Monday-morning quarterbacks pinned the blame for the financial crisis largely on excessive risk taking, particularly at large financial institutions. Subsequent calls for regulatory reform have increasingly included nonfinancial companies and their boards, which critics accuse of having been lax in overseeing risk management.
Now, the Securities and Exchange Commission is requiring companies to describe in their proxy statements how the supervision of risk is distributed among their boards and board-level committees. Approved in December and effective on February 28, the rule is part of a package of rules intended to improve disclosures regarding executive compensation that may foster risky behavior.
By prompting companies to define their board members’ responsibilities for overseeing risk, the disclosure could reveal inefficiencies. “You could have a situation where the compensation committee, the audit committee, and potentially a risk committee are all addressing similar areas related to risk,” says Mark Plichta, a partner at Foley & Lardner. “[Board members] need to understand the boundaries of who is doing what. There are a lot of gray areas and areas for overlap.”
But the disclosure could also show, as a recent survey suggests, that some companies delegate responsibility for overall risk management to the audit committee. That duty, some experts maintain, should be reserved for the board of directors.
Because audit committees tend to straddle the line between overseeing financial-risk management and process, they are sometimes pressed to look at other types of risks as well. (The New York Stock Exchange requires listed companies’ audit committees to periodically review the processes for handling risk exposures.) According to a survey of board members and senior executives by KPMG’s Audit Committee Institute, 18% of audit committees are primarily responsible for overseeing strategic risk, and 58% oversee IT security and privacy risks.
That kind of data may be troubling to those who believe a broad overview of risk should remain in the board of directors’ purview. “There’s been some confusion about the role of the audit committees that is sorting itself out,” says J. Michael Cook, a former chairman and CEO of Deloitte & Touche who has served on various audit committees and currently chairs Comcast’s audit committee. “The audit committee’s reason for existing is to address one very significant enterprise risk: that you will issue inaccurate, or misleading, or fraudulent financial statements.”
Corporate-governance experts say the perception that audit committees have specialized expertise and knowledge has turned them into a dumping ground for risk-oversight responsibilities. “There is a tendency at a lot of boards to make the audit committee a repository of governance issues,” said Alan Beller, a partner at Cleary Gottlieb Steen & Hamilton and former director of the SEC’s Division of Corporation Finance, at a recent conference for corporate attorneys sponsored by the Practising Law Institute.
Some of that push-down appears to come from third parties, such as politicians and media outlets, say observers. “It’s easy to theorize what should be done in the governance world, but until you have to sit down and do these things, you don’t really have to deal with the impracticalities of some of these suggestions,” says Cook.