When primary risk oversight is delegated to an audit committee, rather than handled at the board level or within a separate risk committee or subcommittee, that committee should schedule time for periodic review of risk management outside the context of its role in reviewing financial statements and accounting compliance.

This role is consistent with the New York Stock Exchange (NYSE) rule that requires an audit committee to discuss policies with respect to risk assessment and risk management. It should, however, be noted from the outset that an audit committee cannot and should not be involved in actual day-to-day risk management. Members of an audit committee should instead focus on their risk oversight role.

Broadly speaking, the members of an audit committee should satisfy themselves as to a number of key risk management issues, including the following:

  • That the risk management policies and procedures designed and implemented by the company's senior executives are consistent with the company's strategy and risk appetite
  • That these policies and procedures are functioning as directed
  • That necessary steps are taken to foster an enterprise-wide culture that supports appropriate risk awareness, behaviors and judgments about risk, and that recognizes and appropriately escalates and addresses risk-taking beyond the company's determined risk appetite
  • The board should be aware of the type and magnitude of the company's principal risks and should require that the CEO and senior executives are fully engaged in risk management

By leveraging its oversight role, an audit committee can communicate to management that enterprise risk management is not a drag on the business, but rather an integral component of strategy, culture and business operations.

Key risk management issues that should be periodically considered by an audit committee include the following:

  • Evaluate possible going-concern issues
    • Consider finance, liquidity and capital structure risks: Are the company's products and solutions sustainable for the foreseeable future?
    • Critically analyze which areas of the business contribute liquidity and profitability and which do not, and determine how to optimize or eliminate weaker contributors
    • Confirm that resources are allocated in accordance with the company's strategic plan
    • Consider the financial and accounting risks of the strategic plan
  • Review allocation of responsibility for oversight of major substantive areas of risk
    • Identify most significant risks in the next year and the long term
    • Focus on management processes: identify strengths and weaknesses
    • Consider if operational risks are likely to manifest in the next year's financial statements
      • Consider whether new accounting pronouncements, particularly those that call for management judgment or that implicate key financial matters such as revenue and EBITDA, raise the risks of manipulation and therefore call for enhanced controls
    • Have management clearly articulate the risks in its strategic plan and confirm that it is properly applying the company's risk tolerances to its decision-making
  • Advance board governance and oversight processes as risk environments become more complex
    • Identify new or evolving areas of company risk
    • Review fraud detection and controls
      • How might this apply to the company's environment?
      • What processes are in place to detect fraud?
    • Stay up to date on cybersecurity and data privacy protections
      • Has management assessed highest risks for the company?
      • Are processes in place to periodically evaluate risk management programs?
      • Have employees been properly trained?
      • Are response plans in place to handle problems if they occur?
      • Has the company evaluated possible cyber insurance coverage?
    • Conduct Foreign Corrupt Practices Act (FCPA) education and training
    • Consider environmental, sustainability and growth (ESG) risks
      • Issues can include environmental liabilities, labor standards, leadership succession and contingency planning for macro-level risks, including by identifying supply chain and energy alternatives and developing backup recovery plans for climate change and other natural disaster scenarios
      • Increasingly important to institutional investors and customers

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
