Does Your Audit Committee Charter List Risk Management?

If you are an audit committee member of a public company, your audit committee charter might, and in some cases must, in some manner list risk management oversight as a responsibility.

If you are a nonprofit, private business or company, or governmental entity, and if you have an audit committee charter, your charter also might list risk management oversight, and if it doesn’t, then that oversight is the sole responsibility of the entire board.

For example, the NYSE Listed Company Manual states in relevant part, under Audit Committee Additional Requirements, that the audit committee’s purpose, at a minimum, must be to:

  1. Assist board oversight of (1) the integrity of the listed company’s financial statements, (2) the listed company’s compliance with legal and regulatory requirements, (3) the independent auditor’s qualifications and independence, and (4) the performance of the listed company’s internal audit function and independent auditors (if the listed company does not yet have an internal audit function because it is availing itself of a transition period pursuant to Section 303A.00, the charter must provide that the committee will assist board oversight of the design and implementation of the internal audit function); and
  2. Discuss policies with respect to risk assessment and risk management.

And under related Commentary with respect to risk assessment and management: While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.

The Listed Company Manual also states that each listed company must have an internal audit function.

And under related Commentary with respect to the internal audit function: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company’s risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. While Section 303A.00 permits certain categories of newly-listed companies to avail themselves of a transition period to comply with the internal audit function requirement, all listed companies must have an internal audit function in place no later than the first anniversary of the company’s listing date.

Further, General Commentary to Section 303A.07 states: To avoid any confusion, note that the audit committee functions specified in Section 303A.07 are the sole responsibility of the audit committee and may not be allocated to a different committee.

From an audit committee member perspective, here’s the issue that I have with risk management oversight – it’s whether the audit committee and the board primarily, and possibly other necessary stakeholders or people involved, really have reached an understanding about what that “risk management” oversight means, both in terms of substantive risk oversight areas that are (and therefore also that aren’t) included in your oversight responsibilities, and exactly what you are expected to do to satisfy that oversight. And then, how those areas and responsibilities are described in the charter. Without clarification the term “risk management” is or can be vague and potentially extremely broad.

As risk management oversight has grown, or you might say, exploded, in importance for the board and its committees, over the past several years I have regularly received materials from risk management professionals discussing and disagreeing about exactly what risk management is, what terms and criteria to use, and how to go about performing risk management. I’m not trying to duplicate their efforts. But risk management can be a complicated area requiring a substantial investment of oversight effort and time. Obviously it’s an important area for the board, and for an audit committee or risk committee to which that oversight has been delegated. Even with delegation to a committee, the board should still maintain risk management oversight.

And risk management also is an area that relates to other areas of oversight such as internal controls (COSO 2013), personal safety, anonymous reporting processes and investigations, compliance with laws, and other areas.

You, as an audit committee member, and other stakeholders need to understand what is involved, and what is expected of you, so that hopefully, to the extent possible (because it isn’t possible to avoid all surprise or unexpected situations), the important possible risks or surprises and related processes that are under your oversight have been and are being evaluated, addressed (designed and implemented), monitored and updated as necessary, including what to do and how to act to mitigate and remedy the situation if a surprise or unexpected situation does occur.

You can find additional discussions on this blog and on Tate’s Excellent Audit Committee Guide, the January 3, 2016, version of which can be found at http://wp.me/p75iWX-q

Wishing you the best.

Dave Tate, Esq. and CPA licensed in California (inactive), San Francisco and California
