Close

Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

How Audit Committees Really Think About Risk

Matt Kelly | October 19, 2015

Several weeks ago the latest Compliance Week executive roundtable debated how to move from siloed exercises in compliance to a broader program of enterprise risk management. So we spent lots of time talking about risk, and who at the company bears ultimately responsibility for overseeing risk management, which of course is the audit committee.

Finally someone asked: “Do you know how much your audit committee is supposed to worry about risk? Has anyone actually pulled up your audit committee charter and counted how many times the word ‘risk’ appears?”

That struck me as an excellent question. So I pulled up a bunch of audit committee charters and started counting.

The conclusion: most audit committee charters don’t mention risk very much, and some don’t mention it at all. And if you are looking for rules on setting risk tolerances—you know, what all the best-practice guides say boards and audit committees should do—well, forget it.

Instead, we have everyone talking about the importance of risk management, since risk gone awry brings bad headlines, shareholder litigation, restatements, government investigations, pink slips, and much other trouble. But so far Corporate America still struggles to articulate how boards should approach risk management methodically.

First, the research I conducted. Per my friend’s suggestion, I looked at the audit committee charters of the Fortune 50 companies (with the exception of State Farm, a mutual insurance firm that doesn’t disclose a charter like publicly traded corporations). I counted how often the words “risk” and “tolerance” appeared in the charter.

A crude analysis? Perhaps. But let’s consider some of the findings first, since they do support lots of what we see in the corporate world every day.

Overall, the median number of times that Fortune 50 companies use the word “risk” in their audit committee charter is 5. The word “tolerance” appears only once in all the charters for the entire group. Several major businesses—Exxon Mobil, Home Depot, Pepsico, MetLife, McKesson, Ford—mention risk only twice. Costco, with $116 billion in annual revenue and 117,000 employees, is the only Fortune 50 company that does not mention the word risk at all.

Most surprising, however, are 10 companies within the Fortune 50 whose boards talk about risk a lot—far more than the other 40. Take a look at who they are:

Company

'Risk' mentions in audit charter

Wells Fargo

52

JP Morgan Chase

27

Bank of America

15

Citigroup

14

Freddie Mac

10

Target

9

General Electric

8

General Motors

7

Fannie Mae

7

AIG

5

All of these companies have separate board-level risk committees in addition to the audit committee. The median number of times the audit committee mentions “risk” in its charter is 9.5, almost double the number for the other 40 companies in my study. In other words, having a separate risk committee to think about risk correlates to your audit committee thinking about risk more frequently too.

Now, eight of these 10 companies are heavily involved in financial services. (I include General Electric there because of its former GE Capital unit.) All of them have had major risk management failures in recent years. Is it possible that the real cause for all this attention to risk is some sort of risk management failure, that jolts the whole board into taking the subject more seriously? Sure. I wouldn’t recommend experiencing a risk meltdown as a best practice, but I would recommend creation of a risk committee, simply to get all the other directors thinking about risk as part of their standard duties too.

Then there’s the question of these other 40 companies without risk committees. I randomly selected 10 of them—Amazon.com, Archer Daniels Midland, Chevron, Comcast, CVS Health, Dow Chemical, Home Depot, Target, United Technologies, and Walgreens—and dumped the texts of their audit committee charters into a program that generates word clouds. The result was this:

You can see “risk” halfway up the left side, under “including.” It’s a small word among the many others that most audit committee charters use.

The most common words—independent, financial, auditors, internal, management, accounting, compliance—all speak to other priorities for the audit committee. Those words make sense, because a successful audit and reliable financial statements are the paramount concern for any audit committee. But compliance with financial reporting rules and accurate financial statements do not equal enterprise risk management. You can have a solid audit and vigorous financial reporting, while other enterprise risks metastasize into disaster at the same time. Just consider General Motors (faulty ignition switches), Target (cybersecurity), or JP Morgan (the London Whale Trade)—and those are examples from the companies that do think about risk smartly.

Having a separate risk committee to think about risk correlates to your audit committee thinking about risk more frequently too.

Amid my small study, remember that the Securities and Exchange Commission, the Public Company Accounting Oversight Board, the Center for Audit Quality, and many others are debating how to make the corporate audit a smarter, more informative process for boards and investors alike. I applaud that. Overseeing the corporate audit is a huge headache right now. It needs help.

Still, to a certain extent, we have two audiences talking past each other—or more precisely, the audit-industrial complex is talking to itself about the corporate audit, while investors and employees worry about enterprise risk failures that cause loss of market capitalization, bad publicity, and restatements.

Should the audit committee be responsible for all risk management? Probably not, and I’m glad to see at least some large companies give enterprise risk the separate board committee it deserves. Still, too many others don’t. And when disaster does strike, rest assured, people will be asking, “What was the board doing?”

Let’s hope those people haven’t read your audit committee charter before they do.

Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year. You can find him on LinkedIn at www.LinkedIn.com/in/mkelly1971 or on GoogleTalk at MattCompliance@gmail.com