
Risk Management: Reform Initiatives

Alert

Overview

In response to the global economic crisis, several legislative and regulatory reform initiatives have been proposed in the U.S. Congress and by the Securities and Exchange Commission (SEC) to strengthen boards of directors' oversight and management of corporate risk. Senators Charles Schumer (D-NY) and Maria Cantwell (D-WA) have proposed legislation that would require all public companies to institute independent, stand-alone, board-level risk committees. In addition, Senator Christopher Dodd (D-CT) has drafted legislation that would require certain financial institutions, but not all public companies, to create stand-alone risk committees. The House Financial Services Committee has completed work on legislation that would require financial institutions with more than $1 billion in assets to provide disclosure about risk incentives created by executive compensation policies and would give federal regulators authority to proscribe risky compensation policies. In addition, the SEC has proposed rules that would require additional disclosure about the board of directors' role in the issuer's risk management process and about whether the issuer's compensation plan encourages risk taking.

Existing Standards

Most companies do not utilize independent risk committees, relying on audit committees to assess and manage risk. However, according to a 2008 National Association of Corporate Directors' Public Company Governance Survey, 79 percent of boards with an independent risk committee rated themselves as highly effective at assessing and managing risk, while boards that delegated risk oversight to the audit committees rated themselves as less effective. Most companies that utilize stand-alone risk committees operate in highly regulated segments of the economy such as financial services, insurance and health care.

The New York Stock Exchange Listed Company Manual Section 303A.07 requires companies to discuss risk assessment and risk management. In addition, it allows for the creation of separate risk committees, as long as the audit committee maintains review of the risk committee. The NASDAQ corporate governance standards are silent on board-level oversight and management of risk. Companies that participated in the Troubled Asset Relief Capital Purchase Program, as part of the Emergency Economic Stabilization Act of 2008, are required to review and certify in the CD&A section of the company's proxy statement that its executive compensation programs do not encourage excessive risk taking.

Proposed Reforms

Legislative Reforms

In May 2009, Senators Schumer and Cantwell proposed the Shareholder Bill of Rights (S. 1074), which includes a requirement that public companies create stand-alone risk committees. Under Section 5 of the bill, every public company would be required to "establish a risk committee, comprised of entirely independent directors," which would be responsible for the establishment and evaluation of risk management practices of the company. The SEC has one year from the enactment of the legislation to issue final rules for risk committees. The legislation has been referred to the Committee on Banking, Housing, and Urban Affairs.

In November 2009, Senator Dodd proposed the Restoring American Financial Stability Act of 2009, which is largely consistent with the Shareholder Bill of Rights. However, Senator Dodd's proposal would require only systemically important financial companies to create separate risk committees. In addition, the risk committee would be required to have one risk management expert with experience in "identifying, assessing, and managing risk exposures of large, complex firms." The proposal must be approved by the Senate Committee on Banking, Housing, and Urban Affairs before moving to a full vote in the Senate.

The Wall Street Reform and Consumer Protection Act of 2009 (H.R. 4173) would require financial institutions with more than $1 billion in assets to disclose compensation structures so that federal regulators can determine whether the institution's policies encourage excessive risk taking. Additionally, federal regulators would be able to prohibit any compensation arrangement or feature that encourages inappropriate risks. The House Financial Services Committee approved the legislation on December 2, 2009, and it will be moving to the House floor for debate.

Regulatory Reforms

In July 2009, the SEC proposed adding new disclosure requirements to Item 407 of Regulation S-K, with a corresponding amendment to Item 7 of Schedule 14A. These amendments would require public companies to disclose how the company's board or board committee assesses and manages risk. Additionally, the SEC has proposed amendments to the CD&A requirements, which would require additional disclosure in the proxy statement. Companies would be required to provide information about the company's compensation policies and how these policies affect the company's risk. The proposed rules contain a non-exhaustive list of situations where a company's compensation policies have the potential to raise material risks. They also provide guidance on the types of issues a company would be required to address.

The enhanced disclosure requirements are designed to provide investors with a better understanding of the board's or board committee's role in assessing and managing risk and how a company's overall compensation policy affects employees' incentives to take risks. The comment period for these proposed rules ended in September 2009.

Issues to Consider

In light of the increased focus on risk management, companies should consider this a key issue for 2010. Establishing a stand-alone risk committee has several advantages, including relief for the overburdened audit committee, a more comprehensive approach to risk, and cross-committee cooperation. However, it may be difficult for a company to find enough independent and qualified directors to serve on the risk committee. Additionally, it is important that risk oversight remain a core function of the entire board, and the creation of a separate risk committee should not be seen as a complete delegation of this responsibility.

Whether a company decides to institute a stand-alone risk committee or just reassess and strengthen its current risk management structure, all companies should be critically evaluating risk protocols.
