33-9089 Proxy Disclosure Enhancements Rules: Is Risk Oversight Possible Without Overhauling Risk Management?

Late last year the SEC proposed new rules requiring more disclosure of, among other things, compensation policies and practices that present material risks to the company and the board’s role in risk oversight. The new rules are in effect from February 28, 2010.

For calendar year companies, those new rules are beginning to bite right now as 2010 proxy material and other disclosures are being prepared and released. We will soon begin to see how companies are interpreting and responding.

Many people in the risk management community are cautiously optimistic that better disclosure will result. But some, me included, believe that an overhaul of risk management practices must precede effective risk oversight. Quite apart from the global experience over the last 24 months, plenty of evidence exists to support my view.

Here are some examples:

• 85% of corporate executives say they need to overhaul their approach to risk management … (Accenture 2009 Global Risk Management Study)

• 62% of enterprises encountered material risk events in the last three years. Of those, nearly half, 42%, admitted to not being prepared for it … (IBM CFO Study 2008)

• 44% of respondents have no enterprise-wide risk management in place and have no plans to implement one (2009 ERM Initiative at NC State University – conducted on behalf of the AICPA)

The evidence suggests that management isn’t happy with current practices, that today’s risk management results are unreliable and that many executives have thrown in the towel and don’t plan to even begin to implement risk management practices.

It’s against this background that directors are now required to oversee risk management and improve disclosures. Is risk oversight possible without an overhaul of current practices?

Over the next week or so I will explore that question in a series of blogs. First though, let’s see what the new rules say.

Enhanced Compensation Disclosure

The notion that compensation practices drive behavior is simple to accept. Presumably that is what they are designed to do. But extreme compensation can drive extreme behavior and leave the reward with the employee and the risk with the stakeholder. Understanding and disclosure of that risk is now required. Much of the following is extracted directly from the new rules.

Companies will be required to discuss and analyze their broader compensation policies and overall actual compensation practices for employees generally, including non-executive officers, if risks arising from those compensation policies or practices may have a material effect on the company. The following examples of situations that potentially could trigger discussion include, among others, compensation policies and practices:

• At a business unit of the company that carries a significant portion of the company’s risk profile;

• At a business unit with compensation structured significantly differently than other units within the company;

• At a business unit that is significantly more profitable than others within the company;

• At a business unit where the compensation expense is a significant percentage of the unit’s revenues; and

• That vary significantly from the overall risk and reward structure of the company, such as when bonuses are awarded upon accomplishment of a task, while the income and risk to the company from the task extend over a significantly longer period of time.

There may be other features of a company’s compensation policies and practices that have the potential to incentivize its employees to create risks that are reasonably likely to have a material adverse effect on the company. However, disclosure under the amendments is only required if the compensation policies and practices create risks that are reasonably likely to have a material adverse effect on the company.

Enhanced Disclosure about the Board’s Role in Risk Oversight

The SEC noted that risk oversight is a key competence of the board, and that additional disclosures would improve investor and shareholder understanding of the role of the board in the organization’s risk management practices. Accordingly, “… disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. This disclosure requirement gives companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example. Where relevant, companies may want to address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals.”

Far from prescriptive, the new rules are principle based. The question is: will today’s widely varied and fragmented risk management practices provide a foundation for the new disclosure requirements?

Over the next two weeks I will discuss in this blog:

• What attributes and characteristics directors should consider in overseeing their risk management practices.

• What factors directors should consider in deciding to overhaul their risk management frameworks.

• How to ensure their risk management framework is producing reliable information.

• The role of technology in managing and overseeing risk.

As always, comments and suggestions are welcome.
