The New York Stock Exchange’s Corporate Governance Standards provide that the audit committee shall “discuss policies with respect to risk assessment and risk management.” (See Rule 303A.07(b)(iii)(D).) The somewhat ambiguous commentary to this rule seems to require the audit committee to exercise general oversight over a company’s risk management. Noting that it is management’s job to assess and manage a company’s exposure to risk, the commentary provides that “the audit committee must discuss guidelines and policies to govern the process by which this is handled.” While stating that companies can manage and assess risk through “mechanisms other than audit committee,” the NYSE also says that the processes “should be reviewed in a general manner by the audit committee.” In light of the increasing focus in recent years on risk management, including by the SEC in new disclosure rules and guidance, many audit committee members and others have questioned whether the audit committee is the best location for the risk oversight function, particularly for risks other than those related to financial reporting.
Recently, the Committee on Financial Reporting of the New York City Bar submitted a letter to the NYSE urging the Exchange to consider whether the rule reflects an optimum approach to risk management in the current environment. The Committee recommended that, while audit committees should retain responsibility for risks associated with financial reporting, they should not be required to assume broader risk management oversight responsibility. It suggested that the responsibility for oversight of risk assessment and risk management be placed at the board level. The board would have the ability to delegate aspects of risk management to the audit committee or other committees as the board deems appropriate.