Stephen Austin

Audit Committee Oversight or Ownership of ERM?

Audit committee's responsibility for understanding, communicating and actively addressing enterprise risk management issues.

May 2, 2011
by Stephen Austin, CPA

A recent (April 18, 2011) article in The Wall Street Journal titled "Most CEOs Prize Growth, But Other Priorities Vary" captured my attention. This survey of over 700 global CEOs conducted by the Conference Board listed the "Top 10" priorities of today's CEOs. Number 1 was "Business Growth" and Number 10 was "Investor Relations." Interestingly, "Enterprise Risk Management (ERM)" did not make the Top 10 ... though perhaps in a veiled manner as Number 6 was "Corporate Brand and Reputation," while "Sustainability" came in at Number 8.

While recovering from our most severe recession in history, we would clearly understand why Number 1 is "Business Growth." However, in the last 12 to 24 months we have endured record-setting oil spills, nuclear-plant disasters, a global financial crisis triggered by toxic mortgages and derivatives, billions of dollars of bailouts and air traffic control tower naps ... the fact that ERM did not strike CEOs as a Top 10 concern is a bit puzzling!

It is safe to say that ERM has been a challenging concept to articulate, and it has struggled to grab the headlines it deserves.

From a Board of Directors' perspective, it would appear it needs some help. As an audit committee chairman who has already embraced the topic, I believe it is appropriate for the audit committee (in coordination with governance and, as necessary, the full board) to be responsible for understanding, communicating and addressing ERM issues actively. I strongly lean towards the audit committee due to its natural disposition to provide healthy skepticism as it evaluates financial matters of the company, and it is typically comprised of the kinds of accountants, auditors and evaluators needed to deal with risk issues.

Reader Note: Don’t miss Stephen Austin’s session on how to change accounting firms – risks and rewards, at the upcoming AICPA National Audit Committee Forum, June 21 - 22, in Washington, DC.

If you need a nudge, here is one approach for an Audit Committee Chairman to consider:

  1. Educate the Committee on the topic of ERM:
    1. The AICPA and Committee of Sponsoring Organizations (COSO) have excellent tools such as:
      1. Embracing ERM — Practical Approaches for Getting Started (COSO, January 2011)
      2. Developing Key Risk Indicators to Strengthen ERM — How Key Risk Indicators can Sharpen Focus on Emerging Risks (COSO, December 2010)
      3. AICPA's Top 10 'Next' Practices for ERM — 2010 Survey Results
  2. Brainstorm at the committee level how ERM issues should be addressed throughout the company on a broad base including interviews with various Senior Management members within functional areas of the company.
  3. Identify the senior management member in the company (internal audit? CFO? general counsel?) who has a passion and understanding of the critical importance of this element of the company's long-term survival.
  4. Strongly consider implementing the 10 steps identified as "practical approaches for getting started" set forth in the January 2011 COSO publication, such steps as:
    1. Conducting an initial enterprise-wide risk assessment and developing an action plan;
    2. Checking the existing risk-management practices;
    3. Developing your initial risk-reporting mechanism.

And finally, the most critical element in making an effective ERM program really work is timely reporting of, and proactive responsibility for, risk data that comes to the attention of the ERM team. This can mean that action needs to be taken as frequently as necessary to reduce to acceptable levels any risk alarms that come to the attention of the committee. This proactive approach is in alignment with the need for Corporate America to move to a "continuous monitoring" model of not only its internal accounting controls assessments but also its risk management evaluation and reaction process.


Stephen G. Austin, CPA, MBA, services audit and business consulting engagements with a focus on technology, manufacturing, telecom, software, drug discovery and medical device companies. He is the author of Rise of the New Ethics Class, with a focus on SOX. Prior to joining Swenson Advisors, LLP, he had over 22 years of experience as an audit partner with PricewaterhouseCoopers LLP and with McGladrey & Pullen, LLP.