Editor's note: Mr. Greco is past president of the American Bar Association and a partner in the Boston office of K&L Gates LLP. He advises clients on managing risk and crisis. Mr. Missal is a partner in the firm's Washington, DC office and is the practice area leader for the firm's policy and regulatory practices. Mr. Lawson is an associate in the firm's Harrisburg office.
On December 15, 2006, Lehman Brothers and Bear Stearns reported profits of $4.05 billion and $2.08 billion, respectively, for the fiscal year ended November 30, 2006.Other Wall Street firms reported similar financial successes. The tremendous performance of these Wall Street firms was attributed to fixed-income credit products, such as mortgage-backed securities, asset-backed securities, and credit derivatives. Now, less than two years later, Lehman Brothers is in bankruptcy and the federal government bailed out Bear Stearns and it was sold. The collapse of these venerable Wall Street firms was in large part the result of investments in risky securities and trading practices. The collective failure of these and other financial titans begs the question: could more have been done to prevent these failures?
The high-profile corporate scandals of the early 2000s placed more responsibility on the audit committee. These scandals led to legislative and regulatory developments designed to expand the audit committee's role and responsibilities, including passage of the Sarbanes-Oxley Act of 2002, related SEC rulemaking, and the New York Stock Exchange and NASDAQ Stock Market corporate-governance listing standards. The changes strengthened audit committee's composition and authority, increased audit committee responsibilities and enhanced the audit committee's monitoring role. The result was a shift in the audit committee's responsibilities from a largely monitoring role to a more proactive oversight role.
Part of these increased responsibilities for audit committees is to play a critical role in overseeing and assessing the management of risk. Risk includes not only the traditional catastrophic risks, but also financial and reputational risks. Best practices require an audit committee to review and analyze the guidelines and policies that govern the process by which a company's exposure to risk is assessed and managed.
Audit committee standards enacted under Sarbanes-Oxley and related SEC regulations provide the audit committee of a publicly traded company with the mechanisms necessary to conduct a thorough review to ensure the completeness and accuracy of the company's financial statements, including an assessment of the company's risk-exposure. These standards empower an audit committee to investigate risk and to ensure that the company's financial statements accurately reflect that risk. As part of that investigation an audit committee should determine what risks exist, how those risks are being accounted for and reported, and how those risks are being managed.
To fulfill its responsibilities, an audit committee should use all available tools, including its internal audit function, external auditors, and, if necessary, the retention of outside counsel and advisors. Each of these tools serves a key function. Internal audit can provide the audit committee and management with an assessment of the internal controls in place with respect to the mitigation of risk, as well as the efficiency and effectiveness of the operations of the company. External auditors review and report on a number of matters, including the company's financial statements, its reporting processes and the sufficiency of its internal controls. Outside counsel and advisors can be retained to investigate or review areas of particular concern to the audit committee.
Given the current credit crisis, it is clear that the oversight role of the audit committee will continue to expand and to grow in importance. Audit committees need to be independent and must review management decisions with healthy skepticism.This process necessarily includes a close analysis of the way companies assess and manage risk.It is easy to forget the truly stunning returns that financial firms reported less than two years ago.With perfect hindsight, however, we can now see that these companies failed properly to assess and manage their risk.
There are tough lessons to be learned from this crisis. Given the enormity of the global costs being paid for them, we had better learn the lessons well, and quickly.
Published November 1, 2008.