Board Relations: Have Risk Disclosure Practices Improved?
CFO Insights: A newsletter from Deloitte’s CFO Program
Since February 28, 2010, companies have been required by the Securities and Exchange Committee (SEC) to disclose the role of their board in risk oversight. The move may have been a response to what was seen as excessive risk taking that led to the financial crisis of 2007-2009.
But since the rules apply not just to financial institutions, CFOs have increasingly been called upon to lead the efforts around formalizing their company’s risk management program and setting a tone that encourages all in the organization to play a part. Further, CFOs are working to better educate their boards on the nuances of enterprise risk management and push for greater distribution of risk responsibility among their board members.
Risk oversight practices
To see just how proficient companies have become in their risk oversight practices, Deloitte undertook a study of risk disclosures of the S&P 500 in 2010 as detailed in their proxy statements. That analysis, which was outlined in Risk intelligent proxy disclosure: Transparency into board level risk oversight,¹ examined 398 companies out of the S&P 500 and focused on 20 considerations, including whether or not the full board was responsible for risk and whether or not the disclosures noted the significance of tone at the top.
The analysis was repeated this year on a more targeted basis. While the focus was again on risk governance and oversight practices at the board level, the universe was limited to the S&P 200² and focused on 12 of the 20 considerations included in the 2010 analysis.
Ultimately, there were 154 companies that can be compared over the two years, and their practices illustrate a steady and encouraging evolution in risk disclosure.
In this issue of CFO Insights, we summarize the findings of the most recent study, Risk intelligent proxy disclosures – 2011: Have risk-oversight practices improved?, and recommend ways CFOs can continue to improve risk disclosures.
The current state of risk disclosure
The SEC requirements, which were issued in December 2009 and effective as of February 28, 2010, aimed to enhance disclosure to investors and other stakeholders regarding board-level risk oversight.
By analyzing risk-related disclosures in proxy statements, the Deloitte study offers insights into that oversight and, perhaps, risk management practices, at least as disclosed. In addition, the study documents the extent to which companies embrace the tenets of the Risk Intelligent Enterprise™—Deloitte’s philosophy of and approach to risk—that was developed to promulgate excellence in risk governance by boards and in risk management by executives, including CFOs.
For example, designating individuals and committees as being responsible for risk, aligning risk management with corporate strategy, and having the board oversee the corporate culture are practices associated with the Risk Intelligent Enterprise™. Other practices covered in the study came from the SEC’s amended rules, which, for example, “require companies to describe the board’s role in the oversight of risk.”
Review the 12 considerations studied and how disclosure practices have changed over the past year as part of Exhibit 1 in the PDF attachment below.
Trends toward better practices
As the statistics indicate, the year-to-year trend is positive on almost every consideration. And this overall trend indicates that companies are either maintaining or increasing their attention to risk oversight practices or maintaining or increasing their disclosure of those practices (or both).
Even the slight decrease in companies disclosing that their audit committee is primarily responsible for risk oversight can be viewed positively: It could be due to a redefinition of how the other board committees are assuming oversight responsibility.
Other findings indicate a steady evolution of board risk oversight practices—an evolution that hopefully will lead not only to increased disclosure but also to improved practices. For example:
- More companies (an increase of 6 percent) disclosed that board committees other than the audit committee are involved in risk oversight.
- More companies (an increase of 6 percent) disclosed that the compensation committee is responsible for overseeing risk in the compensation plans.
- More companies (an increase of 6 percent) disclosed whether risk oversight/management is aligned with the company’s strategy.
- More companies (an increase of 3 percent) disclosed how the board is involved with regard to the company’s risk appetite.
For CFOs in their capacity as stewards, these results can only be encouraging.
As risk management has climbed to the forefront of many CFO agendas, such indications that it is being embraced by the board and translated effectively to stakeholders are a testament to finance’s efforts toward improving risk management. Moreover, in a continuing volatile environment, such increased transparency is also the first line of defense against an array of unseen and constantly changing risks.
Should you increase your risk disclosures?
The Deloitte analysis broke out results for financial services (FSI) companies separately. Due to the nature of FSI businesses and the risks they face, risk management practices tend to be more developed in that industry.
In addition, FSI risk management practices are changing rapidly as the regulatory climate evolves in light of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the Basel Accords, and other regulatory developments.
Whether other companies should emulate FSI firms in risk oversight is open to debate.
The research undertaken by Deloitte came to the conclusion that no one size fits all when it comes to risk management. Still, when it comes to such disclosures, the study recommends that leaders, including CFOs and the board, go beyond minimum requirements and truly embrace risk governance and oversight.
That means welcoming external viewpoints, challenging established approaches, and viewing risk management as integral to planning and implementing strategies that create value. And since CFOs are instrumental in developing those strategies, identifying risks both of and to those strategies can open up a dialogue with the board that could result in new value-added objectives.
In addition, the study makes several key recommendations that CFOs should consider:
- Revisit risk governance and oversight practices periodically to ensure they not only keep pace with, but actually anticipate, the risks your organization and your industry face.
- Keep development of the risk governance and management infrastructure on the leadership agenda and be sure that its development is funded appropriately.
- Monitor risk-related disclosures in the proxy statements of peers, competitors, and market leaders—and of customers and suppliers—and use their practices as benchmarks or goals.
- Ensure that your disclosures and other stakeholder communications tell the full story of your risk oversight and management efforts.
Of course, increased board attention to risk management may prove to be a double-edged sword for CFOs. After all, they will be the ones charged with documenting, delivering, and disclosing all the requisite information. But done well, risk disclosures can identify how CFOs are fulfilling their obligations to the board in their roles as stewards. Moreover, as the Deloitte study indicates, there is still room for improvement despite the steady evolution of risk practices. That means plenty of opportunity for CFOs to champion better risk management throughout their organizations.
¹ Risk intelligent proxy disclosure: Transparency into board level risk oversight; September 2010. Analysis focused on 2010 proxy disclosures covering the board’s role in risk oversight.
² The S&P 200 listing was obtained from the first 200 companies listed on the S&P 500 index, as of March 1, 2011, from www.standardandpoors.com.
⁴ Universe of companies studied in 2010 Risk intelligent proxy disclosure: Transparency into board level risk oversight equaled 398 of the S&P 500; universe studied in Risk intelligent proxy disclosures – 2011: Have risk-oversight practices improved? was 170 of the S&P 200; 154 companies were reviewed in both studies and form the basis of the trend analysis.
As used in this document, 'Deloitte' means Deloitte LLP. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.