Risk: To gamble on; do at one’s peril; hang by a thread; play with fire; carry too much sail; go out of one’s depth; bell the cat; make an investment; sit on a barrel of gun powder. — Webster’s New World Thesaurus Revised.
What do we mean by “risk?” What does the Securities and Exchange Commission mean?
Perception of risk is colored by our recent financial meltdown: Companies did not see it coming, and many really smart people weren’t looking in the right direction. This article traces changing perceptions of risk, including an analysis of SEC-related proposals that reflect our emerging understanding.
Risk abounds in everything we do in life. To the extent business risk historically was discretely analyzed, that analysis had limited bandwidth: compliance with law, avoiding disaster, identifying operational risks. Companies typically monitored such risk through audit committees.
However, the greatest risk is none of these; it is strategic business direction. At one level, the SEC fully understood this: In an IPO, how many of us have struggled to satisfy the SEC that our “risk factors” actually do identify all business risks? Periodic reporting under the ’34 Act has come to include “risk factors.”
But at the board level, when management and directors hammered out strategy, products and market definition, these were “strategic” discussions. Risk was a factor, but not the focus; it was something to consider and balance against “reward.”
Thus, major systemic risk was not considered separately in a formal sense. And under the “business judgment rule,” directors enjoyed freedom from liability, even when exercising faulty strategic judgment, almost without regard to the magnitude of business risk that such a strategy might contain.
New York Stock Exchange rules reflect this older approach. Rule 303A.07 states that management must assess risk, but requires audit committees to discuss guidelines and policies to govern that assessment and says they should discuss “major financial risk exposures.” While other committees may be designated to assess risk, the audit committee retains a general supervisory role.
Placing risk analysis in the audit committee reflects a focus on the prevention of operational risk, financial fraud, and “numbers” risks. Practices of the vast majority of companies that today handle risk analysis, through audit committees, reflect this focus: We have reporting mechanisms, disaster control, compliance, and financial controls per SOX 404. Few of us expect the audit committee to quantify risks inherent in business strategy.
Law firms, publishing guides to risk management for boards, continue to identify risk through this lens. Here is a list of all risks in one such publication: financial risk, fraud, bribery and foreign corruption, disasters, product liability, health and safety, environmental, insurance, information technology (reliability), intellectual property (safeguards), anti-trust compliance, employment practices (focus on claims), social responsibility and human rights. It is an admirable list, but it is just a start.
Our regulatory impetus is the financial meltdown. Our perception of its causes informs our understanding of how risk should be analyzed.
First, the crisis is systemic, transcends a particular company or industry, and is not caused by things traditionally monitored as “risk.”
Second, in studying financial institution failure as an analytical bellwether, one analysis indicates that: 49 percent resulted from inadequate board supervision; 37 percent were due to the domination of a CEO (which presumably limited true controls); 32 percent stemmed from volatile funding; and 26 percent were the result of excessive growth targets. While such specific findings are simplistic, development of a broader perception of risk leads to a conclusion that we don’t monitor risk broadly enough.
The most palpable action taken by the SEC so far has been in the volatile area of employee compensation. My last two columns (September and November, 2009) discussed pending SEC disclosure rules. The commission had suggested that the “compensation discussion and analysis” must address any incentive scheme that materially affects company risk, the philosophy of compensating higher risk employees, and the manner in which compensation policies have been adjusted to address changes in risk tolerance.
The commission is not speaking just about financial fraud or regulatory non-compliance. It is talking about enterprise risk in the broadest sense. In our November article, we also noted that few companies had formal risk assessment mechanisms that approached this level of sophistication.
In October 2009, the SEC in Staff Legal Bulletin No. 14E took another step to heighten corporate focus on risk. Historically, shareholder proxy proposals related to ordinary course business were excluded. The commission now will look at whether shareholder proposals relating to environmental or public health risks truly involve only ordinary business. Although the SEC’s analysis is logically circular, the commission is trying to open a broader discussion of strategic risk at the proxy level.
Finally, legislation was introduced in the House in 2009 amending the Securities Exchange Act of 1934 to require a separate, independent risk management committee for reporting companies charged with review of risk management policies. A registrant also would be required to designate a chief risk officer reporting directly to such a committee. If a company fails to designate a committee, then the entire board is charged with risk analysis. A more stringent Senate version also was filed by Sen. Charles Schumer.
Beyond understanding risk related to compensation, what elements will go into the expanding definition of risk? The big change will be including strategic risk, the “risk factors” with which SEC disclosure attorneys are so familiar. Risk factors will be elevated (from something drafted by counsel subject to review by C-level executives) to formal, separate board consideration.
Richard M. Steinberg, columnist with Compliance Week and an experienced risk consultant, suggests that boards will not only attempt to determine whether a strategy makes sense in economic and competitive terms, “they want to know that the strategy has a good chance of actually working. They focus on such matters as whether the company’s organizational structure will support effective implementation and whether the necessary resources — financial, human — are in place.”
The National Association of Corporate Directors, in its white paper on risk, observed that boards during boom times fail to ask “is this too good to be true?” After discussing “tone at the top” and maintenance of risk evaluation infrastructure, the white paper discusses how to address the risks inherent in strategy, suggesting selection of directors with both broad experience and specific industry expertise, and heightened outreach to internal auditors, consultants and D&O agents.
In the most telling detail, marking the shift to a broader risk definition, the white paper warns that statistical risk models, relying on probabilities based on history, cannot do the entire job. Where present economies do not conform to historical norms, statistical probability will fail to identify risk.
A recent panel discussion, sponsored by Directorship magazine and Deloitte, discussed new parameters of risk management. Noting that strategic risk sometimes can be culled from reports of security analysts and industry journalists, the panel agreed that part of risk evaluation is to answer the trite question: “what are the top five risks that keep you up at night?” Certainly, management and directors are not kept up at night by the risk of financial fraud or regulatory non-compliance; those risks are monitored within every company. What really keeps you up at night is broad strategic risk, or societal risk, or world trends, the kinds of things that statistically based models don’t capture.
We are beginning to redefine “risk” based on our recent traumatic experiences. Should we believe that heightened management and board sensitivity to risk, as redefined, will provide a sufficient level of analysis so that further SEC regulation will be avoided? The SEC is beginning to struggle with this issue. It seems likely over time that the SEC will generate specific standards of risk disclosure, perhaps based upon a “risk factors” mentality.
Further, Congress will drive much regulatory oversight into the hands of the commission. As we go to press, the House is considering massive legislation to reform economic regulation. Loath to specifically enact governance standards, the bill focuses on limiting systemic risk through two devices, both of which are proposed to be delegated to the SEC for implementation: broader proxy access in election of directors and greater advisory shareholder input in fixing executive compensation, two areas already the subject of pending SEC Rules revisions.
The current legislative calendar indicates that as you are reading this article, the Senate likely is considering the House legislation voted before the first of the year. Will the SEC be charged, ultimately, with the delicate use of governance reform as a tool to control risk, as the House bill envisions? Great legislative care must be taken in the current risk-averse business environment. As James Segel, special counsel to Rep. Barney Frank, the powerful head of the House Committee on Financial Services, observed wistfully on Dec. 8 in Boston: “Congress understands that risk made this country.”
Stephen M. Honig is a partner in the Boston office of Duane Morris.