Audit Committee Oversight of Enterprise Risk Management
Originally Published: April 01, 2008
Key stakeholders are pressuring boards of directors to better handle near-term risks and to identify strategic risks that might affect future operating performance. More companies are implementing enterprise risk management (ERM) to identify strategic and operating risks, in addition to financial risks, and define the organization's overall risk appetite.
Rising Expectations for the Audit Committee
Boards are seeking more risk intelligence to help them evaluate the trade-offs between risk and return when weighing strategic alternatives. The audit committee is responsible for oversight of the internal and external auditors as well as financial reporting. In part because the assessment of internal controls over financial reporting is risk-based, the audit committee is increasingly being charged with overseeing management's risk policies and discussing the enterprise's key risk exposures with management. Audit committees charged with risk oversight are placing demands on management for more information about key risk exposures and risk management processes.
The Role of the CFO and Internal Audit
The CFO is the executive most often responsible for reporting on risk issues to the board according to The Conference Board's 2006 report, The Role of U.S. Corporate Boards in Enterprise Risk Management. CFOs are well positioned to lead an enterprise's risk management effort because they are required to understand key activities related to financial and operational performance in their management of the enterprise's finances. This understanding facilitates the tasks of defining risk terminology, identifying potential risk drivers and risk events, and assessing the probability and impact of risk events using uniform criteria across the enterprise.
The internal audit function is involved in risk assessment and risk management activities. However, an Institute of Internal Audit position paper, The Role of Internal Auditing in Enterprisewide Risk Management, recommends that internal audit should not be involved in developing the risk management process for board approval, imposing risk management processes, managing identified risks or setting the risk appetite of the enterprise. Internal audit should monitor the effectiveness of ERM processes designed by senior management by evaluating and giving assurance on risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks.
Realistic Expectations for Enterprise Risk Management
ERM implementation is a process, which also involves cultural changes for the enterprise, whereby risk oversight improves over time. ERM efforts should be designed to more effectively manage risks on an enterprise-wide basis while realizing that effective ERM will help the enterprise better identify and manage risk, but not lower risk.
In its 2006 report, The Role of U.S. Corporate Boards in Enterprise Risk Management, the Conference Board found that a majority of boards believe that strategic risks pose the greatest threat to a company. Boards believed that more risk intelligence would help them evaluate risk/return trade-offs when considering strategic alternatives. Audit committees are exerting pressure on their external auditors to share risk information and key business risks affecting the enterprise identified during the process of understanding the entity and its business environment necessary to complete audits of the financial statements or internal controls. Auditors of publicly traded companies may also identify deficiencies in risk responses as they assess the effectiveness of internal controls surrounding core business processes that affect financial reporting.
The board of directors, and specifically the audit committee, is under increasing pressure from stakeholders to improve management's process for identifying, assessing, and responding to specific risks in the near term and anticipating future risks. IBM's Global CFO Study 2008 found that 62% of enterprises with revenues in excess of $5 billion encountered a major risk event in the last three years and 42% of CFOs indicated that their enterprise was not adequately prepared. In response to the increase in the volume and complexity of risks, the audit committee is being increasingly relied upon to oversee the management of risk.