Rising Expectations: Audit Committee Oversight of Enterprise Risk Management
Beasley, Mark S., Branson, Bruce C., Hancock, Bonnie V., Journal of Accountancy
* More companies are placing oversight responsibility for risk management with the board of directors. While embracing this responsibility, boards are also finding that better risk intelligence is a significant aid to their strategic planning responsibilities.
* In many companies, boards are assigning the additional task of risk oversight to the audit committee. Audit committees (or other board committees) charged with risk oversight are placing demands on management for more information about risk management processes and for up-to-date information about management's assessment of key risk exposures.
* The volume and complexities of risks affecting the enterprise continue to expand. In response, many boards have adopted ERM as a process to develop a more robust and holistic top-down view of key risks facing the organization.
* Because an ERM approach to risk management involves a top-down view of risks, leadership from senior executives is a critical component to an effective ERM process. The CFO is uniquely positioned to lead the overall enterprise risk management effort.
* Most experts argue that internal audit's role should be to monitor the effectiveness of ERM processes designed and implemented by senior management.
* Audit committees are also exerting pressure on their external auditors to share risk information they glean from audits of financial statements, and the audit of internal controls over financial reporting for publicly traded entities.
* Implementing ERM is an evolutionary process, whereby risk oversight improves over time.
Recent events such as the massive trading losses at Societe Generale, the subprime lending crisis and product recalls associated with Mattel's international toy manufacturing operations continue to shock financial markets and negatively impact shareholder value.
These events have also fostered rising expectations for boards of directors to exert greater oversight of their organizations' risk management processes, leading in turn to the growth of enterprise risk management (ERM) as a strategic planning tool.
Not only are key stakeholders pressuring boards to get a better handle on management's process for identifying, assessing and responding to specific risks, but stakeholders are also expecting boards to more effectively anticipate far-horizon risk exposures and to continually monitor those risks to ensure that strategic and operational decisions remain aligned with the organization's risk appetite. In response, more companies are turning to ERM.
BOARD'S ROLE IN RISK OVERSIGHT
Deloitte's Global Risk Management Survey (5th edition) reports that 70% of financial institutions participating in the survey place oversight responsibility for risk management with the board of directors, up from 59% in 2004 and 57% in 2002. This increase was due in part to emerging regulations, such as the New York Stock Exchange's 2004 Final Corporate Governance Rules that require audit committees to discuss and monitor risk management processes and Standard & Poor's 2007 proposed scoring of ERM quality as part of the rating agency's credit evaluations (see description in Exhibit 1).
Exhibit 1: Governance Expectations for Board Risk Oversight
1. Excerpt from the NYSE's 2004 Final Corporate Governance Rules
(1) Among numerous other responsibilities, duties and responsibilities of the audit committee include:
(D.) discuss policies with respect to risk assessment and risk management;
Commentary: While it is the job of the CEO and senior management to assess and manage the company's exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company's major financial risk exposures and the steps management has taken to monitor and control such exposures. …