Directors and executives of, and counsel to, public companies have become well aware that the duties of directors and officers involve assessing and managing risks.
From a business perspective, the traumas and challenges of the last several years have provided ample reminders of risks that businesses face. From a legal perspective, existing, new and proposed legal requirements have caused companies to think more carefully about their risks and the processes they use to assess and manage them.
Among the varied legal requirements, one in particular has been a key catalyst for this extra attention to the process of assessing and managing risk. This is the new requirement, imposed by the Securities and Exchange Commission in changes to Item 407 of Regulation S-K and applicable to the current 2010 proxy season, that proxy statements disclose "the extent of the board's role in the risk oversight" of the company, "such as how the board administers its risk oversight function."
The SEC's adopting release indicates that this requirement "gives companies flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example. Where relevant, companies may want to address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals."
As a result of this new requirement, recently filed proxy statements shed some light on what processes companies are using to assess and manage risk. Those proxy statements, together with discussions in literature, in corporate and securities law seminars and in interactions between counsel and company directors and executives, provide an emerging picture of common and, at least early stage, best practices being used by companies to address risk. This article attempts to describe that picture.
The Role of the Board
Companies generally recognize that the board has an important oversight role in addressing risks. This often includes, first, a recognition that strategic decisions generally include risk considerations and therefore the board, in its role in overseeing strategy and making key strategic decisions, inevitably addresses risk.
Second, the board is generally viewed as bearing the responsibility for seeing that processes that the company uses to assist in assessing and managing risk are appropriate. Third, the board is generally considered responsible for maintaining familiarity with the principal risks the company faces and how they are addressed.
These second and third responsibilities are often delegated, at least in part, to one or more committees of the board. If so, the board's fourth responsibility is to make certain that clear and appropriate delegation is in place so that these responsibilities are properly allocated.
The processes boards use to address these four responsibilities vary.
Typically, boards include risk-related topics as an agenda item for meetings. Some boards devote one meeting per year to risk-related topics. Some include risk as a separate agenda item in some or all meetings during the year. Some call for risk to be included in reports to the board from board committees or from management and for a formal risk report, often from the chief risk officer (or the functionally equivalent officer), at least once per year.
There seems to be a recognition that codifying in some way the schedule for regular attention to risk is in the best interests of both the company and the directors.
To the extent that the board delegates responsibilities, it is important that this be done in a formal way. Since delegation to standing board committees is the most common and appropriate form of delegation, boards should, and do, approve amendments to committee charters so that all responsibilities are clearly allocated.
The board should also consider including topics related to risk in ongoing director education programs and opportunities. In addition, the board may find it useful to have consultants or other outside sources provide information and insight regarding the risks faced by the company and others in its industry and regarding processes and resources available for assessing and managing risks. These various alternatives can, in addition or alternatively, be implemented at the committee level, rather than for the full board.
The Role of Committees of the Board
While retaining an oversight role regarding risk, virtually all boards in fact delegate significant risk-related responsibilities to one or more committees.
All New York Stock Exchange companies do so, at a minimum, as a result of the NYSE listing requirement that the audit committee "discuss policies with respect to risk assessment and risk management."
Although the board is allowed to delegate risk responsibilities to other board committees, the audit committee in any event retains the responsibility for discussing the company's "major financial risk exposures" and discussing the "guidelines and policies to govern the process by which risk assessment and management is undertaken."
As a matter of practice, in part in recognition of the other legal responsibilities held by various committees and in part to reflect the various areas of business overseen by committees, boards generally allocate risk responsibilities to other committees in addition to the audit committee, including the compensation and nominating and governance committees, as well as in some cases other committees. Allocation of risk responsibilities generally tracks the areas of the respective business responsibilities of the committees.
Compensation risk is, for example, generally the responsibility of the compensation committee, recognizing both that committee's area of focus and the need for particular attention to risk matters in light of new SEC-imposed proxy statement disclosure requirements concerning risk and compensation policies and practices. Although financial and insurance institutions often establish a separate risk committee, companies in other industries have generally not done so.
Practices of these committees involve various design elements. Like the board, the committee needs to decide the frequency and manner of including risk as an agenda item.
Committees often make it a practice to include the chief compliance officer or chief risk officer (or the functionally equivalent officer) in meetings, presumably at least for those agenda items that address risks. Also like the board, committees generally specify the frequency and type of presentations and information regarding risk to be received by the committee and the identity of the persons or groups responsible for providing reports on risk. Finally, committees may in some instances decide that they need the input or assistance of a third-party consultant or adviser to supplement information and input from management.
Since the audit committee of an NYSE-listed company retains risk-related responsibilities, a number of companies provide for a regularly scheduled annual evaluation by that committee of the company's risk assessment and management processes.
The Role of Management
Companies generally view management of the company as having the responsibility for managing risk.
An important step taken by many companies to assist in that is the appointment of a chief risk officer or, alternatively, the designation of another officer (often the CFO) as the officer who oversees the performance by management of its role in assessing and managing risk. This individual often reports to the CEO and sometimes is given a reporting relationship with the board or the audit (or another) committee.
In addition, a number of companies have established a management risk committee composed of designated officers and employees (often including representatives of the law department and internal audit personnel) that coordinates management's ongoing risk-related responsibilities and that oversees overall enterprise risk management activities. This committee is typically chaired by the chief risk officer (or the functionally equivalent officer) and reports to a senior executive and to the board or, more typically, one of its committees (e.g. the audit or risk committee).
Among the tasks often expressly delegated to management is a periodic identification of risks facing the company (sometimes specifying the perceived magnitude and probability of the respective risks and sometimes reflecting the perceived speed at which the risks could develop into material problems) and a prioritization of those risks.
It appears that some companies use a process of gathering input from managers in business units and from managers performing various support functions regarding risks seen by them. Such a process would appear somewhat analogous to a "subcertification" process used to gather confirmations from managers to support the certifications required by Sections 302 and 906 of the Sarbanes-Oxley Act that are made by the CEO and CFO in a company's 10-Q and 10-K filings.
In identifying risk for the board and its committees, it is important that management consider risks that are identified by the company in other contexts (e.g. risk factors and market risks identified in SEC filings) to assure comprehensiveness and consistency. In addition, information and resources from outside the company (e.g. consultants, reports of analysts and information regarding competitors, customers, suppliers and other key third parties) can be useful sources of information and insight.
Since the role of management involves the actual management of risk, many boards recognize that the managers assigned risk responsibilities should be ones who also have a meaningful role in the design and implementation of strategy. Since designing and implementing strategy essentially and inevitably involves decisions regarding rewards and risks and involves bottom line judgments as to how much risk is acceptable, risk managers should include business managers.
Finally, management often recognizes the need for ongoing education and training of employees regarding risk-related topics so that day-to-day activities are performed with an awareness of the company's approved level of risk appetite and so that new and changing risks are identified.
The procedures used by companies and their boards to address risk are evolving, and it is probable that over time some of these practices will change and that new practices will develop. It is clear, however, that as a result of the new transparency of these topics, much has already been done to establish ordered and disciplined processes regarding risks.
Fritz Thomas is a partner in the Corporate & Securities practice at Mayer Brown in Chicago and can be reached at firstname.lastname@example.org. In addition to representing clients in M&A and other transactions, Fritz advises boards of directors, committees of boards of directors and management regarding corporate governance, securities and other matters.
Jason Wagenmaker is an associate in the Corporate & Securities practice in Chicago and can be reached at email@example.com.