How a New SEC Rule Changed the Way Companies Look at Risk Management

John Bugalla, Carol Fox, Janice Hackett, Kenneth McGuinness

February 1, 2011

In mid-2009, in the wake of the financial crisis, the SEC began considering new rules regarding proxy disclosure and solicitation enhancements. Among these rules was a proposal to require additional disclosure in proxy and information statements (data that the SEC requires a company to send to its shareholders before they vote on company matters at annual meetings) about the board's role in the company's risk management process. In its request for comments, the SEC outlined its renewed approach to risk oversight:

"Similar to disclosure about the leadership structure of a board, disclosure about the board's involvement in the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. Given the role that risk and the adequacy of risk oversight have played in the recent market crisis, we believe it is important for investors to understand the board's or board committee's role in this area. For example, how does the board implement and manage its risk management function, through the board as a whole or through a committee, such as the audit committee? ... We believe that this disclosure will provide key insights into how a company's board perceives and manages a company's risk."

After some deliberation, SEC Rule 33-9089 came into effect requiring that proxy statements issued after February 28, 2010, disclose risk-based compensation policies, the role of the board of directors in risk oversight, and the nature of communications between executives and the board on risk management issues.

Compliance with the rule has been widespread. Recently, ermINSIGHTS, an enterprise risk management consulting firm (founded in part by two of the authors of this article), conducted a review of available corporate proxy statements for the 30 companies comprising the Dow Jones Industrial Average. The review's focus was threefold: (1) examine how the board's role in risk oversight was being presented to stakeholders as reported to the SEC; (2) measure the extent to which enterprise risk management was specifically mentioned; and (3) document how often an organization noted whether a chief risk officer function was in place.

The survey found that 76% of the proxy statements contained a section dealing with the board's role in risk oversight, 64% specifically mentioned enterprise risk management, and 20% said that a chief risk officer was in place. These findings provide an early indication that, not surprisingly, many firms have chosen to abide by the SEC rule and highlight their risk management oversight practices in a separate section of the proxy statement.

These rates correspond with the findings in a joint Marsh and Risk and Insurance Management Society (RIMS, the publisher of this magazine) study released in April 2010. In that study, more than 70% of 418 responding organizations reported that they have either partially or fully implemented enterprise risk management programs. Therefore, since many companies have been implementing enterprise risk management practices over the past decade, it comes as little surprise that discussion of the risk management process itself is relatively common in proxy filings.

What is unexpected, however, particularly for risk practitioners, is the extent to which the SEC is driving the focus on board oversight and integration with strategic decision-making. Prior to the new SEC rule, the growing practice of ERM within corporations was being driven by the major credit rating agencies, which found value in a critical review of strategic risk management practices when assessing an organization's creditworthiness.

"These evaluations [of senior executives' strategies, effectiveness and credibility] help us develop forward-looking opinions on credit strength by supplementing our fundamental analysis of the company's business and financial risk profile," wrote primary credit analyst Steven J. Dreyer in "Standard & Poor's Looks Further into How Nonfinancial Companies Manage Risk." "We widened the scope of our analysis of some nonfinancial companies' management to enhance our review of managers' ability to identify, monitor and manage key risks: those endemic to its industry and those that managers elect to take when running their businesses. Specifically, we started to look at how a firm's culture (communications, structures, incentives and risk appetite) affects the quality of its decisions and at the role risk considerations play when making strategic decisions."

This more critical focus on the risk management practices of investment grade companies soon became a catalyst for a higher adoption rate of a more disciplined enterprise risk management approach within all organizations.

But now the SEC seems to have taken the lead, and in some companies, its influence is already being felt. For instance, Kevin Willis, vice president and treasurer of Ashland, Inc., a Fortune 500 provider of specialty chemical products, services and solutions, has already seen a greater emphasis placed on risk management in his company as a direct result of the SEC requirements. "Risk management has always been a high priority for our management and directors," he said, "but we are applying even more rigor to our risk management processes today."

In fact, some anticipate that the SEC, more so than the rating agencies, will accelerate the future growth and practice of ERM, especially with respect to the integration of ERM into the strategic planning process. For example, Bristol-Myers Squibb's March 2010 proxy statement combines the discussion of its board's oversight of risk management with strategy. It states, in part:

"Each year, typically during the second quarter, the Board holds an extensive meeting with senior management dedicated to discussing and reviewing our long-term operating plans and overall corporate strategy. A discussion of key risks to the plans and strategy as well as risk mitigation plans and activities is led by the Chairman and Chief Executive Officer as part of the meeting. The involvement of the Board in setting our business strategy is critical to the determination of the types and appropriate levels of risk undertaken by the company."

Having inserted itself into the broader and strategic levels of risk management, the SEC action may also portend a shift in risk management's perceived value to the company. Risk managers typically report through the chief financial officer's chain of command, focusing primarily on risk mitigation and transfer. Risk management is now becoming a higher priority for regulators, and the National Association of Corporate Directors' Blue Ribbon Report on Risk Governance urges boards to assess risk in strategy, to monitor more closely the risks embedded in a company's culture and incentives, and to consider emerging risks to the organization's operations. Will this bring a shift in risk management's relationship with the CEO, general counsel and strategy development? Only time will tell. One thing is certain: with new regulations come increased visibility and opportunity for risk management.

Risk Managers at a Crossroads

Industry leaders have been campaigning for years for risk management to play a more active role in addressing strategic risks. With the SEC's actions, their efforts have paid off. Attention is now focused squarely on risk management. For some risk managers this is a great opportunity to advance both the discipline and their individual careers.

Leading a collaborative, cross-functional team that identifies and manages the material risks across the enterprise, while working with senior management to assure that the board has the proper information to carry out its role in risk oversight, is a critical responsibility. Embracing this responsibility should be part of every risk practitioner's game plan. For some risk managers, the old adage "be careful what you wish for, because it might come true" could prove painfully apt if they are not prepared to expand their skill sets beyond their traditional comfort zones. Risk managers who still view ERM as a passing fad, for instance, should reconsider their position. Otherwise, they could very well find themselves marginalized.

On the other hand, risk managers who seize the opportunity will be able to affect a critical item on the board agenda: value creation and protection. The risk process (identify, analyze, evaluate, implement and monitor) works well with strategic risks. Partnering with those responsible at the corporate level, where growth strategies are developed, to embed these practices into strategic planning will not only meet stakeholder expectations, but will engage the board in a more meaningful way in its oversight responsibilities.

While the SEC rule applies only to publicly traded companies, it is likely that privately held companies will follow suit as major customers begin to conduct more vigorous risk assessments of their suppliers. Board members who serve in executive roles at publicly traded companies or sit on other boards are likely to influence the drive for more robust risk management practices in privately held firms as well.

The action taken by the SEC will change the game for risk managers and ERM practitioners alike. The adoption and acceleration rate of ERM will increase on a much steeper trajectory. If properly implemented and practiced, ERM provides board directors with the kind and quality of information necessary to execute their risk oversight responsibilities and enhance organizational capabilities to create and protect the organization's value. The question remains whether risk managers are poised to take advantage of this new opportunity.

John Bugalla is a principal of ermINSIGHTS, an enterprise risk management consulting firm.
Carol Fox, ARM, is the former vice president of strategic initiatives at RIMS.
Janice Hackett is a principal of ermINSIGHTS, an ERM consulting firm.
Kenneth McGuinness is the senior compliance and risk specialist at the New York Independent System Operator.