City Bar Proposes Revisions to NYSE Risk Management Rules

The New York City Bar Association’s Financial Reporting Committee has asked the New York Stock Exchange to reconsider its rule placing responsibility for oversight of risk management within the audit committees of listed companies. In a letter to Claudia Crowley, the CEO of NYSE Regulation, signed by Michael R. Young, the Committee Chair, the Financial Reporting Committee writes, “The concern prompting this letter is twofold. First, the rule calls upon audit committees to assume some degree of responsibility for the oversight of risks beyond the risks associated with financial reporting. Second, the level of responsibility to be assumed by the audit committee is itself ambiguous and may contribute to ineffective oversight of risk management at the board level.”

Because the Sarbanes-Oxley Act describes the audit committee as responsible for “overseeing the accounting and financial statements of the issuer,” the additional responsibilities of Rule 303A.07 would take the audit committee “well beyond responsibility for financial reporting risk,” according to the letter. Specifically, the letter states, Rule 303A.07 would require an audit committee “to assume some level of responsibility for such areas as credit risk, liquidity risk, market risk, legal and compliance risk, and operational risk, as well as additional risks unique to the reporting entity’s particular industry, such as, for example, environmental risk. There is little reason to assume that an audit committee, whose expertise will normally reside in the disciplines of financial reporting and financial statement presentation and disclosure, will possess particular expertise in such broader subjects.”

As an alternative, the letter proposes elevating responsibility for risk management to the board level: “While the scope of our committee’s activity does not extend beyond financial reporting, we would observe that one useful approach may be to elevate the rule’s articulation of responsibility to the level of the board of directors as a whole. The board of directors as a whole would thus be required (in the words of the rule) ‘to discuss policies with respect to risk assessment and risk management’ with the objective of vesting in the full board of directors responsibility for the allocation of risk management oversight based upon the particular circumstances of the company, its industry, and its governance structure. The board, in turn, would then have the ability to use its judgment to delegate certain or all aspects of risk management oversight to the audit committee or other committees as the board deems appropriate.”

The letter can be read here: