Risk Management: Marsh
At Risk: New Corporate Governance Rules Go Beyond Sarbanes-Oxley
Corporate executives are scrambling these days to comply with Section 404 of the Sarbanes-Oxley Act, which requires that U.S. public companies attest to the soundness of their internal financial controls. But now, some companies are facing even stricter corporate governance standards.

On November 3, 2004, the Securities and Exchange Commission (SEC) approved the final corporate governance rules—known as Section 303A—established by the New York Stock Exchange (NYSE). Whereas Section 404 is focused primarily on a company's financial controls, Section 303A encompasses all risks facing an organization—hazard, financial, operational, and strategic.

For example, Rule 303A requires corporate boards and management to improve their processes and policies for risk assessment and management. It also contains requirements associated with audit committees, corporate codes of conduct, and director and board independence.



Public financial institutions are coming off an intense period of initial implementation of the Sarbanes-Oxley Act of 2002 (SOA), Section 404 in particular. The resulting increased emphasis on corporate governance and the related mounting compliance costs are motivating company leaders to consider if enterprisewide approaches to risk management will generate greater value from their considerable investments in SOA compliance.
Bank Accounting & Finance, 2/1/05


Audit committee members, in particular, face several new requirements under Section 303A. While acknowledging the roles of management and the CEO in managing the company's risk exposures, Rule 303A mandates that audit committee members assist the board in overseeing "the integrity of the company's financial statements," a responsibility that could open up audit committee members to increased shareholder litigation in a case of alleged management accounting fraud.

Another hot-button issue that 303A rules touch on is CEO compensation, a subject that Sarbanes-Oxley had little to say about. Section 5 requires that the compensation committee of listed companies "review and approve corporate goals and objectives relevant to CEO compensation, evaluate the CEO's performance in light of those goals and objectives, and…determine and approve the CEO's compensation level based on this evaluation."

These regulations could mark a major departure from how executive compensation is currently set at NYSE-listed companies. The major change is that the broad wording of this provision potentially introduces a new range of issues that a compensation committee might connect to compensation. Thus, in addition to the traditional yardstick of shareholder value created, members of the senior management team could potentially have their compensation related to employee retention, new product development, revenue targets, etc.

To comply with these and other NYSE regulations, listed companies must be able to assess risk throughout the organization. An effective response to such NYSE mandates is to develop an enterprise-wide risk management framework that includes comprehensive risk assessment and risk management programs implemented across the company. Executives concerned about the enterprise-wide risk ramifications of the revised corporate governance rules of the NYSE should ask themselves the following questions:

  • Do we have guidelines and processes for risk assessment and risk management in place?
  • Are our risk management capabilities aligned with the company's risks?
  • Is our risk management integrated with ongoing business planning and operations?
  • What are our processes to assess risk?
  • How will we report to the board on risk management processes?
  • Is our audit committee taking responsibility for overseeing the company's major financial risk exposures?
  • Are audit committee members aware that they are also responsible for overseeing risk assessment and risk management guidelines, policies, and processes?
  • Does our internal audit function currently report on our risk assessment policies to the audit committee?
  • Has our board accepted oversight responsibility for the assessment and management of non-financial risks?
  • What are the corporation's most critical risks, and what strategies are in place to manage these risks?
  • Is there management consensus regarding risk management policies, procedures, and protocols?

To meet the demands for broader risk management, many companies are taking a comprehensive approach by adopting enterprise risk management (ERM), which the Harvard Business Review (February 2004) hailed as one of the breakthrough ideas of 2004. In fact, a 2004 survey conducted jointly by Mercer Oliver Wyman and The Conference Board showed that 92 percent of respondents either plan to implement ERM or are already doing so.



Estimates on the number of companies that might fail the SOX 404 test have varied widely, with most predicting that 10 percent may receive adverse opinions by auditors. In January, 9.7 percent of the 10-Ks (filed by companies with over $75 million in revenue) included a weakness or deficiency disclosure, and only 4.7 percent of the 10-Qs included such an announcement.
Compliance Week 2/8/05


ERM is a comprehensive, structured, and disciplined approach that meets the strictest of corporate governance standards, because it addresses risks throughout the organization. It aligns strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties a company faces. This approach offers a number of benefits, including:

  • Alignment of risk management with strategic intent and related objectives
  • Identification and prioritization of risks beyond financial risks
  • Integration of risk management into day-to-day management culture
  • Proactive management of critical threats to minimize the potential for loss
  • Quantitative and qualitative risk management analysis

Designing and developing an ERM framework requires significant effort. Many organizations assign a chief risk officer (CRO) or an executive-level ERM committee to guide the process. Most companies begin their ERM efforts with a current-state diagnostic or a risk assessment.

Marsh professionals can perform these diagnostics and risk assessments and can assist in developing an ERM framework that helps your company proactively understand and deal with complex risks—tangible and intangible, existing and emerging, and across the entire organization. For more information, please contact Mat Allen (212-948-2522) or William Spinard (202-263-7959).

If you have questions, please contact us.
Copyright © 2004 Marsh Inc.