Your Risk Management Magazine
Are audit committees in control of risk management?


Do audit committees have the necessary skills to undertake the implementation of enterprise risk management, asks Steve Halliday

The losses recently incurred by Société Générale as the result of a “rogue trader” only confirm the stance taken by the Australian Securities Exchange (ASX) Corporate Governance Council last year, which requires that Australian listed companies strengthen their risk management efforts. The first completed section of a research project into the governance of risk management in leading Australian companies has found that risk management, or more correctly, enterprise risk management (ERM), while still trying to find its place in the Australian corporate entity, has largely been placed under the custody of the audit committee.

Over the past 10 years, enterprise risk management has become firmly embedded on the corporate governance agenda. With origins in the insurance, occupational health and safety industries, the rise of risk management has been fuelled by regulatory responses to the international corporate collapses experienced over the past decade. In the United States, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Framework highlighted risk management and likewise in the United Kingdom, the Turnbull Report succeeded in bringing risk management to the board table.

In Australia, the risk management standard AUS/NZS 4360:2004 has become the benchmark for risk management, to such an extent that many overseas countries have adopted that standard. The original ASX Principles of Good Corporate Governance introduced risk management in a governance context and recent revisions to those principles have strengthened the risk management requirements for listed companies.

Indeed, these regulations, together with increased director liability, shareholder activism and the influence of institutional investors, have all contributed to an increased focus on risk management. This is clearly evidenced by the fact that Standard & Poor’s (S&P) now takes the governance of risk management into account for ratings purposes, thereby potentially affecting a firm’s cost of capital.

The study upon which this article is based looks at the governance of risk management at board committee level and at functional level in Australian companies and seeks to flesh out the issues that are associated with the risk management discipline coming of age.

The first part of this study, which is now completed, looked at the board committee structure over risk management in leading Australian companies.

Using the S&P/ASX 200 companies as a surrogate for companies adopting best practice in governance, the research found that 73 per cent of these Australian companies used the audit committee to oversee risk management. This aligns with overseas findings which show that the audit committee is the preferred vehicle for board oversight of risk management, while still acknowledging that the full board is primarily responsible for risk management.

The next stage of the study will flesh out the issues that this dominance of risk management by audit committees creates. Financial literacy for audit committee members is recommended in Australia by the ASX corporate governance principles, and mandated in the US by the Sarbanes-Oxley Act.

However, with the addition of risk management oversight to the audit committee’s duties, how well qualified and skilled are audit committee members to understand the principles of risk mitigation and management?

Directors are also becoming concerned at the amount of time allocated to audit committee meetings. In addition to coping with complex issues like the requirements of International Financial Reporting Standards (IFRS), audit committee members have to find time for thorough consideration of risk management. Four two-hour meetings per annum may no longer do justice to this added burden.

Not all S&P/ASX 200 companies have combined audit and risk management committees. Seventeen per cent, or 34 Australian companies, have set up a board risk committee in addition to, but separate from, the audit committee. The study found that more than half of these companies with separate board risk committees were from the industry classifications that included financial services companies such as banks and insurance companies. This suggests that companies faced with managing complex derivative trading risks (energy, interest rate, credit or foreign exchange) tend to be setting up a separate board committee to manage these specialised and potentially explosive risks.

The heavy focus on a risk management process required by the Australian Securities and Investments Commission and the Australian Prudential Regulation Authority may also be in play.

Finally, some S&P/ASX 200 companies have no board risk management committee. There were only 20 companies, or 10 per cent, in this category. They tended to be a mix of smaller mining start-up companies, where risk management had not matured, or listed property trusts affiliated with a larger organisation that may be providing the risk oversight. Interestingly, these smaller companies, with no board risk committee, are still required to comment on ASX governance principle number seven (recognise and manage risk) in their annual reports.

In some cases, these smaller companies stated that they have sound risk management processes, namely: (1) the directors are picked using a robust process; (2) the executive management team is skilled; and (3) important issues are discussed at board level.

In these cases, the term ERM was not mentioned, there appeared to be no chief risk officer and the AUS/NZS 4360:2004 standard was not quoted as a benchmark. It appears, at first glance, that these companies are saying that normal board governance processes equate to a sound risk management process. It would be interesting to see how such a proposition fared under litigation. When faced with a legal action after a corporate disaster such as has occurred at Société Générale, would the three controls noted above be taken as evidence of a robust risk management process?

Steve Halliday is group manager assurance (combined audit, compliance and risk management executive) with the Tasmanian-owned and Australia’s largest renewable energy generator, Hydro Tasmania. Halliday is currently completing a Doctor of Business Administration in corporate governance through Charles Sturt University in Bathurst.

© 2012 Key Media Pty Ltd.