A Practical Perspective on Risk Oversight for Modern Boards
During a recent NACD New England Board Member and Audit Committee Readiness Program, James McCusker (Senior Managing Director & Co-leader of Alpha IR’s Corporate Communication team) had the opportunity to join a panel discussion focused on crisis management and lessons learned from the audit committee perspective. The day covered many of the traditional responsibilities that define effective audit committee service such as financial oversight, internal controls, regulatory compliance, governance, external auditors, and emerging risks. These disciplines form the foundation of an effective audit committee.
Alpha’s perspective comes from a somewhat different vantage point as we advise companies across a wide range of high-profile crises, including cyber incidents, W-2 phishing attacks, executive transitions, accounting investigations, restructurings, Chapter 11 bankruptcies, environmental disasters, shareholder activism campaigns, data breaches, and other situations that tested management teams and boards alike. James also represented the American Institute of Certified Public Accountants (AICPA) during the Enron and WorldCom accounting scandals and the subsequent implementation of the Sarbanes-Oxley Act, a period that fundamentally reshaped corporate governance and audit committee responsibilities.
While every crisis is unique, they all share a common characteristic: they rarely remain confined to a single department, function, or committee. Crises test not only a company’s controls and governance structures, but also its ability to make decisions quickly, communicate effectively, and maintain the confidence of employees, customers, investors, regulators, and other stakeholders.
Whether serving on a public company board today or preparing for future board service, Alpha believes there are five lessons every audit committee member should keep in mind.
1. Crises Rarely Stay in Their Lane
Many directors naturally think about risks in categories:- financial, legal, operational, regulatory, cybersecurity, or reputational. In reality, most crises quickly cross those boundaries and often unfold in unexpected ways.
A cyber incident may begin as a technology issue before becoming a regulatory matter, an employee relations challenge, and a reputational concern. A whistleblower complaint may start as a human resources issue before evolving into a legal, governance, and investor relations challenge. A financial reporting issue can quickly attract media attention, shareholder scrutiny, and regulatory review.
One of the most important roles an audit committee can play is recognizing how interconnected these risks have become. The committee’s oversight should extend beyond understanding the immediate issue to understanding the broader implications across the organization.
2. The Speed of a Crisis Often Surprises Directors
In board meetings, issues are discussed thoughtfully and deliberately. Crises operate differently. When a significant issue emerges, management may have only hours, not days, to gather facts, assess risks, engage advisors, communicate with stakeholders, and determine next steps. During a W-2 phishing incident, for example, executives may need to quickly determine what information was compromised, who was affected, what legal obligations exist, how employees will be notified, and whether disclosure obligations have been triggered.
The audit committee’s role is not to manage the crisis itself. Rather, it is to ensure management has appropriate plans, escalation procedures, and decision-making frameworks in place before a crisis occurs. Preparation is often the difference between a manageable event and a much larger problem.
4. Some of the Most Important Risk Signals Exist Outside Traditional Reporting Channels
Audit committees receive extensive information from management, finance teams, internal audit functions, legal counsel, and external auditors. Those inputs are essential. However, some of the earliest warning signs of emerging issues often originate farther down within an organization.
Investor relations teams hear concerns directly from shareholders and analysts. Corporate communications professionals engage with media, customers, employees, and other external stakeholders. Human resources leaders often identify cultural issues before they become public. Cybersecurity teams may detect emerging threats before they escalate into incidents. These perspectives can provide valuable context that may not yet appear in financial reports, compliance reviews, or risk dashboards.
This does not mean audit committees should become involved in day-to-day communications activities. Rather, periodic engagement with the executives responsible for managing external stakeholder relationships can provide valuable insight into risks that may otherwise go unnoticed.
5. Strong Relationships Built Before a Crisis Matter Most During One
Throughout the NACD program, one theme surfaced repeatedly: relationships matter. Effective audit committees build strong working relationships with management, the CFO, internal audit leaders, legal counsel, and external auditors long before difficult issues arise.
The same principle applies to crisis preparedness.
When a crisis occurs, there is little time to establish new communication channels or define responsibilities. Committees that have already established trust and clear expectations are better positioned to provide effective oversight and guidance when the pressure is highest. The most successful crisis responses are rarely the result of improvisation. They are the result of preparation, training, communication, and strong relationships built over time.
Final Thoughts
The responsibilities of today’s audit committees continue to expand as risks become more complex, interconnected, and fast-moving.
Financial oversight, internal controls, and compliance will always remain central to the committee’s mission. But effective oversight increasingly requires a broader view of risk, one that recognizes how quickly operational, technological, legal, reputational, and stakeholder issues can converge.
In Alpha’s experience, organizations rarely struggle because information does not exist. More often, they struggle because information exists in silos. The audit committees best prepared for tomorrow’s challenges will be those that actively seek diverse perspectives, maintain open lines of communication across the organization, and recognize that some of the earliest warning signs of a crisis may emerge far outside the boardroom.
Learn more about Alpha’s Board Engagement and Advisory work.
