Point of View: New SEC rule prompts companies to disclose how their boards oversee risks

Related thought leadership:

• To the point: Current issues for Boards of Directors
• What Directors think survey
• 10Minutes on Managing risk & performance
• Seizing opportunity: Linking risk & performance
• Our views on ERM

The SEC's new requirement

The SEC’s new proxy disclosure rules, effective February 28, 2010, are intended to improve shareholder and investor understanding of the board’s role in risk oversight, including how it interacts with management.

Another step to promote transparency

US public companies contended with the new disclosure requirement for the first time in the 2010 proxy season—and most responded thoughtfully by sharing substantive information about their boards’ involvement in risk oversight. PwC’s review of just-filed proxy disclosures shows they exhibit specificity and differentiation rather than boilerplate language.

An opportunity to enhance risk-oversight practices

Many companies have provided insight into the risk categories boards oversee, their interaction with management in addressing those risks, and the division of oversight responsibility between different board committees and the board as a whole. Preparing these disclosures may have facilitated the refinement and formalization of risk-oversight practices within companies.

Persistent pressure on boards

Boards come under scrutiny

The US Securities and Exchange Commission (SEC) recently adopted final rules that augment and revise corporate governance disclosure requirements for US public companies. The new rules require companies to provide enhanced disclosure in proxy and information statements on a number of issues, including the board’s role in the oversight of risk management.

The SEC noted in its release of the rules that its intention is to elicit disclosure of how boards administer risk oversight, observing that “risk oversight is a key competence of the board, and that additional disclosures would improve investor and shareholder understanding of the role of the board in the organization’s risk management practices.”¹ Companies were encouraged to share information about how the board and management work together in addressing the material risks facing the company.

Recognizing the board’s role is oversight while the management team’s responsibility is day-to-day execution of risk management activities, the disclosure requirement provides companies some flexibility in describing how the board fulfills its duty. For example, is risk oversight administered through the whole board, a separate risk committee of the board or the audit committee? Do individuals who assume day-to-day risk-management responsibilities report directly to the board as a whole or to a board committee? How does the board or a committee receive information from these individuals?

Immediately following the SEC’s adoption of this rule, PwC had suggested that boards consider formalizing the division of responsibility between the full board and individual board committees, establishing a clear process for how those committees report back to the full board on the major risks under their purview.²

Detail prevails in disclosures

Many disclosures we’ve reviewed reflect these principles. In April 2010, PwC analyzed the proxy disclosures of 100 companies in the S&P 500. These covered a range of industries including retail and consumer, energy, finance, healthcare, industrials, information technology and telecommunications, and materials. We found that the majority of registrants had avoided boilerplate language, and many had provided informative and insightful descriptions of the board’s role in risk oversight. We did note that some disclosures could have provided additional clarity regarding the role of committees, the nature of risks over which boards were exercising their oversight, and the role of management in supporting boards’ oversight.

Increased focus on risk within boardrooms

This emphasis on risk should come as no surprise, given that corporate executives and board directors acknowledge the need for fortified risk management in the wake of the recent economic crisis. In our 13th Annual Global CEO Survey conducted in late 2009, about 70 percent of CEOs in the US and around the world said their boards were more engaged in assessing strategic risks as a result of the crisis. Around 60 percent also said directors were constructively engaging the management team on strategy.

Earlier, in the PwC and Corporate Board Member What Directors Think survey, directors themselves widely recognized the need to increase their focus on risk management, with 66 percent saying they would like to devote more time to it than they did in the previous year. In the same survey, 71 percent of directors also said they expected the risk of regulatory investigation to rise over the next two years, possibly in response to the proposals and statements released by the SEC following the economic crisis.

An opportunity to enhance risk-oversight practices

The disclosures report practices, not their effectiveness

It is important to note that the disclosures afford shareholders a clearer picture of risk-oversight processes, without necessarily providing any insights on the effectiveness of those processes. Regardless, the disclosure exercise is increasing the focus on the board’s responsibilities with regard to risk oversight. Our discussions with clients suggest this is cascading to management teams which, in turn, are reexamining their interactions with boards on risk management. For example,they are considering how to support the board with more comprehensive and timely risk information. Compliance with the SEC’s new rule presents an opportunity to the leadership of public companies to enhance, refine and formalize their risk-oversight practices.

No ambiguity about the board's responsibilities

Our review of disclosures finds boards taking full ownership of risk oversight, with a vast majority of companies explicitly stating that the board as a whole was responsible for risk oversight. Almost all companies addressed the role of management in communicating relevant risk information to boards. Many also discussed the involvement of board committees in risk oversight.

A number of disclosures provided useful insight about:

• Specific risk categories: Many disclosures enumerate the various categories of risk facing companies such as those related to strategy and execution, financial stability, health, safety and environmental concerns, and risks related to corporate governance and leadership.
• Divisions of responsibility: The more extensive disclosures also spell out the separation of risk-oversight responsibilities between management functions and boards and/or their committees. Committees mentioned include audit, governance, compensation, public policy, etc. and the corresponding areas of risk they oversee. They also describe what areas of risk are overseen by the board as a whole and by the committees individually. Finally, they indicate which management functions are responsible for providing the board with risk information in specific areas.

The most informative disclosures shed light on relationships and processes

The most informative disclosures described not simply what boards are doing but how boards and management work together in making decisions related to risk management. These disclosures stand out for the following reasons:

• Disclosure of internal relationships: Some companies viewed the disclosure requirements as an opportunity to articulate their organizational cohesion. Their disclosures reveal how the board interacts with management and how the board committees interact with one another. For instance, these companies explain how senior executives share risk information with board members through formal reports and face-to-face meetings. Others explain how the full board maintains oversight of a specific risk area that is delegated to an individual committee.
• Disclosure of decision-making processes: These companies revealed how the moving parts of an organization work together in ultimately enabling boards to make sound decisions related to risk oversight. For example, one company notes that its audit committee and senior management report to the full board on the company’s risk management practices—and that if an identified risk poses a potential conflict with management, a lead independent director may conduct the risk assessment alone or with the help of other independent directors.

In summary

Taking a hard internal look and communicating the findings to stakeholders is difficult—and it also increases expectations. Many companies took advantage of the flexibility inherent in the SEC’s new rules to closely examine the board’s role in risk management processes and share it openly with regulators and shareholders. In the process, they have created an opportunity for themselves to build upon this effort and continue to raise the bar on corporate governance practices going forward.

A closer look at disclosure practices

Q&A

Q: Are the lengthier disclosures more informative than shorter ones?

A: Companies may have been motivated to furnish detail on risk oversight for many reasons such as to address the current “trust deficit” among stakeholders and cultivate investor relations. Detail can help achieve these goals so long as it is substantive and coherent, regardless of volume. Some of the brief disclosures we reviewed were concise but informative and thus as effective as the more descriptive ones. Substance, however, is paramount: Scant detail on key issues of interest could leave shareholders asking for more questions while an overabundance of it can prove just as counterproductive if it inundates and confuses the recipient.

Q: What types of risks are discussed in the 2010 proxy disclosures? And which board committees are administering risk oversight?

A: See table “Risk Categories and Board Committees” at left for examples.

Q: Were there certain aspects of risk oversight that the disclosures did not adequately address?

A: Most companies did not define risk management as an explicit competency of board directors—perhaps believing it is implied in their background and experience. On certain select matters some disclosures avoided particulars. For example, some companies explained generally that their boards convene meetings “on a regular basis” without mentioning frequency, perhaps reflecting a desire to maintain the board’s flexibility.

Q: What characteristics did you observe in less effective risk-oversight disclosures?

A: Disclosures that limited their discussions to just one type of risk (e.g., financial)—or a narrow range—without addressing categories such as strategic risks, compliance risks, or operational risks, were less effective. A small number of disclosures were silent on how management supported the board's risk-oversight role. It is hard to tell whether the board's oversight in these companies is limited to episodic status reporting or more effectively integrated with the executive team's risk management capabilities.

Q: Are companies mentioning whether their boards’ risk-oversight practices are newly formulated?

A: Generally, no. But in a few instances companies specified the year in which their boards began formulating risk-oversight processes. A few companies mentioned their boards’ intention to continue the process annually.

Download