To be sure, directors themselves are torn about how best to allocate the supervision of risk management. In interviews with board members, Jay Lorsch, a human-relations professor at Harvard Business School, encountered disagreement over who should be responsible for risk management. At least one director told Lorsch that all risks, including broad business risks, should fall under the audit committee’s umbrella. “Some people believe that [overseeing] risk management [is] the job of the CEO and the management team, and others say the boards should be worried about that but not the audit committee,” says Lorsch. “Then others thought it was a natural thing for the audit committee to do.”
What’s largely agreed on is that audit committees will be preoccupied with risk this year. Charles Noski, a former CFO at AT&T who sits on four boards and chairs the audit committees at Microsoft and Morgan Stanley, says he found consensus among participants at a recent audit-committee conference that “risk management [is] probably the number-one issue and number-one topic that will be addressed by audit committees in 2010.”
The financial crisis, notes Noski, “heightened the level of interest and time that is being devoted to the topic.” Audit committees have moved on from the complexities of the first few years of Sarbanes-Oxley implementation and are shifting part of their focus to the broader business-risk issues facing the enterprise, he says.
At Fortune Brands, a consumer-brands company, CFO Craig Omtvedt says he will discuss with his audit committee this week various issues surrounding the company’s risk-management program, including how risks are identified and reviewed. The company was one of the first to file a proxy statement under the new disclosure rules.
In its latest proxy statement, Fortune Brands explained that its board is responsible for overseeing the company’s management of risk, and its individual committees manage risks within their respective areas. The audit committee oversees the management of financial risks and keeps tabs on the company’s overall risk-management program from a process standpoint, Omtvedt says.
Omtvedt doesn’t object to the new disclosure rule. “It’s reasonable to request that people take more time and be more formal in communicating how they deal with risks that are inherent to their business,” he says. What’s more, the rule may aid companies in deflecting calls for more-serious reforms of corporate risk-management policies. For instance, a provision in a shareholder-rights bill, introduced by Sen. Charles Schumer (D-N.Y.) last spring, would have required large companies to establish risk committees. Now, the bill appears unlikely to get past the committee stage.