The debate over board oversight of risk management continues. And the central issue is the same. How is risk most effectively overseen by the board of directors? Should there be a board-level ‘risk committee’? Should risk oversight be spread among a number of committees? Should risk management oversight reside with the full board?

Some board members are dead set against a separate risk committee. They point out that risk oversight is a full board responsibility. And they observe that risk is inseparable from strategy and that a board-level risk committee might operate to unduly constrain those able to participate in key discussions.

Others argue that a board-level risk committee is critical. They point to perceived risk management failures during the financial crisis and the particular expertise needed to interact with the risk management professionals. They also contend that some sort of board-level risk committee needs to exist, if for no other reason than so that there is some place for enterprise risk management to go.

Audit committees have a lot of skin in this game. In the absence of a board-level risk committee, audit committees can find themselves with responsibility for oversight of all sorts of risks. These may include credit risk, liquidity risk, operational risk, cyber security, environmental risk and ‘overall legal compliance’. That is a lot to ask of a committee whose expertise resides in financial statement presentation and disclosure.

But the problem is not just one of expertise. Another problem is time. As audit committees get drawn further and further into collateral areas of risk management, they stand to be increasingly distracted from their core responsibility: financial reporting. Sarbanes-Oxley places responsibility for the oversight of financial reporting squarely within a US audit committee. And the statute contains no exception for audit committees that are too busy with other things.

Jul-Sep 2014 Issue

Willkie Farr & Gallagher LLP