.
• Monitoring the effectiveness of risk management arrangements.

So how do audit committees go about meeting these roles?

It largely depends on the risk information Committees receive and the processes they have for reviewing and challenging risk reports.

A recent survey of London borough audit committee risk reports aimed at trying to find an answer to this question, and there have been some interesting findings.

Survey headlines

Of the 24 audit committee risk reports in the survey, some 61% were published on a council’s committee database. That’s great, as it means most reports were discussed in public or in an open session.

It also showed that most report risk information at every meeting or quarterly, with a few reporting half yearly and annually.

Most reports to committees have a specific cover risk report and attach a risk register, although in one case risk information is contained within a performance report.

Various terms are used to describe risk registers, including; corporate, strategic or principal.

These risk registers vary from a detailed risk register to a brief summary. A few councils do not RAG rate their risk according to a warning system of red, amber and green, at least in committee reports. A couple of councils have alternative scoring systems.

Many committees undertake deep dive reports into specific risks with a relevant chief officer present, allowing the committee to have a more detailed understanding of the risk, as well as the controls being implemented.

One committee holds regular informal risk challenge sessions with individual chief officers about their risk management arrangements within the department.

What are the top five most popular risk categories in priority order?

• Financial
• Contractual and partnerships
• Safeguarding
• Resilience
• Information governance.

However, when analysed for those who have RAG rated risks, the red risks are all the above, but also included Brexit and were minus information governance. That’s not necessarily surprising but useful as a check on our own corporate risk registers.

Some councils are now using infographics to provide a more visual way of reporting risks. I’m sure this trend is likely to grow.

The survey also highlighted other means by which audit committees undertake their role including deep dives on top risks as well as informal rick challenge sessions with chief officers on their departmental risk management arranges and departmental level risks.

Some produce annual audit committee reports which includes all the work the committee have done in the previous year (including in risk management) to evidence how they are meeting their responsibilities outlined in their terms of reference

Its not surprising the councils do have different approaches in providing risk information to audit committees and committees themselves decide how best to fulfil their roles. However, I think it’s worth reflecting on the three roles that CIPFA outlined in their guidance in terms of what more can we do, as risk managers, to help them fulfil these roles. Is the risk information provided is too much or too little detail, can the information be presented in a more meaningful way, does the audit committee receive risk information with sufficient regularity for them to fulfil their role adequately? These questions may help in determining your approach to this issue.

Paul Dudley, Corporate Risk Advisor, City of London and ALARM Finance Director