Investors, lawmakers, regulators, and the public have been piling responsibilities onto the corporate audit committee for years. So it’s fair to ask whether, under that heavy workload, the audit committee is struggling to get the job done.
Audit committees might not be in a full-blown crisis yet, but they do seem to be heading in that direction. For example, KPMG surveyed more than 1,300 audit committee members at the end of 2019 to ask how comfortable they were with overseeing issues such as regulatory compliance, cybersecurity, and enterprise risk management (ERM) — that is, duties beyond the committee’s responsibility for financial reporting. Forty-seven percent said finding sufficient time for those additional duties was increasingly difficult; 45% said the same about sufficient expertise.
One could say that picture — of audit committees keeping their noses above water, but working hard to do so — was a snapshot in time. Except, even worse, that snapshot was before the pandemic, which has done nothing but pile on more concern about regulatory compliance, cybersecurity, and ERM. Who knows what surveys will tell us once the hellish experience otherwise known as 2020 is included.
If audit committees are now doing too much, when should those nonfinancial oversight duties be offloaded to some other committee? “Well, how long do you want an audit committee meeting to be?” quips Les Sussman, chair of the audit committee for East West Bank, a publicly traded bank with about $50 billion in assets based in California. Overburdened audit committees, he says, can be a very real threat to corporate governance. “The more you pile on, the more it becomes a check-the-box exercise just to get through the agenda.”
Leonard Shen, who spent many years as a chief compliance officer and these days sits on the board of Toronto-based payments processor OFX Group, agrees. An overburdened audit committee simply might not have the attention for a meaningful discussion with a compliance or risk officer after a long day of reviewing financial, technology, and information security briefings. “That absolutely happens,” Shen says. “There’s definitely a dilution risk” as the audit committee’s focus keeps getting spread further and further.
Know When to Say When
Alas, there is no easy answer as to when security, regulatory compliance, and other issues should go to a separate risk committee or to the full board. The answer typically hinges on several factors, such as the organization’s size and complexity, the regulatory burdens it faces, and the potential legal liability for oversight gone wrong. “It also depends on whether the audit committee can handle it,” says Michael Purcell, an audit committee member who has been pondering this exact question lately.
Purcell serves on several boards, including publicly traded health-care technology firm Tabula Rasa HealthCare and publicly traded payments processor International Money Express. He chairs the audit committees of both. “We’ve been spending more and more time in our audit committee meetings talking about risk issues … so we’re having discussions right now, on both of them, about whether we need a risk committee or not,” he says.
At the moment, Purcell says he is confident that the audit committees at both businesses can handle oversight of regulatory compliance and cybersecurity in addition to the usual financial reporting duties. But his statement raises another interesting question: How long can audit committees keep up with all this work?
The issue isn’t that there is some line, beyond which the audit committee has too much to do and a risk committee might be warranted. Everyone grasps that idea already. The issue is that the line is moving toward audit committees, perhaps rapidly so. As cybersecurity and regulatory compliance seep into every aspect of business operations and an organization’s value to shareholders, they are becoming corporate governance concerns much earlier in the natural life cycle of many businesses. So, more boards may want to consider reallocating those risk oversight duties more quickly.
“Five years from now, I think we’ll see a serious migration either to a separate risk committee, or a subcommittee of the audit committee that deals with risk issues,” Purcell says. Boards need to anticipate that challenge now, but the implications don’t necessarily offer easy solutions.
Talent Hunts and Musical Chairs
The first question is where to find board director candidates with suitable cybersecurity, regulatory compliance, or risk management expertise. That’s not impossible. For example, some boards have begun recruiting compliance officers to help with regulatory compliance issues. Recruiting a chief information security officer to serve on the board isn’t a new idea, either.
“Plenty of people have that experience,” Sussman says. “The question is when you talk about board composition, there are a lot of competing interests.”
Indeed, that’s probably the harder part: finding room for new committees and directors. Boards already need directors versed in strategy, operations, and financial management. Many also now need women or minority representation.
So do you give current directors even more committee assignments, and impose more demands on their time? Do you expand the board to allow for a risk committee, which might complicate efficient decision-making? Or do you wait for that dream director who can check multiple criteria all at once?
And that’s only one governance challenge the board must confront.
If a board does decide it should establish a risk committee, and it has the director expertise to do so, there’s still the question of how to coordinate what audit committees, risk committees, and the full board all do.
One common arrangement is to have the audit committee chair serve as a member of the risk committee, and the risk committee chair serve as a member of the audit committee. That’s the arrangement Sussman has on East West Bank’s board. It helps to avoid duplication of oversight or, even worse, no oversight of a risk that each committee thought the other was tackling.
Boards also need to ensure that committees’ charters and reporting relationships are aligned. For example, which internal control issues should still belong to the audit committee, as opposed to control issues that might affect cybersecurity or regulatory compliance? If there is an in-house executive who serves as chief risk officer, does that person report to the audit committee, the risk committee, or both?
If the internal audit function could help with any part of this challenge, it’s here: reviewing the board’s approach to risk management. Stability in board structure and composition is good, but an organization shouldn’t allow its risk profile to evolve so much that the board structure no longer makes sense.
So the questions of what the organization’s primary risks are, what standards of oversight are expected of the board, and which reporting relationships keep board committees informed all need attention from time to time. Given the whirlwind of risks brought on by the pandemic, the 2020 U.S. election, and the protests for racial equity, perhaps now is the time.