Still, many boards continue to explore building expertise into the current board or finding ways to bring it in from outside. At Radian, for example, the board called on a director from each committee to adopt and watch over a functional area. “It allows each person to take a deeper dive in an individual area and really know what’s going on,” Serio explained. “We also don’t hesitate to hire external experts. We spend time with cyber auditors and have experts in compliance come in every two to three years. So there are ways to get it done.”
Some audit committees chose to adjust their meeting practices to cope with the workload. “We broke our audit committee meetings into two separate one-day sessions in order to cover everything,” noted Kathleen Camilli, a director at Unifirst. “We have very deep dives where management comes in and very deep dives with internal and external experts. Meetings also go on longer and longer.”
Board members also need to walk in prepared, noted Samantha Holroyd, lead director and an audit committee member at Chord Energy. “I’ve been challenging my board members to educate themselves outside of our boardroom,” she said.
“The culture has to be perpetual learning,” agreed Jeff Geygan, a director at Wayside Technology and Rocky Mountain Chocolate and CEO of Global Value Investment. “I tell people when they join the board, ‘This is a roll-up-your-sleeves kind of assignment. You’ll get paid pretty well, but you’ll do some homework at night, for sure. And if you don’t want to take that on, this is probably not the right place for you to sit.’”
Shifting to subcommittees
In some cases, recognition of the significance of a particular risk has led audit committees to hive off subcommittees devoted to a single area of concern. For example, healthcare company Ensign’s audit committee formed a separate entity focused on cybersecurity. “A healthcare data leak impacts every single aspect of the business, regulatory, financial, compliance—the criticality was so big that to have it buried by other matters would not be right,” explained Swati Abbott, a director at the company. “So we spun out a committee where we have internal audits for regulatory and compliance, for how we bill patients, how we protect privacy, and then that committee reports up to the board and the audit committee.”
The shift enabled more effective oversight of the broad spectrum of cyber risk. For example, Ensign’s board was able to look more closely at billing risk, at the regulatory environment, and at the role technology and data analytics can play in privacy. “We can have those interactive discussions, and then the audit committee gets the shout-out reporting,” explained Abbott.
For other boards, the solution entailed taking a hard look at scope creep for the audit committee. “As chair, I try to keep our focus on reporting risk,” explained Ellen Masterson, director and audit committee chair at both Insperity and Westwood Holdings. “What are the systems and processes that build the information, and are they auditable? Are we using internal audit now to build the platform so that when these things do require an auditor’s report, we’ll be there? So when someone says, ‘Oh, the audit committee is responsible for ESG,’ I say, ‘Wait a minute, we’re responsible for the reporting and auditability, but not for the performance.’”
While audit committees have historically taken a triage approach to prioritizing competing risks, assessing and agreeing on the levels of various risks has become more complex. “We use dashboards to identify the top 10 financial risk items each year and then set our agenda to make sure we get through them all during the year,” said John Kurtzweil, director and chair of the audit committee at both Axcelis Technologies and SkyWater Technology Foundry, whose audit committee regularly brings in outside expertise both with management present and for private sessions. “Management always gets concerned, but I’ve told my CFOs, ‘Just get over it.’ Because we’re the audit committee; we’re not management. So we’re going to do independent research, and we’re going to ask independent questions.”
Ultimately, that is the challenge today’s audit committees must navigate: being willing to continually dig in, learn and evolve along with the company and its industry, enough to ask the right questions about the right risks. “We’re all brought onto boards to scrutinize, ask probing questions, take in the information we are provided—or not provided, as the case may be—and challenge management,” said Serio. “We don’t need to be, and we never will be, the subject matter experts. We’re never going to be able to afford all the subject matter experts we want.
“So we have to focus on: Is management handling this information well? Are they responding to things in the marketplace? Despite everything that’s emerged the past few years and that will emerge as time goes on, the job is still the same job. At the end of the day, the question that will come from a shareholder, from a regulator, from a lawyer, will be: Was the board asking the right questions?”
This article appeared in the Q1 2023 issue of Corporate Board Member. Reprinted with permission.