Risk management is inadequate in many companies. Just look at the major scandals that engulfed firms like SNC Lavalin, Sino-Forest and HSBC in recent years. The circumstances behind each case are wildly different, but they all amount to risk management failure, specifically by each firm’s audit committee.
Proper risk management requires internal controls to mitigate risk. (Internal controls are processes and procedures such as segregation of duties, IT security and prevention of management override, to name a few.) The trouble is that there’s an inherent aversion to risk management by management, in part because it’s not an intrinsically profit-making duty.
That’s why regulators are targeting boards and audit committees with greater risk governance obligations. For instance, recent bank governance guidelines in Canada require much stronger risk oversight, while guidelines from the Ontario Securities Commission offer advice to boards and audit committees of companies with operations in emerging markets (in the wake of the Sino-Forest debacle).
As you can see, audit committees play a crucial role in corporate governance beyond the oversight of financial reporting. They also oversee the risk management process, independent external auditors, the internal audit function, and internal controls and compliance.
That being said, not every audit committee is adequately prepared to meet these expectations, as we’ve seen in so many high-profile instances.
Here are a dozen questions to determine whether your audit committee needs a reset:
- Do your board and board committees have coordinated coverage, assurance and reporting over all material enterprise risks, both financial and non-financial?
- For any non-financial risks that your audit committee may oversee, do the skills and experiences on the committee match the oversight?
- Has the audit committee proposed a written risk appetite framework, approved by the board, which translates into explicit limitations and thresholds throughout the organization?
- Are there any acute risks that you do not understand, or over which management is capable of overriding existing controls?
- Do all audit committee members have tenure on the board for fewer than nine years? (Exceeding nine years is a red flag for lack of independence.)
- Do your independent external auditors have tenure for fewer than nine years? (This is also a red flag.)
- If your company operates in an emerging market, do you have one audit committee member with direct experience working in this market?
- If your company has over 300 employees and it is a financial institution, or over 600 employees for any other type of company, do you have an effective internal audit function reporting directly to the audit committee?
- Has your audit committee benchmarked the company’s risk management and internal control framework against best practices, using an independent external advisor?
- Do you have an effective risk function that reports directly to the audit committee or board of directors?
- Does your audit committee understand the fraud implications of accounting policies, methods for making estimates, and compensation metrics?
- At each audit committee meeting, do you meet separately with each of: the CFO, the internal audit function, the risk function and the independent external auditor, without any member of management present?
I recently put these questions to a crowd of audit committee members in Niagara-on-the-Lake, where I was speaking on best practices. (See my slides here.) When I asked for a show of hands—from those answering yes to these questions—not a lot of hands went up.
If you answered yes to all questions, or even most, you likely have a truly outstanding audit committee. You may even wish to apply for a governance award, here.
If you cannot answer yes to the majority of these questions, you have work to do.
Join me in my next blog post, where I will ask if your compensation committee needs a reset.
Richard Leblanc is a lawyer, corporate governance academic, speaker and independent advisor to leading Canadian and international boards of directors. He can be reached at firstname.lastname@example.org.