1. Has the audit committee reviewed the effectiveness of management’s risk management programs in relation to identifying both risks and opportunities?
2. How effective is the organization in adjusting its risk appetite in response to changes in the risk landscape?
3. How is the organization deploying new tools and technologies to identify patterns and correlations in company data to identify potential warning areas?
4. Does the organization have the necessary skill sets, talent and culture to effectively manage the organization’s significant risks? If not, what are the gaps, and how will management address them?
5. Has the audit committee considered the company’s total risk exposure for a cyberattack, including the financial, legal and reputational impacts? Have escalation and response plans been developed and simulations conducted?