Two years after the Securities and Exchange Commission enacted new proxy disclosure rules requiring companies to reveal more about how their boards oversee risk, many companies are still struggling with how to effectively communicate aspects of their risk-management programs to investors.

The most vexing question companies are struggling with right now is what constitutes a “good” disclosure, says Brian Barnier, principal analyst at ValueBridge Advisors.

According to analysis by ValueBridge Advisors, a risk consulting firm, of 54 risk-related disclosures issued by Standard & Poor's 500 companies during the 2011 proxy season, many companies provide information that is too simplistic and lacks details on the company's risk processes and overarching philosophy. The intent of the analysis was to assess how companies have been faring since the SEC enacted revamped corporate governance disclosure requirements in February 2010. The short answer is: not so good.

The analysis benchmarked companies' disclosures around three best-practice frameworks: the International Corporate Governance Network's (ICGN) Risk Oversight Guidelines; the four functions of a governor described in The Operational Risk Handbook; and the corporate governance policies from the Council of Institutional Investors.

From those benchmarks, the analysis placed the disclosures into four distinct buckets:

Basic;

Basic plus audit;

Basic plus audit and process details; and

Basic plus audit, process, and philosophy details.

According to the analysis, more than 75 percent of the disclosures fell into the categories of “basic” (44 percent) and “basic plus audit” (32 percent). These disclosures provided little information to investors on the company's approach to risk, other than to state that the company had a perfunctory risk oversight process, including a few that added some boilerplate audit language.

One example of a basic disclosure stated: “The board's role in the company's risk-oversight process includes reviewing and discussing with members of management areas of material risk to the company, including strategic, operational, financial, and legal risks. The board as a whole primarily deals with matters related to strategic and operational risk.”

Basic disclosures such as these are “not really communicating any information, which is what the investor community is looking for,” Barnier says.

Only fifteen percent of companies fell into the third category of those that provide additional details about their risk processes. An example of such a disclosure is this one provided by Mastercard: “The ERM program leverages our business processes to, among other things, ensure: allocation of resources to appropriately address risk; establishment of clear accountability for risk management; and provision of transparency of risks to senior management, the board of directors, and appropriate board committees.”

Only nine percent of companies' disclosures fell into the fourth category of also providing information about the company's risk philosophy. These disclosures stood out from all the rest by including information about the board's approach, and objectives for risk oversight and management linked to future value—as opposed to a collection of mere legal, audit, and compliance tasks.


The study cited American Express for doing a good job of describing its risk oversight and management approach to risk. Its disclosure stated: “The key objective of risk management at the company is to maintain and continuously improve risk-management controls and processes in order to enable profitable growth and deliver outstanding customer service, while managing adverse developments. This objective is accomplished by investing in talent and global capabilities as well as by creating a company-wide culture focused on risk-return tradeoffs within established risk limits, and identifying excessive, unacceptable, and uneconomic risks.”

Effective Disclosures

Based upon examples of the good—and not so good—disclosures, ValueBridge recommends four ways companies can improve their disclosures:

Focus on strategy and value creation objectives. This involves shifting away from a typical compliance-driven approach toward a more performance-driven approach.

“Companies get too wrapped up in the legal jargon instead of trying to truly tell stories around what the true risks are for each company and thinking proactively about potential risks on the horizon,” says Aeisha Mastagni, an investment officer at California pension giant CalSTRS.

Describe how it works. Investors want to understand that boards “get it,” when it comes to organizational structure, process, and leadership. The study cites two companies—Goldman Sachs and U.S. Bancorp—that have demonstrated their organizational structure especially well by providing diagrams of their risk oversight and management roles (committees and individuals), as well as statements regarding process and information flow. “These are starting points to which companies can add meaningful statements about process, communication, and leadership,” Barnier says.

Discuss the board's decision making on risk processes. In addition to providing oversight to management, boards also directly manage risks from their own processes and decision making. Such responsibilities, however, are not always spelled out in companies' disclosures.

How are board members being selected, trained, and kept informed? How is risk being built into those decisions? “That is a key point that almost everybody missed,” says Barnier.

Demonstrate continual improvement. Improvement can come in several forms: people, structure, processes, or communication. One particular area of disclosure many companies can improve upon is their board's assessments of skill gaps and the actions they took to close such gaps.

CalSTRS, for example, has had several conversations with companies that have directors who used to sit on the boards of now-defunct financial companies, but many don't bother to explain why that particular individual is an appropriate member for their particular board, says Mastagni. “That is definitely something people are going to be focusing on more,” she says. “We need to be assured that the company has actually considered and reevaluated the director's qualifications before reappointing them to the board.”

Some companies have achieved this by providing individual board biographies. Broadly speaking, good disclosures provide insight for investors on what the board learned from its leadership structure and risk oversight, and how the company has since improved its risk-management processes.

Looking Ahead

Disclosures on the company's political contributions and lobbying activity will be an especially “hot topic” for the 2012 proxy season, Mastagni says. Investors will want to see not only that there is a policy in place for political contributions, but also that the board is overseeing the process. “Our goal here is to make sure the board understands the process for how these contributions are being made,” she says.

IMPROVING DISCLOSURE

The following information from ValueBridge Advisors describes company disclosure errors and what companies can do to improve:

Stepping back and looking at what was disclosed, the overall disclosures seemed to sort themselves into four categories:

Those that primarily echoed the wording of the rule

Those that primarily echoed the wording of the rule plus rather boilerplate audit language

Those that added details about how risk oversight and management processes operated

Those that added statements about philosophy/approach/objectives toward risk oversight and management

Going forward: A modest, four-point proposal is offered to increase disclosure effectiveness:

Focus on strategy and value creation objectives—not just audit and compliance

Describe more meaningfully “how it works”—not just committees that exist and talk

Discuss the board's own risk-return aware decision-making—not just what management does

Demonstrate continual improvement—not just static process mechanics

The current state of affairs conveys that the goals are ambitious, but they should not be dismissed to the realm of the unattainable. The ball is now in the court of investors, analysts, boards and key managers. The opportunity is clear: to not only improve the quality of insight, but also to substantively improve the quality of earnings and, ultimately, economic growth through a more performance-driven approach to risk oversight and management.

Source: ValueBridge Advisors.

Another area that still needs significant improvement is more disclosure on risks related to compensation. For example, companies will disclose what metrics they are using for compensation, but don't disclose their targets and why they chose them. And companies that do disclose their targets don't always do a good job explaining why they chose those particular numbers.

“They're now starting to realize that it's more important to disclose those numbers to their shareholders so that we can truly understand how people are paid,” says Mastagni.

Not all the news on risk disclosure is bad. A recent analysis by Deloitte, which compared the 2010 and 2011 proxy statements of S&P 200 companies, points to marked improvements, at least in the way companies think about their disclosure practices. “We certainly see trends to the positive,” says Henry Ristuccia, co-leader of U.S. governance and risk services for Deloitte.

For example, when asked whether companies align their risk oversight with their overall strategy, 45 percent of respondents said they did in 2011, compared to 39 percent in 2010. The Deloitte study also showed that 90 percent of companies acknowledged in their 2011 proxy statements that risk is the responsibility of the entire board—not just the risk committee or the audit committee. This figure marks a six percent increase from 2010 proxy statements. “So you're starting to see a healthier dynamic,” says Ristuccia, “at the overall board level when it comes to risk oversight and risk discussions.”