
Enterprise Risk Management

The drum beat quickens

SEC requires boards of directors to be part of corporate risk management

By Michael J. Moody, MBA, ARM


It has become obvious that one of the most visible results of the financial meltdown will be increased regulation. Apparently the laissez-faire approach to regulating the financial services sector that prevailed for the past 10 years just did not work. Left to their own devices, most financial institutions are much too interested in short-term gains, regardless of the long-term risks involved. As a result, new regulations have begun to show up throughout the business world, both internationally and in the U.S.

Many of these new regulations involve risk-related issues, either directly or indirectly. Rating agencies, for example, were one of the first groups to zero in on the importance of quality risk management programs and their effect on the overall performance of an organization. Most rating agencies began to consider risk management programs as part of their rating methodology in 2009. Since that time, a number of other entities have also begun to consider additional shareholder protections.

SEC sets the stage

Among the first organizations to finalize new regulations specifically in response to the recent financial crisis was the Securities and Exchange Commission (SEC). The SEC is one of the most powerful financial regulatory commissions, and its rules apply to any publicly held company. On December 16, 2009, the SEC approved Rule No. 33-9089. One of the most interesting aspects of this rule was the rapid implementation time frame—corporations had until February 27, 2010, to respond to this new regulation. Given the far-reaching scope of the regulation, many believed the implementation time to be very limited. Most experts believed that this time frame indicated the concern that the SEC had for the issue. In noting the importance of this new rule, the SEC stated that it was designed to “better enable shareholders to evaluate the leadership of public companies.”

For the most part, it is this leadership issue that is at the heart of 33-9089. The regulation deals with several key risk-related issues, but many believe that the most important portion of it has to do with what many agree was a major contributor to the financial meltdown: the impact of executive compensation. The SEC Rule states that it is important that investors be provided with “a better understanding of the company’s compensation policies and how such policies can create incentives that could affect the company’s risk profile and ability to manage that risk.” The commission goes on to note that as a result, corporations will need to assess and disclose:

• Any compensation policies and procedures that will likely have a material effect on risk taking both in the short-run and long-run

• How awarding and paying compensation are used in developing the company’s risk assessment

• What monitoring procedures are in place to determine if its risk management objectives are being supported by employee compensation or incentives

It is important to note that according to the Rule, the above noted items apply to all employees, including non-executive officers. Obviously, the SEC has duly noted the destructive effects the absence of risk management has caused with regard to compensation-related issues. Thus, the commission believes that increased disclosure and transparency will be beneficial to investors.

An additional risk management-related aspect of the new Release is stated in Section C—“New Disclosure About Board Leadership Structure and the Board’s Role in Risk.” This section of the Rule indicates that all public companies are required to fully disclose details about their board’s role in risk oversight.

A key aspect of this section is that companies need to describe how the function of risk oversight is administered in their organizations. Further, the Rule also requires the disclosure and an assessment of the board’s competence with regard to risk, as well as requiring specific information about each board member’s risk assessment skills. This is important because the board’s role in risk oversight will be considered a “key competence” of the board. Among other things, this would require knowledge of such things as “credit risks, liquidity risks and operational risks.”

An additional aspect of this requirement states, where relevant, that such disclosure should “address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole, or to a board committee, and how the board or committee otherwise receives information from such individual.” Companies are not required, but are encouraged, to discuss policies related to risk identification, risk tolerances, and the management of risk/reward tradeoffs throughout their organizations. In summary, the SEC is most interested in improving risk management, governance, director qualifications, and compensation structure. Thus, the new rule is deeply rooted in three general but critical areas: enhanced transparency, assessment and oversight of risks and, finally, boosting investor confidence.

One obvious side effect of this new rule is that there will need to be a significant increase in the education of the board with regard to its role in the risk management process. Public companies should provide specific training to the board members on their expected role in risk oversight. This would include, among other things, their responsibilities to ensure that the company’s corporate strategies behave consistently and do not exceed the organization’s risk appetite. This heightened scrutiny of the risk management function will require additional education on the board’s part.

Conclusion

The SEC’s new rule illustrates that it has determined that the absence of appropriate risk management was a root cause that led to the financial meltdown. In order to improve corporate accountability and increase transparency for investors, the SEC published Rule No. 33-9089. If directors had any doubt about their role in risk oversight, the SEC ruling should clarify that situation. In addition, most risk management professionals believe that the SEC ruling is just the start of a number of other new risk management-related mandates. Many industry observers realize the past failings of risk management and agree with the need for increased disclosures that the SEC is requiring.

The SEC does not suggest any specific methodology or guidelines for risk management. However, those organizations that have already moved to ERM are considered to have a state-of-the-art program. As such, they should have already incorporated most of these requirements. As for companies that have resisted moving to an ERM program, maybe it’s time to give serious consideration to such a move because most people believe that the SEC changes are just the first of many new regulations to come.

 
 
 
