managing risk while managing your stock plan what should and shouldn’t be keeping you up at night...
TRANSCRIPT
Managing Risk While Managing Your Stock Plan
What should and shouldn’t be keeping you up at night
Introductions
• Carine Schneider, CEO, Equity Administration Solutions, Inc.
Agenda
• Data Privacy
• Software Model
• Outsourcing
• Plan Interpretation
• Plan Set-up
• SAS 70s
Data Privacy
• Understanding the EU Data Privacy Directive
– Company must obtain consent from participants before data can be shared with a third party.
– Consent must cover what data is being shared and for what purpose.
– Consent to share data should be part of the communication of grants to participants, but be careful about how consent is requested in order not to violate the Directive with the request.
– Safe Harbor exception for processing in the United States
Data Privacy
• Data Privacy in the United States
– No overarching rules.
– Massachusetts is currently the most stringent standard, and thus serves as a good guide to follow.
– Need to assign an individual or a group to be responsible for risk mitigation.
– Encryption is required for sensitive data.
– Comprehensive training on security standards and procedures is required.
– Review where data is housed and secured.
Software Models-The ‘pros’
• SaaS
– Less demand from internal IT
– May be more globally accessible for a mobile or remote administration team
– Scaling to future growth is easier (you’ve outsourced the problem)
• Server
– Control over which version of the software you are on
– Vendor Risk Assessment is limited to the development process, as hosting is your own environment
– May reduce issues related to data privacy
Software Models-The ‘cons’
• SaaS
– Less control over software version and changing browser compatibility
– Increases Vendor Risk Assessment requirements
– May increase data privacy requirements
• Server
– May be difficult to predict the cost of running the program into the future
– Transition to new versions of software poses a burden to the stock admin team as well as IT
To Outsource…
• What audit controls are in place?
• What is the knowledge base of the people administering your plan?
• What technology is being leveraged to administer your plan?
• Is your entire participant base being cared for?
• Who can you call?
• Are your procedures written out? Do all parties understand their part in the process?
Or Not to Outsource?
• How is access to data controlled?
• How will the plan be supported on a day-to-day basis? What cross-training exists?
• How is ongoing education being handled? Are all disciplines of share plan functionality being addressed?
• How well understood is the technology being used? (reference the earlier discussion on technology models)
Plan Interpretation
• Discrepancies between plan documents and grant agreements
– Termination type definitions
– Changes to definitions, how are they phased in?
• Ramifications of modifications
– Be sure to discuss any proposed grant modifications with accounting, tax, and legal
– Document your process for modifications so that they can be handled the same way each time
Plan Set-up
• Share Reserve
– Be sure to track changes over time
– Limits on award types
– Fungible shares
• Rounding rules
– Vesting
– Share withholding
• FMV definitions
SAS 70, What does it really mean?
• SAS 70 is an audit style that gained popularity in the US with the passage of Sarbanes-Oxley (SOX)
• This audit report should be available from most US-based vendors of share plan administration, related software, or transaction processing services
• Audit does NOT confirm that your financial reporting is correct, only that it is performed in an environment with the proper controls in place
• As the issuing company, be aware that some of the controls are your responsibility