Just as businesses are rapidly adjusting their strategies and operations to deal with unprecedented pressures and mounting uncertainty, boards and audit committees also are undertaking a more intense level of oversigh
Henry Keizer, global head of audit at KPMG International, sees a fundamental change taking place in how audit committees and boards work. “Oversight today is very different than it was a year or two ago,” he said. “We are witnessing a previously unseen velocity of change—whether it is business ownership models, valuations, or investor confidence levels. This mandates that audit committees and boards keep pace with the rate of change.”
To help directors tackle the significant oversight challenges ahead, KPMG’s Audit Committee Institute hosted the 5th Annual Audit Committee Issues Conference in Miami and Phoenix, co-sponsored by the National Association of Corporate Directors (NACD) and Weil, Gotshal & Manges. During a pre-conference roundtable discussion, the consensus was clear: 2009 will mark a critical inflection point for governance and oversight.
Audit committee agendas will be notable not only for what’s on them, but for how they will be carried out. Audit committees and boards are now approaching their responsibilities with greater intensity and vigilance—and with a sharp focus on accountability. (See related article, “More Focused, Intense Oversight Marks a New Era,” page 75.) They also recognize that being effective in their oversight role—particularly in a volatile and uncertain environment—requires a solid, real-time understanding of the business, the people who run it, and the board. In other words: It’s back to basics.
“You simply cannot leave your common sense at the door,” said Irvine O. Hockaday Jr., who serves on the boards of Crown Media Holdings, Estee Lauder, Ford Motor Co., and Sprint Nextel. “And that includes holding people accountable.”

Managing Through the Crisis
Economists and business leaders are painting an increasingly bleak picture of the economic outlook. They now expect the recession to be deeper and longer and have a greater impact on most companies than previously expected. While the banking crisis placed tremendous stress on many companies, that stress is now compounded by unprecedented uncertainty—about the U.S. and world economies, the markets, our financial system, and many of the fundamental assumptions underlying corporate strategies.
Helping to guide the company through the crisis and deal with the unprecedented uncertainty is now a top priority for boards and audit committees. By listening to the concerns, questions, and practices shared among top audit-committee members, how to manage becomes clearer. In fact, roundtable participants identified four general steps that audit committees (and in some cases the whole board) need to take to provide proper oversight in current conditions.
1. Monitor the impact of the economic crisis.
Timely and accurate forecast information is critical to obtaining a clear picture of where the company is heading. Identify possible red flags and closely monitor the company’s performance, including forecasted earnings and cash flow, and compliance with debt covenants. Be sure to test the forecasting models being used and develop worst-case scenarios.
“Management seems reluctant to embrace worst-case scenarios,” said one Issues Conference participant. “But there are data points that require rigorous analysis. If that’s the case, the board needs to say, ‘We don’t buy these assumptions. You need to come back to us with a different analysis.’”
Given increased consolidation in the financial industry, audit committees should consider the need to diversify sources of capital and establish new lines of credit. They also should expect to operate with tighter debt-to-equity ratios and more restrictions on the use of capital. Monitoring the impact of the crisis on the company’s ability to hedge against currency, interest rate, and commodity price volatility is also imperative. “Liquidity and alignment,” said Ellen J. Odoner, partner at Weil, Gotshal & Manges, “are clearly two of the greatest issues facing audit committees.”
2. Assess exposure to third parties affected by the economic crisis.
The impact on the company’s supply chain, key customers, and other third parties is a major area of exposure for most companies. Monitor the company’s exposure to all companies in financial distress; in addition to the supply chain and sales and distribution channels, key third-party dependencies include customers, banks, lenders, underwriters, insurers, guarantors, and counterparties. Identify critical dependencies, such as foreign suppliers and key customers. Understand, too, who in management is responsible for managing these risks and ensure that the company has a complete inventory of its third-party exposures.
3. Focus on internal controls—particularly as costs are cut.
As management seeks to reduce costs and implement layoffs, maintaining internal controls may pose a particular challenge. The control environment is very much on the minds of executives and audit committee members, said Mary Pat McCarthy, U.S. vice chair of KPMG LLP and executive director of KPMG’s Audit Committee Institute. “Consolidation and workforce reduction creates new worries about basic internal controls. When people are stressed and stretched they may cut corners and take greater risks,” McCarthy said. With the economic crisis placing tremendous pressure on management and employees, there may be an increased risk of fraud, so audit committee members should be prepared to inquire about the adequacy of fraud controls.
4. Understand the impact of the crisis on company financial statements, particularly the balance sheet.
How vulnerable is the company’s investment portfolio to changes in value in this environment? Have all exposures been identified and quantified? Consider how changes in financial markets affect the valuation of pension plan assets and funding requirements. Focus on possible asset impairments: Has management identified all assets that should be tested for possible impairment? Has management identified triggering events that may warrant impairment assessments of goodwill and other intangibles? If so, are the values that are determined realistic based on current market conditions—or were they based on historical assumptions? Question the assumptions that underlie management’s accounting judgments and estimates that might be impacted by the economic crisis. Help ensure that management’s disclosures (MD&A) accurately describe the impact of the financial crisis on the company, including the company’s liquidity risks, and the application of fair value.
“Clearly, 2009 is going to be a year of survival,” said Maureen J. Miskovic, executive vice president and chief risk officer of State Street Corp. “There will be tremendous pressure to swing for the fences—and we have to be alert to that.”
James N. Chapman, who sits on the boards of Chrysler, AerCap Holdings, Scottish Re Group, Tembec, and LNR Property, cited “embedded leverage, accountability, and tone at the top and throughout the organization” as critical areas of focus in the year ahead.

Prepare for a Crisis
More than half of the directors attending the Issues Conference said their audit committee had been involved in a crisis. The message: be prepared—ideally, with a written crisis-response plan. In developing a crisis-response plan, the audit committee should think about the range of issues that could trigger a crisis—from financial statement errors to compensation issues, fraud or misconduct, and going concern issues. Knowing who to involve—independent outside counsel, forensic accountants, auditors—as well as when (and what) to communicate to various stakeholders is critical to ensuring confidence in the process, and a thorough and timely resolution.
As one director who has been involved in major investigations emphasized, “getting it right the first time” is essential.
Keeping Up With Regulatory Changes
According to attorneys and governance professionals attending the conference, significant changes in the regulatory and governance environment are expected. On the regulatory front, Congress has already begun holding hearings on the financial crisis—trying to understand the cause and determining how to avoid such problems in the future. It’s expected that Congress will alter the underlying architecture of financial and market regulation, including possible regulation of credit rating agencies and hedge funds, as well as some modification of the structure and authority of regulatory agencies.
Conrad Hewitt, who in January stepped down as chief accountant for the Securities and Exchange Commission, pointed out that in 2005 the Commission began requiring some discussion of risk factors in company filings. Subsequently, in the proxy statements he reviewed, the discussions were generally bland and couched in more defensive tones, rather than as open communications with shareholders. Hewitt thinks that’s likely to change: “The disclosure of risk in the filings to investors should be more a communication than a defensive posture and this is fairly new…It’s an evolving situation and will continue to be.”
NACD president and CEO Kenneth Daly believes that while there’s currently “little or no energy” around efforts to create legislation on par with the Sarbanes-Oxley Act of 2002, there has been a shift of power to Capitol Hill. “There’s tremendous anger,” Daly said, “so the new Administration and Congress are reaching out to do something. They have all the cards now.”
On the governance front, institutional investors, regulators, and politicians have been scrutinizing the actions of boards, particularly in the context of the financial crisis, and exploring greater shareholder involvement in certain governance decisions, including executive compensation (say on pay), selection of director candidates (proxy access), and board leadership (independent board chair).
Holly J. Gregory, a partner with Weil, Gotshal & Manges, noted that together with more firms adopting majority voting, these initiatives reflect interest by some to pursue a more “shareholder-centric” model of oversight.
All of these issues make the job of the audit committee more difficult. And the challenges, as well as the potential legal liabilities, underscore the importance of adaptability in the face of extreme circumstances.

The ‘Risk Conversation’
There is clearly an intense focus on risk management today, given what’s happened in the financial markets and the economy. And while risk management has been on the radar—if not a priority—for most companies and boards over the past several years, many are asking whether we are really “moving the ball forward,” and if we need to be thinking about risk management in a different way.
During the conference, audit committee members took a different approach to the topic, and discussed the types of conversations that boards and audit committees (whoever oversees risk) are having—or perhaps should be having—about risk. Among other recommendations, these basic questions should be part of such conversations:
- Can management provide a holistic view of the company’s major risks—both on and off the balance sheet? What are the top five risks facing the business?
- How tolerant is management of risk, including low-probability yet “catastrophic” risks?
- How rigorously does management stress-test key risk assumptions?
- Are the board’s information sources sufficiently varied and objective?
- How does culture—including incentive compensation—impact the company’s risk profile?
In addition, it’s imperative that directors engage in a dynamic dialogue with the executive team to satisfy themselves that management can, and does, identify, assess, and manage risk effectively. This means having the right people at the table—the CEO, CFO, chief risk officer, general counsel, auditors, business-unit leaders responsible for managing the risks, and others. Effective oversight, for any committee, requires that directors understand, question, and test management’s core risk assumptions and perceptions, and are prepared to ask that vital “second question,” advises J. Thomas Presby, a director at American Eagle Outfitters, First Solar, Tiffany & Co., World Fuel Services, and Invesco. “As directors, we need to take control of what we do. It’s personal responsibility and you’re not limited to five days a year,” said Presby.
Sidney E. Harris, a director at TSYS and Ridgeworth Funds, concurred: “It’s clear that boards need to be digging deeper and asking harder questions.”
Focus on the models and the underlying assumptions—and here visualization can be helpful so that directors can see the impact of changing key underlying assumptions. Obtain input from third parties—auditors, outside counsel, consultants, and others—to test and validate management’s core risk assumptions and perceptions. Be particularly sensitive to the effect of compensation and incentives on the company’s strategy and risk culture.
It’s also imperative to understand the risk culture and constantly question different aspects of risk. “Enterprise risk is a continuous cycle,” noted Mary R. “Nina” Henderson, a director who serves on the boards of AXA Financial, Del Monte Foods, and Pactiv. “I don’t think that you should ever feel like you’ve got it finished. Done. It should be something that is constantly re-evaluated.”
“Directors need to consider whether a more dynamic interaction between directors and management is viewed as ‘too adversarial’ for the boardroom,” said Michael D. Schrage, a fellow at MIT Sloan School of Management Center for Digital Business. “If so, that may speak to the health, or lack of it, of the organization’s governance or boardroom culture.”
Consider the nature and flow of information and how risk is talked about within the company, and be wary of any reluctance, or “spinning,” when discussing risk. Periodically talk to the heads of the operating units who own and manage risk on a daily basis. To get a view of the risk culture from outside the boardroom, visit remote locations, “walk the halls,” and attend employee gatherings.
Laban P. Jackson Jr., an independent director and audit committee chair at JPMorgan Chase, recommends spending “informal time” with the CEO to get to know him or her outside of the boardroom. Accountability is also high on his priority list. Jackson strives to hold a weekly call with his CEO. “Remember who works for whom: Management works for me and I work for the woman in Kansas who depends on the 200 shares she has in our company,” he added.
Explore non-traditional risks such as long-term shifts in demographics, climate, or technology; the impact of organizational design on how the company manages risk; and the risks posed by the company’s culture, tone at the top, compensation structure, and reputation risk. “Management risk”—i.e., that management may be unable or unwilling to perform—should be a key area of focus, as should the risks posed by succession planning. Use a “mystery shopper” approach to probe for vulnerabilities by looking at the company from the outside in.
Discuss “black swan” risk scenarios and “darkside budgets”—those that we think can never happen—and play them out on paper. Said William R. Graber, director at the Mosaic Co., Archimedes, and Kaiser Permanente: “The improbable will happen more often than you think. Do management or audit committee teams really want to think about the Armageddon scenarios and what the risks are? Not really, but having been on both sides, it’s possible, and it’s productive to have an open dialogue with management.”
Also consider the risk of ineffective performance by the audit committee or full board. “The board should continually monitor its oversight processes,” said director and Northwestern University Prof. William J. White, who outlined a number of key elements of effective oversight. “This is not simply a once-a-year activity—it’s ongoing and dynamic.”











