Buried at the end of the SEC’s multi-page corporate governance disclosure rule (Regulation S-K, Item 407(h)) is the requirement to:
“disclose the extent of the board’s role in…risk oversight, such as how the board administers its oversight function….”
Many companies comply in the most cursory of fashions with a few boilerplate lines stating that the board admits to responsibility for risk oversight, has shrewdly delegated primary oversight to its standing committees according to subject matter and listens alertly to regular management reports on material risk developments if and when they occur. While this level of disclosure probably meets the minimum requirements of the rule, it misses a significant opportunity to advance enterprise risk management within the company and enhance public perception of the company’s strategic and governance prowess.
It is widely known that proxy statements have become a primary means by which progressive companies communicate with their shareholders and bolster their corporate image. (See this Doug’s Note.) It is also widely known that effective enterprise risk management is a crucial aspect of a well-run, profitable company. Savvy companies are now beginning to use their proxy statements to showcase their enterprise risk management programs. Doing so is also an effective tone-at-the-top way to communicate internally the company’s commitment to an enterprise-wide risk management culture.
Beef up the enterprise risk management section…
Here are some ways you can enhance your proxy statement to leverage the hard work you’ve already done to develop effective enterprise risk management:
- Rename the heading to draw attention. Try something like “Our Commitment to Effective Enterprise Risk Management.”
- Provide details about the nature and number of meetings at which the board considers risk issues. Note the types of topics that are discussed. (Be sure, however, to avoid disclosure of company-specific risks, prioritization of risks or inconsistencies with your Form 10-K risk factors.)
- Provide detail about your risk management organizational structure and processes.
- Describe any recent or pending risk assessment initiatives.
- Emphasize that enterprise risk management is a board and management priority.
- Describe how your processes ensure that all strategic decisions take risk management into account. (See Determining Risk Appetite.)
- If your proxy statement includes a summary section (a growing and advisable trend), consider adding an enterprise risk management subsection to it in order to attract even more attention and emphasize the company’s commitment.
- Add a cross-reference to the Risk Factor section in your latest Form 10-K.