Some experts say audit committees take on too many risk-management duties. The SEC's new proxy-disclosure rule should shed more light on the issue.
Sarah Johnson, CFO.com | US

Monday-morning quarterbacks pinned the blame for the financial crisis largely on excessive risk taking, particularly at large financial institutions. Subsequent calls for regulatory reform have increasingly included nonfinancial companies and their boards, which critics accuse of having been lax in overseeing risk management.
Now, the Securities and Exchange Commission is requiring companies to describe in their proxy statements how the supervision of risk is distributed among their boards and board-level committees. Approved in December and effective on February 28, the rule is part of a package of rules intended to improve disclosures regarding executive compensation that may foster risky behavior.
By prompting companies to define their board members' responsibilities for overseeing risk, the disclosure could reveal inefficiencies. You could have a situation where the compensation committee, the audit committee, and potentially a risk committee are all addressing similar areas related to risk, says Mark Plichta, a partner at Foley & Lardner. "[Board members] need to understand the boundaries of who is doing what. There are a lot of gray areas and areas for overlap."
But the disclosure could also show, as a recent survey suggests, that some companies delegate responsibility for overall risk management to the audit committee. That duty, some experts maintain, should be reserved for the board of directors.
Because audit committees tend to straddle the line between overseeing financial-risk management and process, they are sometimes pressed to look at other types of risks as well. (The New York Stock Exchange requires listed companies' audit committees to periodically review the processes for handling risk exposures.) According to a survey of board members and senior executives by KPMG's Audit Committee Institute, 18% of audit committees are primarily responsible for overseeing strategic risk, and 58% oversee IT security and privacy risks.
That kind of data may be troubling to those who believe a broad overview of risk should remain in the board of directors' purview. "There's been some confusion about the role of the audit committees that is sorting itself out," says J. Michael Cook, a former chairman and CEO of Deloitte & Touche who has served on various audit committees and currently chairs Comcast's audit committee. "The audit committee's reason for existing is to address one very significant enterprise risk: that you will issue inaccurate, or misleading, or fraudulent financial statements."
Corporate-governance experts say the perception that audit committees have specialized expertise and knowledge has turned them into a dumping ground for risk-oversight responsibilities.
"There is a tendency at a lot of boards to make the audit committee a repository of governance issues," said Alan Beller, a partner at Cleary Gottlieb Steen & Hamilton and former director of the SEC's Division of Corporation Finance, at a recent conference for corporate attorneys sponsored by the Practising Law Institute.
Some of that push-down appears to come from third parties, such as politicians and media outlets, say observers. "It's easy to theorize what should be done in the governance world, but until you have to sit down and do these things, you don't really have to deal with the impracticalities of some of these suggestions," says Cook.
To be sure, directors themselves are torn about how best to allocate the supervision of risk management. In interviews with board members, Jay Lorsch, a human-relations professor at Harvard Business School, encountered disagreement over who should be responsible for risk management. At least one director told Lorsch that all risks, including broad business risks, should fall under the audit committee's umbrella. "Some people believe that [overseeing] risk management [is] the job of the CEO and the management team, and others say the boards should be worried about that but not the audit committee," says Lorsch. "Then others thought it was a natural thing for the audit committee to do."
What's largely agreed on is that audit committees will be preoccupied with risk this year. Charles Noski, a former CFO at AT&T who sits on four boards and chairs the audit committees at Microsoft and Morgan Stanley, says he found consensus among participants at a recent audit-committee conference that "risk management [is] probably the number-one issue and number-one topic that will be addressed by audit committees in 2010."
The financial crisis, notes Noski, "heightened the level of interest and time that is being devoted to the topic." Audit committees have moved on from the complexities of the first few years of Sarbanes-Oxley implementation and are shifting part of their focus to the broader business-risk issues facing the enterprise, he says.
At Fortune Brands, a consumer-brands company, CFO Craig Omtvedt says he will discuss with his audit committee this week various issues surrounding the company's risk-management program, including how risks are identified and reviewed. The company was one of the first to file a proxy statement under the new disclosure rules.
In its latest proxy statement, Fortune Brands explained that its board is responsible for overseeing the company's management of risk, and its individual committees manage risks within their respective areas. The audit committee oversees the management of financial risks and keeps tabs on the company's overall risk-management program from a process standpoint, Omtvedt says.
Omtvedt doesn't object to the new disclosure rule. "It's reasonable to request that people take more time and be more formal in communicating how they deal with risks that are inherent to their business," he says. What's more, the rule may aid companies in deflecting calls for more-serious reforms of corporate risk-management policies. For instance, a provision in a shareholder-rights bill, introduced by Sen. Charles Schumer (D-N.Y.) last spring, would have required large companies to establish risk committees. Now, the bill appears unlikely to get past the committee stage.