I have spent a lot of time lately reading audit committee charters, to see how boards address risk management. I’ll be giving a talk on that subject later this year at the Society of Corporate Compliance & Ethics annual conference, and what better way to prepare than to go straight to the raw material?
How boards handle risk management has been a governance pet peeve of mine for years. We all know boards talk about business risks extensively, and companies disclose plenty of those risks in their filings with the SEC (even if much of that disclosure is vague). Managing those risks, on the other hand—we still have lots of confusion there about what the board should do and what should be left to management.
So when in doubt, go to the board committee charters that are supposed to be the foundation of a company’s operating principles.
Alas, the charters I’ve read so far (most of the Fortune 100) make for fascinating reading—without illuminating much that we could call a trend or emerging best practice. They do, however, raise a philosophical question you might want to have with your own audit committee, as you all try to define the right approach to risk for your business.
Is your audit committee defining risk expansively enough to fit the company’s needs?
I was surprised at how many audit committee charters still talk about financial risk and nothing else. That’s a dated view of the subject, as if the audit committee updated its charter in the mid-2000s after the Sarbanes-Oxley Act arrived and has never considered refreshing its mission since then. For example, Comcast’s charter addresses risk as follows:
Review the company’s policies and practices with respect to financial risk assessment and management, including discussing with management the company’s major financial risk exposures and the steps that have been taken to monitor and manage such exposures.
Review the company’s processes and practices with respect to enterprise risk assessment and management.
Discuss the guidelines and policies related to risk assessment and risk management, including the company’s major financial exposures and the steps management has taken to monitor and control such exposures.
Perhaps you could argue that those boards (and others) deliberately want vague language, to allow them more flexibility in how they manage risk. On the other hand, this language looks remarkably similar to the language in the NYSE Listings Manual, which spells out what audit committees are supposed to do:
While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. (NYSE 303A.07)
Now, compare those dry charters with this from Pfizer’s audit committee:
Review and discuss the company’s policies with respect to risk assessment and risk management, and review contingent liabilities and risks that may be material to the company and relevant major legislative and regulatory developments that could materially impact the company’s contingent liabilities and risks. To the extent that a review and evaluation of healthcare-related regulatory and compliance issues are relevant to the committee’s responsibilities, the committee may rely on reports, analyses and recommendations of the regulatory and compliance committee.
Review and discuss, at least annually, the company’s information security and technology risks (including cybersecurity), including the company’s information security and risk management programs.
Caterpillar is another good example. It pays the necessary attention to financial risks, but also cites business risks as a concern and clearly communicates that the board expects business units to be aware of risks and have a plan for them:
The audit committee shall, at least annually, review Caterpillar’s risk assessment and risk management policies and procedures, including its major financial risk exposures and the steps management has taken to monitor and control such exposures. As determined by the Audit Committee, business units shall provide reports on their key risks and steps taken to mitigate those risks.
Corporate governance has moved well beyond SOX and financial reporting risk. Charters such as Caterpillar’s and Pfizer’s show how your board can demonstrate it’s paying attention to that reality.
After that first step, many more remain ahead, and I’ll address them in future posts. For example, I’d like to see committee charters talk in more detail about how they work with internal audit and compliance departments on risk management. From what I’ve seen in audit committee charters so far, most committees do say they oversee the internal audit, with all the usual language about an enterprise risk assessment—but that’s as far as it goes. They say they meet with “management” to talk about compliance, and say little else.
Broadly, though: does the language in the audit committee charter matter? Isn’t it enough that executives and directors just talk about risk, since they already do?
In a word, no. Charters matter, because they focus the director’s mind and help the committee as a whole build a process—and that’s what the modern enterprise needs, as risks pile up in every corner of the operation. A charter that keeps pace with the times is important.