Most boards treat risk management as a reporting function. EY Americas Center for Board Matters leader Pat Niemann argues that audit committees in 2026 need to be asking harder questions — not just whether risks are being managed but whether the organization can actually change course when an unexpected tipping point hits. The difference between those two questions, he suggests, is the difference between resilience and reaction.
With uncertainty a constant in the business environment, audit committees are working closely with management to confirm that their organizations are resilient and ready to navigate the anticipated and unexpected challenges that lie ahead in today’s complex, dynamic world, one that is increasingly nonlinear, accelerated, volatile and interconnected.
In this environment, companies may be caught by surprise as sudden tipping points reach their limit, forcing businesses to swiftly respond to events. Oftentimes, that requires the ability to change course, anticipating interconnected impacts and risks downstream.
Given the rapid pace of change and existential threats to companies in this unpredictable risk climate, boards and audit committees are rethinking and questioning their organizations’ legacy approaches, including risk management frameworks that work in a linear way. They need to integrate risk and strategy to close the gap between such practices and the complex risk challenges of today’s environment.
One indicator of the existing gap in risk management is the rarity with which one finds a chief risk officer (CRO) in the world’s largest companies. An EY analysis found that only 21% of Fortune Global 500 companies have a CRO. Those numbers are skewed high by the financial services industry — 80% of those firms have a CRO, largely due to the unique risk management regulations with which they must comply. However, only 12% of nonfinancial-sector entities have a CRO.
Close the risk management gap
Audit committees and their fellow board members are challenging management teams to evolve their risk management and step beyond static updates to gain a portfolio-driven view based on what-if scenarios.
Not stopping there, leading directors look at what can. What can be leveraged to prepare for a particular scenario? What’s more: Might there be an opportunity in such a situation that could be advantageous to the business?
Given the degree of uncertainty businesses are encountering and the need to respond at greater speed to the unexpected, often volatile nature of the circumstances, audit committees also want to receive more frequent status reports to stay abreast of the effectiveness of the organization’s risk mitigation plans. In tandem with reviewing these reports, audit committees should consider delving deeper to understand how effectively this and other enterprise risk management (ERM) practices and processes are being managed across the organization.
Is the organization becoming more resilient, and can it make the strategic pivots that may be required going forward?
How Boards Are Rewiring for Geopolitical Risk
From tabletop exercises to operational resilience assessments, the new toolkit for strategic oversight
Read moreDetailsManaging the top five risk factors with discipline and an ongoing focus on financial targets
Despite geopolitical and economic uncertainty, 52% of CEOs responding to that EY survey planned to increase their investments to accelerate transformation. They are reshaping business models, entering new markets and adopting emerging technologies to create sustainable competitive advantages.
As organizations pursue growth, they must monitor the following risks: technology disruption and AI integration, labor costs and talent availability, innovation capacity and infrastructure limitations, geopolitical tensions and supply chain fragility and logistics constraints.
In response to these evolving risks and changes in the global economic environment, many companies are adjusting their operating models. They are standing up local and regional capabilities closer to their customers, communities and talent to enable faster adaptation to and compliance with diverging government rules and shifting markets.
Additionally, leading companies are rewiring supply chains for speed and resilience and to facilitate more efficient customer service, with lower costs and fewer policy restraints. Others that find localization impractical for their operations are adopting a hybrid approach that balances global scale with regional agility.
In fact, the EY CEO survey found that nearly 75% of CEOs are either localizing or have localized some part of their production within the country of sale. Audit committees will want to ensure compliance as many governments enact policies to bolster their economies’ digital sovereignty.
Considerations for audit committees and boards in today’s global business environment
To govern effectively amid today’s complexity, audit committees and boards should consider taking seven priority actions in 2026.
- They should conduct regular portfolio resilience reviews to identify underperforming or non-core assets. That is particularly true as CEOs adapt to the US administration’s priorities, placing US investment and job creation at the center of discussions on trade, regulatory requirements and other matters.
- They should focus on areas aligned with shifting customer demand and emerging technologies. For instance, companies can use AI for trend forecasting, to offer tailored customer recommendations or to develop smart inventories to optimize sales and profitability.
- Given the unexpected opportunities that frequently arise, audit committees and other board members should assess the organization’s ability to swiftly reallocate capital to more readily capitalize on high-growth opportunities. To support such moves, does the business have a process to divest itself of legacy assets when a new opportunity necessitates such an action?
- Global organizations also should formulate region-specific strategies that factor in cultural preferences and regulatory requirements as they establish dedicated frameworks or specialized teams to evaluate and address geopolitical risks and opportunities.
- To elevate ERM, the adoption of a control tower approach could also be considered to increase visibility across an organization’s entire risk portfolio, both top-down and bottom-up. This could be achieved by integrating different levels of risk via a taxonomy and through the analysis of risks and their drivers.
- The audit committee may ask management to identify where there are areas of risk concentration and integrate data externally and internally across the various lines of defense to gain a clearer view of the organization’s risk profile and improve risk mitigation planning.
- They also should use scenario analysis and war gaming to anticipate what might happen given connected risks, whether they are tied to the adoption of emerging technologies, cyber concerns, talent or geopolitical in nature and use that knowledge to prepare more effectively for developments that could send a shockwave through the portfolio.
These are among the practices that leading audit committees and their board member peers should consider as they use emerging technologies to mitigate risks and capture opportunities while navigating an increasingly complex, volatile and interconnected business landscape.
As leader of the EY Audit Committee Forum and the EY Americas Center for Board Matters, Pat Niemann is responsible for the EY Center for Board Matters’ audit committee services throughout the Americas, overseeing efforts to support individual directors and audit committees in their oversight roles. He previously managed Ernst & Young LLP’s Los Angeles audit practice and served other leadership roles. He is a graduate of the University of Southern California’s Marshall School of Business, where he is a recipient of the Leventhal Distinguished Service Award. He has been active in his local community, serving on numerous nonprofit boards working toward important charitable missions and civic causes. 
