SEC Rules Prompt Greater Board Focus on Risk

Against the backdrop of the recent market turmoil, and with a stated goal of enhancing transparency regarding activities that contribute to a company's risk profile, on December 16, 2009 the Securities and Exchange Commission adopted new rules that will require reporting companies to make new disclosures with respect to their risk management policies and practices, effective for the 2010 proxy season. The new rules will require the following:

• To the extent that risks arising from a company's compensation policies and practices for employees are reasonably likely to have a material adverse effect on the company, discussion of the company's compensation policies or practices as they relate to risk management and risk-taking incentives that can affect the company's risk and management of that risk; and
• New disclosure about the board's role in the oversight of risk.

This article provides a brief summary of the new rules as they pertain to risk and proposes practices that will help a company to manage its risk and satisfy its disclosure obligations with respect to those rules.

Compensation and Risk

Under the new rules, a reporting company's proxy statement will need to include a discussion of its compensation policies and practices with respect to its employees generally (not just the Named Executive Officers) to the extent that risks arising from such policies and practices are reasonably likely to have a material adverse effect on the company. The SEC's stated purpose of the new disclosure requirement is to help investors identify whether a company has "established a system of incentives that can lead to excessive or inappropriate risk taking by employees."

While the compensation risk discussion was originally proposed to be a component of Compensation Discussion and Analysis (CD&A), under the final rules these new disclosure requirements will now appear as a separate section of the proxy statement. Disclosure of compensation risk is therefore outside the required compensation committee review that applies to CD&A, as to which the compensation committee report must state whether the committee recommended to the board of directors that the CD&A be included in the 10-K and proxy statement. Nevertheless, this new SEC disclosure requirement applicable to company-wide compensation practices, coupled with the new requirement, discussed below, as to the board's role in risk oversight, will likely mean that compensation committees, as a practical matter, will expand the scope of their attention beyond executive compensation.

The proposed rules would have required a discussion to the extent that risks arising from compensation policies and practices "may have a material effect on the company." The final rules require a discussion if the policies and practices create risks that "are reasonably likely to have a material adverse effect on the company." The "reasonably likely" standard is a more concrete disclosure threshold and aligns this compensation disclosure with the reasonably likely test that is already familiar from Management's Discussion and Analysis (MD&A).

As modified in the final rules, the requirement to disclose risks arising from compensation policies and practices allows companies to consider factors, such as internal controls, that may serve to offset or mitigate risks otherwise arising from compensation policies and practices. In our view, the ability to net internal controls and other factors against risks otherwise arising from compensation policies and practices is one of the most significant changes from the proposed rules and, as a practical matter, should result in very few companies concluding that they need to make any disclosure under this new requirement.

In keeping with recent SEC practice, the new rule on disclosure of compensation risk is principles-based and not prescriptive. However, the SEC did offer the following non-exclusive list of situations that could trigger a duty to discuss compensation risk:

• Policies and practices at a business unit of the company that carries a significant portion of the company's risk profile;
• Policies and practices at a business unit with compensation that is structured significantly differently than other units within the company; 
• Policies and practices at a business unit that is significantly more profitable than others within the company;
• Policies and practices at a business unit where the compensation expense is a significant percentage of the unit's revenues; and
• Policies and practices that vary significantly from the overall risk and reward structure of the company, such as when bonuses are awarded upon accomplishment of a task, while the income and risk to the company from the task extend over a significantly longer period of time.

If a compensation policy or practice requires disclosure in accordance with the foregoing analysis, the SEC has provided a suggested list of issues that may be appropriate to address, such as any changes the company has made to its compensation policies and practices as a result of changes in its risk profile.

It should be noted that the final rule does not require a company to make an affirmative statement that it has determined that the risks arising from its compensation policies and practices are not reasonably likely to have a material adverse effect on the company.

Finally, the new compensation-based risk disclosure is not a requirement for "smaller reporting companies" as defined by SEC rules.

Distinguishing Compensation Risk to the Company and to the Executive

While it is true that the new rules do not impose additional disclosure requirements for the CD&A, the SEC's proposing release made it clear that, to the extent that such risk considerations are a material aspect of the company's compensation policies or decisions for Named Executive Officers, it is the SEC's view that a company is already required to discuss them as part of its CD&A under the rules as they existed before the recent amendments. In this regard it is important to distinguish compensation risk to the company, which is addressed by the new rules, and compensation risk to the executive, which is not covered by the new rules. Compensation risk to the executive, in the sense of having compensation elements that are "at risk" because they are contingent on performance or other contingencies, will continue to be an appropriate subject for the CD&A, which contemplates the possible analysis and discussion of compensation structured and implemented to reflect elements of the company's performance.

The Role of the Board in Risk Oversight

The new rules also require reporting companies to disclose the role of their boards in monitoring operational and financial risks. While the original proposal called for a discussion of the board's risk management, the final rules address the board's risk oversight. Disclosure as to the board's role in overseeing the company's risk will be a new element of the proxy statement. Companies will be obligated to discuss the board's risk oversight function, such as whether the board as a whole or a board committee is responsible for the board's risk oversight function, whether the company personnel responsible for risk management report directly to the board or committee, and whether and how the board or committee monitors risk.

What You Should Do

Now that the reporting season is upon us, the first item of business is to conduct a thorough fact-gathering examination of company-wide compensation practices and any circumstances that could give rise to a disclosure obligation, including specifically, those situations described by the SEC and noted above. In addition, the examination should take into account any internal controls and other risk-mitigating factors. The process should be conducted under the direction, or at least the oversight, of the compensation committee. This process is the foundation for an analysis, as a threshold matter, as to whether any disclosure is required under the following standard:

To the extent that risks arising from the registrant's compensation policies and practices for its employees are reasonably likely to have a material adverse effect on the registrant, discuss the registrant's policies and practices of compensating its employees, including non-executive officers, as they relate to risk management practices and risk-taking incentives.

Beyond the matter of disclosure in the proxy statement, compensation committees should take a fresh look at risk and compensation. To state the obvious, risk is inherent in business. Indeed, it is the foundation of and reason for the business judgment rule. As business schools teach early on, it is axiomatic that an unwillingness to take risk is itself a risky strategy. A company's compensation structure should be designed to reward risk-taking behavior while at the same time mitigating risks that could result in disproportionately adverse effects on the company. Analysis of risk should be included as part of the decision-making process and incorporated as an element of compensation plan design. This analysis could include developing targets that work together to diversify risk. Compensation practices should be developed with a view to having variable compensation programs with multiple balanced elements, thereby diluting the risk associated with a program that over-emphasizes one element.

In order to better align risk and reward, companies should consider mechanisms such as clawbacks for payments based on misstated results or other objectively determinable misconduct, holding periods or payment deferrals of incentive awards, and minimum stock ownership requirements, so that executive officers and directors have skin in the game – risk-sharing for the long haul. Another possible tool is providing for negative discretion so that compensation committees can adjust compensation downward if the targets are hit but unreasonable risks were incurred in doing so. Ultimately, a company's compensation policy (and practice) should be integrated with the company's business strategy.

There is no one right answer for the right governance structure. Some companies will keep general oversight at the board level, with subsets of risk primarily in the hands of committees (e.g., financial and accounting risk in the audit committee, compensation risk with the compensation committee). For certain companies, it may make sense to establish a risk management committee to focus exclusively on and coordinate oversight of all facets of a company's risk profile, as many companies in the financial services sector have already done. However the oversight function is accomplished, risk will be an important and continuing agenda item. Depending upon the board's decision as to how it will oversee risk, charters of board committees should be reviewed to make sure that they reflect the allocations of responsibility for risk oversight.

While the new rules provide enhanced disclosure regarding the background and qualifications of directors, as we have discussed in a separate publication, the final rules dropped a proposal that would have required information about a director or director nominee's "risk assessment skills." While disclosure of risk assessment skills is no longer specifically required, those skills will nonetheless be important to have in the boardroom given the heightened focus on risk. Consequently, a board will want to be mindful of the presence or absence of this skill set among its members when conducting its self-assessment process and prioritizing the attributes of new board candidates.

In considering compensation disclosures, it will be important to coordinate with the risk factors, as well as MD&A, which the SEC also expects to address material risk. To the extent that risks arising from compensation policies and practices are reasonably likely to have a materially adverse effect on a company, the company should disclose such risks in the risk factors section of Form 10-K.

More to Come?

The SEC's recent actions discussed above are consistent with the disclosure-centric regulatory regime of the federal securities laws. This may well not be the last word on the subject.

President Obama set the tone of things to come in his February 4, 2009 remarks introducing executive compensation reform applicable to TARP recipients:

These guidelines we're putting in place are only the beginning of a long-term effort. We're going to examine the ways in which the means and manner of executive compensation have contributed to a reckless culture and quarter-by-quarter mentality that in turn helped to wreak havoc in our financial system. We're going to be taking a look at broader reforms so that executives are compensated for sound risk management and rewarded for growth measured over years, not just days or weeks.

While beyond the scope of this article, readers should be mindful of other legislative initiatives that may impact how companies should address risk in compensation design and governance practices that are working their way through Congress. Some of the proposals would go well beyond disclosure and mandate substantive change in corporate practices and governance. For example, certain proposals would require clawbacks of unearned incentive compensation, require disclosure of whether employees can hedge their investments in company stock and require risk committees for certain financial institutions and "systemically important" companies.