Audit Committees Are Far From Happy

According to New York Stock Exchange listing requirements, it's up to the audit committee to ensure proper oversight of risk management. Somewhere along the way, that requirement has morphed into a massive duty: 66 percent of the Fortune 100's audit committee charters say the audit committee is the only one responsible for overseeing risk.

Clearly, the job has gone beyond what the NYSE rule intended. And audit committee members aren't happy. "Most audit committees I'm talking to will tell you they don't think they should be the only ones responsible for [risk] oversight," says Ken Daly, executive director of KPMG's Audit Committee Institute. "They don't have the time, and they don't have the inclination."

No one debates that financial risks belong under the audit committee's aegis. But operational, management and other business risks often migrate in, too. Unfortunately, pretty much every kind of risk includes a financial component or has potential financial consequences. Running afoul of federal regulations can lead to hefty fines, damage brand identity or even halt production. It's all too easy for the audit committee to wind up debating the pros and cons of a new business strategy because it falls under the huge umbrella of enterprise risk.

But some experts think concentrating too much responsibility in one committee is itself risky. Boards should share the risk-management wealth—or rather, the pain—by making sure issues are discussed broadly, and certainly across committee lines. "If you pigeonhole risk oversight to just the audit committee, you are suggesting that the whole board really shouldn't be that interested in risk," says Charles Elson, a governance professor at the University of Delaware who serves on three public company boards. "Risk oversight is something the entire board needs to think about on an ongoing basis."

Elson suggests that risk oversight shouldn't be reduced to an item on one committee's agenda. "If the board itself isn't thinking about general business risk on an ongoing basis, what are they doing?"

Another danger of laying all the responsibility at the audit committee's feet is that its members will be tempted to micromanage. "I think the danger is that if you get too mired in accounting policies, judgments and estimates, you become effectively another auditor," says Elson. "And that is not what you are supposed to do. Your job is to oversee the audit itself."

Lowell Robinson, audit committee chair at Jones Apparel Group, Diversified Investment Advisors and International Wire Group, tells the story of a former CFO from a $1 billion-plus company who, after being elected to chair a much smaller company's audit committee, was spending three days a week poring over its accruals and reserves. That level of involvement, Robinson hints, wasn't really helping governance; the novice director had not yet learned his proper role.

One way to guard against responsibility creep is for the audit committee to engage in frequent and robust information- sharing with other committees and with the full board. "The question becomes," says KPMG's Daly, "how does the audit committee help sensitize other committees about matters which are particularly important?" A continuing dialogue between the audit and compensation committees is critical— think of the issues surrounding options awards—but other committees have overlapping concerns, too.

Information-sharing seems to be improving, perhaps because board members are seriously worried about letting anything slip through the cracks. Some boards have developed procedures to facilitate internal communications, such as scheduling periodic meetings for the various committee chairs, hosted by the lead director or head of governance. Others hold regular, joint meetings between, say, the audit committee and the enterprise risk committee. And others invite the full board to attend committee meetings, paying directors by the meeting.