With the credit crunch showing no sign of diminishing and an economic slowdown seemingly taking hold, audit committee members are putting risk management at the top of their agendas, according to the annual Audit Committee Member Survey conducted by KPMG's Audit Committee Institute (ACI). Risk management is now the clear first priority of audit committee members, ahead of the more traditional areas of accounting judgments and estimates, and internal controls. But Gary Simon, FSN's managing editor finds that few businesses have the processes in place to support the heightened level of concern identified in the survey.
The KPMG survey - in which nearly 150 UK audit committee members of public companies, and over 1,000 audit committee members globally, shared their perspectives and priorities for the year ahead – revealed that only 46% of audit committee members are very satisfied that their company has an effective process to identify the potentially significant business risks facing the company; and only 38% are very satisfied with the risk reports they receive from management.
But Tim Copnell, Head of KPMG's Audit Committee Institute in the UK , suggested that the figures may not be as bad as they appear. Commenting to FSN he said, "It seems that many companies have invested in systems and processes necessary to comply with SOX and Turnbull (depending on jurisdiction) but the question is; are those processes capable of identifying the next credit crunch?"
"Furthermore even if the risks are identified, have they been fully evaluated, does someone have ownership of the risk and does the company know how to respond if the risk arises?" he challenged.
"The problem with many risk management systems is that attention is directed inwards towards the risks that are easy to identify and measure rather than the external risks that are likely to sink you," he added.
The prominence of risk management on audit committee agendas this year is likely fuelled by a number of factors, including the fallout from sub-prime exposure and the credit crunch, increasing awareness of significant business risks and their potential impact, and heightened scrutiny of risk management and its oversight, particularly given the perceived shortcomings of risk management processes during the sub-prime crisis.
Although the study identified shortcomings in risk management processes the good news is that there is a burgeoning Governance Risk and Compliance (GRC) industry shaping up to help those companies that have yet to put their systems in place.
According to Paisley , a specialist vendor of GRC software solutions, the increase in government regulations, growing pressure from financial markets and additional compliance requirements has heightened the focus on integrated governance, risk and compliance. But Tim Copnell, also points to remuneration policies being a significant risk driver.
"Recession-related risks as well as the quality of the company's risk intelligence are two of the major oversight concerns for audit committee members. But there is also concern about the culture, tone, and incentives underlying the company's risk environment, with many saying the Board and/or audit committee needs to improve their effectiveness in addressing risks that may be driven by the company's incentive compensation structure. While oversight of compensation plans may generally fall within the responsibility of the remuneration committee, audit committees are focusing on the risks associated with the company's incentive compensation structure. In addition to risks associated with an emphasis on short-term earnings, audit committees want to better understand the behaviour and risks that the company's incentive plans encourage and whether such risks are appropriate."
According to Paisley , one of the limitations of traditional approaches to governance, risk and compliance is that they have relied upon separate 'point' solutions to address the requirements of each business process and each new wave of regulatory requirements. This fragmented approach says Paisley leads to inefficiencies, added costs and an inability to maintain compliance initiatives and make informed and accurate decisions. As a result, Paisley 's Enterprise GRC solutions provide a central data repository and common functionality for risk assessment, reporting and issue tracking across GRC disciplines. ERP vendors are also joining the GRC bandwagon with both SAP and Oracle offering GRC platforms as part of their overall offerings.
Unsurprisingly, with poor systems and process support Audit Committees are beginning to feel the heat. O ver half of the Annual Survey respondents expressed some concern that the audit committee has been assigned, or has assumed, too much responsibility for risk oversight (beyond financial reporting risk), and many said the communication and coordination of risk oversight activities among the audit committee, Board, and other committees could be improved.
Furthermore, nearly two thirds of respondents are also concerned that the personal risk attached to being an audit committee member has increased over the last year. Three quarters believe they face greater risks and legal obligations than other members of the Board.
KPMG's Copnell concluded: "It is not all bad news. Nine out of every ten audit committee members say their audit committee is more effective than it was five years ago - with just over half saying the committee is "much more effective." Audit committee members, by and large, are most confident in their oversight of "traditional" financial reporting matters, including accounting judgments and estimates, and internal controls and regulatory compliance. However, many say the committee's effectiveness may be hampered - or negatively impacted - by overloaded agendas, compliance activities that at times detract from substantive discussion of issues, and inadequate communication and coordination of oversight activities with the board and other standing committees."
