Navigating a broader, faster agenda for audit and risk committees
Boards are dealing with more complex, interconnected risks, requiring stronger prioritisation, integration and forward-looking oversight.
Audit and risk committees are operating in an environment where the breadth, pace of change and interconnection of risks continue to expand. What was once a largely retrospective function focused on financial reporting and assurance has become a forward-looking, strategic role at the centre of organisational resilience.
Recent global insights, including KPMG’s 2025 audit committee survey, reinforce what many directors are already experiencing. The agenda is getting heavier, the risks more complex and the expectations higher. The challenge is no longer simply overseeing risk. It is making sense of it, prioritising it and ensuring it is meaningfully integrated into decision-making.
A more complex risk landscape
Unsurprisingly, macroeconomic and geopolitical uncertainty remain dominant concerns. Trade tensions, shifting regulatory settings and economic volatility are creating a persistent backdrop of uncertainty.
Cybersecurity, data governance and third-party risk continue to rank among the most pressing issues facing audit and risk committees. The rise of generative AI is amplifying these concerns, introducing new dimensions of risk – from intellectual property exposure to data privacy and reputational risk.
Overlaying this is the growing impact of climate-related events and the energy transition. Increasingly frequent and severe weather events are testing operational resilience, supply chains and asset values. For many organisations, climate and nature-related risks are no longer distant or theoretical – they are immediate and financially material.
Audit and risk committees are being asked to engage with these issues in ways that go beyond disclosure, extending into scenario analysis, controls and assurance.
From oversight to insight
The implications for audit and risk committees are significant. Traditional approaches to risk oversight are no longer sufficient. Directors are being called on to provide deeper insight and challenge.
One of the most persistent issues highlighted in global surveys is the gap between the pace of risk and the maturity of risk management. While many organisations believe they are keeping up, far fewer describe their capabilities as sophisticated. For audit and risk committees, this reinforces the need to probe the effectiveness of risk systems and reporting:
- Are management’s processes identifying the risks that truly matter?
- Are risk indicators forward-looking or largely retrospective?
- Is there a clear, shared understanding of the organisation’s mission-critical risks?
- Does the organisation have the right information and expertise to manage these risks effectively?
- Is risk appetite clearly understood and reflected in decision-making?
These questions go to the heart of effective oversight. Without clarity and alignment, even well-developed frameworks can fall short.
The challenge of integration
Another recurring theme is the need to better integrate risk with strategy. Too often risk is treated as a parallel process rather than an integral part of decision-making. Strategy is shaped by risk appetite, requiring alignment between ambition and the level of risk the organisation is willing and able to take on.
Detailed risk conversations are often concentrated within the audit and risk committee, while strategy is primarily discussed at full board level. This separation can make it more difficult to connect risk and strategy in a meaningful way.
Leading practice suggests a shift towards a more integrated approach, linking strategy, performance and risk through common metrics and reporting. This includes identifying risks that could materially impact strategic objectives, defining risk appetite in practical terms, and establishing key risk indicators that provide early warning signals and support forward-looking oversight.
Scenario analysis is becoming an increasingly valuable tool in this context. By exploring plausible and extreme scenarios, whether related to cyber events, supply chain disruption or climate impacts, boards can better understand vulnerabilities and test the resilience of strategy. Importantly, this moves the conversation from “what are our risks?” to “what could disrupt our strategy and how would we respond?”
Oversight in a distributed model
As the risk agenda expands, so too does the question of who oversees what. Many boards are grappling with how to allocate responsibilities across committees without creating gaps or duplication.
Audit and risk committees continue to carry a significant share of the load, overseeing not only financial reporting and controls but also cybersecurity, data governance and elements of enterprise risk management. This concentration can create pressure on agendas and on the depth of discussion.
Clear delineation of responsibilities, supported by strong coordination between committees, is essential. Equally important is ensuring the board as a whole retains ownership of risk, recognising that oversight cannot be siloed – it must be connected across the board’s work.
Capability and composition
The expanding risk landscape is also prompting questions about capability. Surveys consistently highlight gaps between director expertise and emerging risk areas, particularly in technology and climate.
For audit and risk committees, this underscores the importance of ongoing capability development, through targeted education, the use of external expertise and, where appropriate, board refreshment.
The aim is not to turn directors into technical experts, but to ensure they are sufficiently informed to ask the right questions, challenge assumptions and test whether management has the capability and resources to manage these risks effectively.
Making room for what matters
With expanding agendas, audit and risk committees are under pressure to prioritise effectively.
Many are responding by sharpening the focus of meeting materials and presentations, moving away from volume towards relevance, with greater emphasis on material risks and issues that warrant board attention. Agendas must allow space for discussion, not just reporting. This includes time to consider emerging risks, hear from external experts, and explore forward-looking scenarios.
In a complex environment, the quality of conversation matters more than the quantity of information.
Looking ahead
Audit and risk committees are increasingly operating as stewards of resilience and insight, not just guardians of compliance.
Strong oversight will continue to underpin trust – in financial reporting, in governance and in the organisation itself. But effective oversight in today’s environment relies on clarity, focus and the ability to see around corners, rather than more reporting or more regulation.
For audit and risk committee members, the task is not getting easier, but it is becoming more central to the long-term success of the organisations they serve.
Board and committee chairs also play a critical role in advocating for a more strategic and integrated approach to risk, both at the board table and across the organisation.