Are boards predicting risk effectively?
By James Bagge | 12/03/2020 in Blog posts
Is the introduction of an audited resilience statement, to assess ability to cope with existential threats, enough to protect companies?
When the first case of coronavirus (COVID-19) was officially reported in Wuhan, China, on 31 December 2019, few people could have predicted the widespread impact less than two months later, which has brought entire countries to a halt and seen global stocks face their heaviest decline since the 2008 financial crisis.
Most boards would have listed the very real prospect of a pandemic on their risk register. But how many stress-tested the possibility of business travel being banned and central offices having to close, let alone brought forward their digitisation plans to allow as many people as possible to work remotely under quarantine measures?
With ever-increasing pressure on the audit and risk functions to better protect clients from risk, the recent Brydon report into the quality and effectiveness of audit recommends that directors publish a Resilience Statement and stress-test various scenarios that could threaten the company’s business model. This would allow auditors and shareholders to pass opinion on how well directors are strategically positioning the business to address the risks of existential threats, such as, say, climate change or pandemics.
But how far will this go towards protecting companies from existential risk?
Broadening the scope of audit
Given the uncertainty and complex interdependencies of the global world in which we now operate, any measure that encourages directors to prepare their companies for the future is to be welcomed.
The concern is how well-equipped directors and auditors actually are to pre-empt risks over the timescales put forward for each of the three components of the Resilience Statement:
- A short-term reporting component, incorporating the existing going concern assessment, but with enhanced transparency, including the disclosure of material uncertainties that could impact on the company as a going concern before any mitigating action has been taken into account.
- A medium-term component, representing a more robust and transparent version of the existing Viability Statement, but including stress-testing of various scenarios that could threaten the company’s business model, drawing on models currently used by the Prudential Regulation Authority for financial services companies.
- A long-term component, providing an opportunity for directors to set out how they are positioning the business strategically to address the risks of potentially existential threats such as climate change.
The Report discusses how auditors would be expected to express views on each component with varying levels of confidence. It places on auditors an obligation to disclose any information they find (within the company or from external sources) during the course of the audit that materially contradicts anything in the Resilience Statement. It will primarily be for shareholders to judge the extent to which a company’s Audit and Assurance Policy enables satisfactory assurance over the Resilience Statement as a whole.
Preparing for the unexpected
In broadening the potential scope of audit beyond mere re-assurance of the truth and fairness of financial statements, the Brydon report raises an expectation that boards can and should be able to assure and inform their shareholders on a far broader array of issues than just the financials as per the diagram below.
This new model not only requires the board to give a level of ‘audited’ assurance over ESG, cyber and mineral reserve areas, which it is now expected will require a pre-determined level of audit assurance, but also over the culture of their clients, given the direct bearing of company culture on the behaviour of boards and their attitude towards risk.
However, despite broadening the scope of audit and raising expectation about what this can achieve, Brydon stops short of asking auditors to acquire the skills needed to do this, conceding that, ‘whilst auditors may have a wide variety of skills, it is not a requirement of today’s auditors to have formal expertise in assessing business models, corporate strategy, culture, values and principles and management ability.’
Instead, it is proposed that other experts, be these cyber, cultural or environmental, be brought in to provide assurance on specific risks, with Brydon going on to recommend that the scope of the audit process be defined by the Audit and Assurance Policy and made available for scrutiny and comment by shareholders prior to the audit.
Who audits the board?
With directors themselves still retaining influence over deciding which topics matter when it comes to preparing for risk, the board’s thinking on risk and the cultural factors influencing this, such as the ability of directors to voice concerns and listen to one another, is vitally important.
Although it is outside of the scope of an external board reviewer to judge the decisions being made by the board, as this could never be achieved in a three-day review, an effective board review can and should look at whether conversations around risk are sufficiently challenging, or a bit too comfortable. It should also look at how regularly the board reviews the point at which an operational risk, causing business disruption, turns into strategic risk that could cause the company to fail.
An external review can also look at whether or not the board has the right skills, information and expertise to consider risk. It can equally consider whether the topic is not being given sufficient time on the agenda, or whether non-executive directors with important expertise are not being given the opportunity to raise concerns.
Any recommendations on how the board can increase its effectiveness in this, and other areas, will then go on to form part of the annual report and be available for further scrutiny by both the auditors and shareholders.
In this sense, while a board review never can or should constitute an audit of the board, under the new broader guidelines being put forward by Brydon, board reviewers will have an increasingly important role to play in guiding directors to think about how they can create the right culture and relationships to give the topic of risk the attention it deserves. Only then will the Resilience Statement have any hope of achieving any of the outcomes desired.