Will Audit Committees Evolve?
In fact, many experts are taking a hard look at how audit committees do, or don’t, get involved in risk management. “I think we will begin to see audit committees evolving into risk committees,” Lam says. “A primary function of the board is strategy development and execution. But, as risk management becomes a key agenda item for corporate boards, linking strategy to risk management becomes a logical and desirable goal. You need to define and assess the key risks that can prevent the organization from achieving the strategic objective, and you do that by establishing key performance indicators along with the key risk indicators. This will require that audit committees improve their expertise in risk management, or that the board form a separate risk-management committee with this competence.”
Ristuccia supports that view with some hard numbers. “We did a study last year of the S&P 500, and 58% of respondents said their audit committees were responsible for risk management,” he says. “Yet, if you talk to the members of these committees they’ll tell you they have enough trouble getting through the regular audit-committee agenda without having risk management tossed at them, too. Either the audit committee improves its grasp of risk management or a separate risk committee needs to be formed.”
Others agree that audit committees are overwhelmed and ill-prepared for risk-management duties. “Audit does not have sufficient time to handle the responsibility,” says Suzanne Donner, interim CFO at payment-processing company WorldPay. “The big debate now is the need for a separate risk committee, and I predict great momentum in the next couple of years in its formation.” (Donner formerly was a director in the ERM practice at KPMG and is a partner in executive-services firm Tatum.)
“Audit shouldn’t be the default simply because risk management doesn’t seem to fit the other committees,” says Jack Bergstrand, former CFO of Coca-Cola Beverages Ltd. and the CEO of consulting firm Brand Velocity. “Depending on the type of organization, you need an oversight committee that can address the breadth of key risks to the enterprise, someone with IT expertise to look at IT risks, or someone with marketing expertise to look at market risks. Audit is good for accounting and reporting risks, but you need directors who can actually improve the company by minimizing risks.”
Erwann Michel-Kerjan, managing director at the Wharton School’s Risk Management and Decision Processes Center, advocates the creation of what he calls an “audit-plus committee,” with clear responsibility for risk management. “It’s the board’s responsibility to oversee internal and external factors that can jeopardize the organization, but there is very little structure right now to allow this, and not many board members have the desire or expertise to do it,” he says. “You can’t just expect the audit-committee members to suddenly take on the responsibility, unless you train people in charge of audit to do risk management. Since the CFO is responsible to the audit committee from a reporting standpoint, he or she needs to lead this charge.”