risk intelligent proxy disclosures 2011
8/3/2019 Risk Intelligent Proxy Disclosures 2011
Risk Intelligent proxy disclosures 2011: Have risk-oversight practices improved?
In 2010, Deloitte analyzed risk-related disclosures in proxy
statements issued by S&P 500 companies. Our goal was
to identify risk governance and oversight practices in light
of the Securities and Exchange Commission's (SEC) proxy
disclosure rules that went into effect on February 28,
2010. This year we conducted a similar analysis to assess
the state of disclosures and the extent of any progress, and
we found evidence of steady and encouraging evolution.
In 2011, we made several modifications to sharpen the
focus of the analysis. We again focused on risk governance
and oversight practices at the board level, as disclosed in
proxy statements filed by S&P organizations. But this year
we limited our review to the proxy statements of the S&P
200. [1] Also, rather than 20 considerations, we focused on
12 matters most often indicated as areas of interest by
board members and executives in client interactions with
Deloitte (as we explain below).
This document reports the results of this year's analysis and
identifies trends we found in risk-oversight practices at the
more than 150 companies whose proxy statements we
reviewed in each of the two years.
The significance of risk-related disclosures
Deloitte initiated this analysis to gauge companies'
responses to the 2009 SEC requirements regarding
risk disclosures in proxy statements. Those requirements
aimed to enhance disclosure by companies to investors
and other stakeholders regarding board-level, risk-oversight
practices.
Analyzing risk-related disclosures in proxy statements
provides a window into risk oversight and, perhaps, risk
management practices, at least as disclosed. Deloitte's
analysis views the proxy statements as an investor or
other stakeholder would, to evaluate each company's risk
governance and oversight practices.
As in 2010, the considerations for which we analyzed
the proxy statements reflected the intent of the SEC's
amended rules and the tenets of the Risk Intelligent
Enterprise™ (see Exhibit 1). The latter, Deloitte's
philosophy of and approach to risk, embodies sound
principles and practices of risk management, governance,
and oversight at the board and executive levels and
throughout the organization. Deloitte developed the
concept of the Risk Intelligent Enterprise to promulgate
excellence in risk governance by boards and in risk
management by executives.
The considerations we used in our review of proxy
statements (see Exhibit 2) enabled us to ascertain to a
reasonable extent whether the organization employs
certain Risk Intelligent practices. For instance, designating
individuals and committees as being responsible for
risk, aligning risk management with corporate strategy,
and having the board oversee the corporate culture are
practices associated with the Risk Intelligent Enterprise.
Practices covered in considerations also came from
the SEC's amended rules, which, for example, require
companies to describe the board's role in the oversight
of risk. [2]
Exhibit 1. The Risk Intelligent Enterprise
[Figure. Tone at the top. Board of Directors: responsible for risk oversight. Executive Management: responsible for risk infrastructure. Business Units and Supporting Functions: responsible for specific risk ownership and management. Other labels: People, Process, Technology, Risk management activities, Risk classes.]
What we did
To focus on the ways in which boards and
management structure and execute their risk oversight
and management roles and responsibilities, Deloitte
identified specific considerations to be used in its analysis.
These considerations can be phrased as questions
and answered "yes" or "no" based on the presence
or absence of specific wording and facts in the risk
oversight disclosures. If, upon inspection of a company's
disclosure, the reviewer can answer a question "yes,"
that consideration has been satisfied, or if the answer is
"no," it has not been. This approach employs objective
criteria which can be readily ascertained in the disclosures.
In this second year of this review, we can also compare
year-to-year trends for those S&P 200 companies that
were included in both the 2010 and 2011 analysis (see
Methodology sidebar).
Deloitte accepts the disclosures at face value. Thus, a
company may indeed have aligned its risk oversight
with its business strategy, or its board may somehow be
involved in discussing and approving the risk appetite,
but it may have omitted those facts in its proxy disclosures.
By the same token, a company may have indicated that it
has aligned risk oversight with its business strategy or that
it involved the board in discussing and approving the risk
appetite of the organization, but may actually have failed
to do so.
Methodology
As follow-up to its 2010 review of risk-related disclosures in corporate proxy statements, in 2011 Deloitte analyzed the
risk disclosures of 170 proxy statements filed by S&P 200 companies between January 1, 2011 and May 31, 2011.
The SEC website, specifically the EDGAR [3] platform, was our primary source of proxy statements. We limited the
analysis to the information included within the "board's role in risk oversight" (or similar) section or paragraphs of
the proxy statement. If the statement did not include such a section, we used the "board leadership" or "board
structure" paragraphs within the proxy statement for our analysis. If we could not identify the risk disclosure within
these two sections, we assigned no classification to the considerations even though a consideration may have
been included elsewhere in the proxy statement. (See Exhibits 2 and 3 for the 12 considerations Deloitte used.) The
goal of our analysis was to determine whether specific aspects of board-level risk oversight and senior executive-level
risk management (considerations) were covered in the organization's proxy disclosure.
Of the 170 companies whose proxy statements were reviewed in 2011, 154 were also reviewed in 2010. That sample
of 154 companies forms the basis of the year-to-year trend comparisons. (The 2010 review of the S&P 500 included
companies that issued proxy statements from February 28, 2010 through July 1, 2010.)
Key findings
Given that 2010 was the first year of this analysis, last year
we reported the results without comparative data. This
year, we can compare disclosures from year-to-year. To
make this comparison as precise as possible, we compare
the results of the 154 S&P 200 companies that appeared
in both years' sample.
First, in Exhibit 2, we present the findings of the 170
companies of the S&P 200 that issued proxy disclosures
between January 1, 2011 and May 31, 2011. In Exhibit
3, we show key trends in practices as evidenced in the
considerations among the 154 companies in both the
2010 and 2011 samples.
In presenting the data for 2011 (Exhibit 2), we show the
financial services industry (FSI) companies separately from
those in the other four industry groups (Technology,
Media & Telecommunications; Consumer & Industrial
Products; Healthcare Services & Government; and Energy
& Resources), which we aggregate into the "All Others"
category. We do this because FSI companies' risk oversight
and management practices tend to be more developed
in certain areas, due to the nature of their business and
the risks they face. In addition, FSI risk management
practices are changing rapidly as the regulatory climate
evolves in light of the Dodd-Frank Wall Street Reform and
Consumer Protection Act (Dodd-Frank), the Basel Accords,
and other regulatory developments.
Exhibit 2: Benchmark finding: Deloitte's risk proxy disclosure considerations (entire sample, 2011)
(% receiving a "yes" response)

| Consideration | S&P 200 (170) | FSI (27) | S&P All Others [4] (143) |
|---|---|---|---|
| 1. Does the disclosure note that the full board is responsible for risk? | 90% | 89% | 90% |
| 2. Is the audit committee noted as the primary committee responsible for risk? | 64 | 48 | 66 |
| 3. Are other board committees noted as being involved in risk oversight? | 89 | 78 | 91 |
| 4. Is the compensation committee disclosed as being responsible for overseeing risk in the compensation plans? | 62 | 52 | 64 |
| 5. Does the company have a separate board risk committee? | 6 | 33 | 1 |
| 6. Does the company disclose whether risk oversight/management are aligned with the company's strategy? | 47 | 41 | 48 |
| 7. Does the disclosure note whether the chief executive officer (CEO) is responsible for risk management or how the CEO is involved? | 35 | 44 | 34 |
| 8. Does the company have a chief risk officer (CRO)? | 21 | 63 | 13 |
| 9. Does the company have a risk management committee (at the management level)? | 23 | 33 | 21 |
| 10. Does the disclosure note how the board is involved with regard to the company's risk appetite? | 11 | 26 | 8 |
| 11. Does the disclosure note the board's oversight with regard to corporate culture? | 7 | 19 | 5 |
| 12. Does the disclosure separately address reputational risk? | 25 | 37 | 22 |
In the entire sample, more than 50 percent of the
companies disclose using the first four practices, which
focus on the board governance structure and the
allocation of oversight responsibilities among the board
and its committees. Also, almost half (47 percent) disclose
whether risk oversight/management are aligned with the
company's strategy, an important but often overlooked
practice.
Certain differences between companies in the FSI sample
and other industries are noteworthy:
• A smaller percentage of FSI companies (versus non-FSI
  companies) disclose that the audit committee is primarily
  responsible for risk, that the compensation committee
  is responsible for overseeing risk in compensation plans,
  and that risk oversight/management are aligned with the
  company's strategy (considerations #2, #4, #6).
• However, compared with their non-FSI counterparts,
  a much larger percentage of FSI companies have a
  separate board risk committee and a chief risk officer.
  This may in part explain, for example, the lower
  percentage of audit committees and compensation
  committees being responsible for risk, as noted in the
  above bullet (considerations #5, #8).
• A much larger percentage of FSI companies disclose
  how the board is involved with regard to the company's
  risk appetite (consideration #10).
• A greater percentage of FSI companies disclose how
  the board is involved with regard to corporate culture
  (consideration #11).
On the latter two points, FSI companies may be harbingers
of future developments at non-FSI companies. Board
involvement in risk appetite (in guiding management
to develop parameters around the amount of risk that
is appropriate for the organization and periodically
reviewing it) and the board's role with regard to fostering
a corporate culture in which risk thinking is embedded in
decision-making, are key considerations.
Such involvement indicates a board exercising oversight
rather than simply approving management's chosen
courses of action. Boards benefit their organizations and
stakeholders by being involved in the risk appetite and
corporate culture and in otherwise setting the tone at
the top.
Again, to make the year-to-year comparison as meaningful
as possible, we present the data for the 154 S&P 200
companies that were in the sample in both years.
Exhibit 3: S&P 200 trend analysis: 2011 vs. 2010
(% receiving a "yes" response)

| Consideration | S&P 200 (2010) | S&P 200 (2011) | S&P +/- in 2011 (percentage points) |
|---|---|---|---|
| 1. Does the disclosure note that the full board is responsible for risk? | 88% | 89% | +1 |
| 2. Is the audit committee noted as the primary committee responsible for risk? | 65 | 64 | -1 |
| 3. Are other board committees noted as being involved in risk oversight? | 82 | 88 | +6 |
| 4. Is the compensation committee disclosed as being responsible for overseeing risk in the compensation plans? | 52 | 58 | +6 |
| 5. Does the company have a separate board risk committee? | 5 | 6 | +1 |
| 6. Does the company disclose whether risk oversight/management are aligned with the company's strategy? | 39 | 45 | +6 |
| 7. Does the disclosure note whether the chief executive officer (CEO) is responsible for risk management or how the CEO is involved? | 28 | 34 | +6 |
| 8. Does the company have a chief risk officer (CRO)? | 20 | 22 | +2 |
| 9. Does the company have a risk management committee (at the management level)? | 23 | 25 | +2 |
| 10. Does the disclosure note how the board is involved with regard to the company's risk appetite? | 8 | 11 | +3 |
| 11. Does the disclosure note the board's oversight with regard to corporate culture? | 6 | 8 | +2 |
| 12. Does the disclosure separately address reputational risk? | 24 | 27 | +3 |
The overall year-to-year trend is positive on every
consideration except one (consideration #2). The slight
decrease in companies disclosing the audit committee
as being primarily responsible for risk oversight could be
due to a shift from the audit committee being primarily
responsible for risk, to the redefinition of how the other
board committees may assume responsibility for oversight
of certain risks. This practice results in additional board
members and/or other board-level committees engaging
in risk oversight, with the full board ultimately remaining
accountable for risk oversight.
The overall positive trend indicates that companies are
either maintaining or increasing their attention to practices
regarding risk oversight or maintaining or increasing their
disclosure of those practices (or both). We expect that few,
if any, companies are reducing their attention or disclosure
in these areas.
To cite specifics:
• More companies (an increase of 6 percent) disclosed
  that board committees other than the audit committee
  are involved in risk oversight (consideration #3).
• More companies (an increase of 6 percent) disclosed
  that the compensation committee is responsible
  for overseeing risk in compensation plans
  (consideration #4).
• More companies (an increase of 6 percent) disclosed
  whether risk oversight/management are aligned with the
  company's strategy (consideration #6).
• More companies (an increase of 3 percent) disclosed
  how the board is involved with regard to the company's
  risk appetite (consideration #10).
These findings indicate a steady evolution of board
risk-oversight practices in major corporations over the past
year. It's natural that change in large organizations would
occur in a steady fashion. Boards and executives are feeling
their way forward in the new landscape, as are regulators.
This evolution should lead not only to increased disclosure
but to improved practices. In the Risk Intelligent Enterprise,
the two go hand-in-hand. Increased disclosure increases
board and management attention to the practices being
disclosed. Some leadership teams will respond faster
than others. Yet most will eventually respond positively to
stakeholders' increasing awareness of risk oversight and
management practices and, by extension, stakeholders'
awareness of leaders' ability to manage risk.
Case in point
To take one example, it's heartening to see that more
companies are disclosing whether risk oversight and
management are aligned with the company's strategy. This
is a foundational element in the Risk Intelligent Enterprise.
When corporate leaders consider the alignment between
risk-related practices and their strategies for value-creation,
they are practicing Risk Intelligence.
Specific language in the proxy statements we reviewed
speaks to board members' and executives' awareness of
the need to consider risk when considering strategy, as the
following quotes demonstrate:
"At least annually, the board of directors discusses with
management the appropriate level of risk relative to our
corporate strategy and business objectives and reviews
with management our existing risk management processes
and their effectiveness."
"The involvement of the board in setting our business
strategy is critical to the determination of the types and
appropriate levels of risk undertaken by the company."
"[The Company] engages in numerous activities seeking
to align its voluntary risk-taking with company strategy,
and understands that its projects and processes may
enhance the company's business interests by encouraging
innovation and appropriate levels of risk-taking."
When companies consider the alignment between risk
oversight/management and strategy, they often find
that a Risk Intelligent approach calls for examining not
only the risks to the strategy but the risks of the strategy.
Most leadership teams consider the former but neglect
the latter. The risks of a strategy can be more difficult
to discern without the objectivity that a board engaged
in risk oversight can bring to the table. In that way Risk
Intelligence and board risk oversight open up new ways of
thinking about risk.
What can you do?
While it's essential that board members and executives be
seriously engaged in risk oversight and risk management,
it is also important to tell the story of that engagement.
Risk-related disclosures in proxy statements are one
important vehicle for doing this.
When it comes to these disclosures and other regulatory
developments, Deloitte recommends that leaders go
beyond minimum requirements imposed by regulation
and truly embrace risk governance and oversight. This
includes management welcoming external viewpoints and
challenging established approaches. Management should
view risk oversight and risk management as integral to
planning and implementing strategies that create value,
grow the business, and benefit stakeholders.
It also means that board members should continually
educate themselves and senior executives about risk
management and risk oversight, ensure that a strong risk
governance infrastructure is in place (with appropriate
committees, expertise, systems, and metrics), and
understand that risk management involves more
than enterprise risk management (ERM) as it is
commonly understood.
In addition, board members and senior executives might
consider the following steps:
• Revisit your risk governance and oversight practices
  periodically to ensure they not only keep pace with,
  but actually anticipate, the risks your enterprise and
  industry face, and with disclosure and other regulatory
  requirements.
• Keep development of the risk governance and
  management infrastructure on the leadership agenda
  and be sure that its development is funded and
  continually progressing.
• Monitor risk-related disclosures in the proxy statements
  of peers, competitors, and market leaders (and of
  customers and suppliers) and use their practices as
  benchmarks, goals, or starting points.
• Ensure that your disclosures and other communications
  to stakeholders tell the full story of your risk oversight
  and management efforts, perhaps using Deloitte's
  considerations as one guide.
Embrace transparency for the reality that it is. If you have
first-rate risk governance and management practices,
disclose them to your stakeholders. If you do not, it is
only a matter of time before it becomes apparent to
them. Given this, the preferred course is to improve those
practices to the point where the board and management
are conducting risk oversight and risk management in ways
that the enterprise is proud to disclose.
Finally, companies should consider monitoring regulatory
developments so that the board and management remain
aware of risk-related requirements; a leader to manage this
effort would need to be selected. For example, Dodd-Frank
includes a provision that will require FSI companies with
over $10 billion in assets to have a formal, board-level risk
committee and that the committee include at least one
risk management expert having experience in identifying,
assessing, and managing risk exposures of large, complex
firms. [5] If you lead an FSI company that will meet this
requirement and the company currently does not have
such a committee, it may take time and effort to define the
structure and function of the committee and to locate and
recruit an appropriately qualified risk expert.
In sum, the work of improving risk oversight and
management is an on-going and ever-evolving process.
As the enterprise and its leaders continue this work, it is
imperative to inform investors and other stakeholders
about it.
Endnotes
[1] The S&P 200 listing was obtained from the top 200 companies, in
terms of revenue, from the S&P 500 index, as of March 1, 2011, from
www.standardandpoors.com.
[2] Securities and Exchange Commission, 17 CFR PARTS 229, 239, 240,
249 and 274, Proxy Disclosure Enhancements (http://www.sec.gov/rules/final/2009/33-9089.pdf)
[3] The SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
system performs automated handling of filings submitted by
companies to the SEC.
[4] Percentages in this column are weighted averages of those for the
four non-FSI industry groups, with counts as follows: Technology,
Media & Telecommunications = 25; Consumer & Industrial Products =
69; Healthcare Services & Government = 18; Energy & Resources = 31.
[5] Dodd-Frank Wall Street Reform and Consumer Protection Act; July 21,
2010; Section 165 Enhanced supervision and prudential standards
for nonbank financial companies supervised by the Board of Governors
and certain bank holding companies.
Contacts
Donna Epps
U.S. Co-Leader
Governance and Risk Management
Deloitte Financial Advisory Services LLP
+1 214 840 7363
Henry Ristuccia
U.S. Co-Leader
Governance and Risk Management
Deloitte & Touche LLP
+1 212 436 4244
Maureen Errity
Director
Center for Corporate Governance
Deloitte LLP
+1 212 492 3997
Michael Rossen
Senior Manager
Center for Corporate Governance
Deloitte LLP
+1 212 492 4531
This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by
means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute
for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making
any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and
related entities shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal
structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the
legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of
public accounting.
Copyright 2011 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited