risk intelligent proxy disclosures 2011

Upload: kristian-van-tuil

Post on 07-Apr-2018

  • 8/3/2019 Risk Intelligent Proxy Disclosures 2011

    1/10

    Risk Intelligent proxy disclosures 2011: Have risk-oversight practices improved?

    In 2010, Deloitte analyzed risk-related disclosures in proxy statements issued by S&P 500 companies. Our goal was to identify risk governance and oversight practices in light of the Securities and Exchange Commission's (SEC) proxy disclosure rules that went into effect on February 28, 2010. This year we conducted a similar analysis to assess the state of disclosures and the extent of any progress, and we found evidence of steady and encouraging evolution.

    In 2011, we made several modifications to sharpen the focus of the analysis. We again focused on risk governance and oversight practices at the board level, as disclosed in proxy statements filed by S&P organizations. But this year we limited our review to the proxy statements of the S&P 200.[1] Also, rather than 20 considerations, we focused on 12 matters most often indicated as areas of interest by board members and executives in client interactions with Deloitte (as we explain below).

    This document reports the results of this year's analysis and identifies trends we found in risk-oversight practices at the more than 150 companies whose proxy statements we reviewed in each of the two years.

    The significance of risk-related disclosures

    Deloitte initiated this analysis to gauge companies' responses to the 2009 SEC requirements regarding risk disclosures in proxy statements. Those requirements aimed to enhance disclosure by companies to investors and other stakeholders regarding board-level, risk-oversight practices.

    Analyzing risk-related disclosures in proxy statements provides a window into risk oversight and, perhaps, risk management practices, at least as disclosed. Deloitte's analysis views the proxy statements as an investor or other stakeholder would, to evaluate each company's risk governance and oversight practices.

    As in 2010, the considerations for which we analyzed the proxy statements reflected the intent of the SEC's amended rules and the tenets of the Risk Intelligent Enterprise™ (see Exhibit 1). The latter, Deloitte's philosophy of and approach to risk, embodies sound principles and practices of risk management, governance, and oversight at the board and executive levels and throughout the organization. Deloitte developed the concept of the Risk Intelligent Enterprise to promulgate excellence in risk governance by boards and in risk management by executives.

    The considerations we used in our review of proxy statements (see Exhibit 2) enabled us to ascertain to a reasonable extent whether the organization employs certain Risk Intelligent practices. For instance, designating individuals and committees as being responsible for risk, aligning risk management with corporate strategy, and having the board oversee the corporate culture are practices associated with the Risk Intelligent Enterprise. Practices covered in considerations also came from the SEC's amended rules, which, for example, require companies to describe the board's role in the oversight of risk.[2]

    Exhibit 1. The Risk Intelligent Enterprise

    [Figure: three tiers under "Tone at the top": Board of Directors (responsible for risk oversight); Executive Management (responsible for risk infrastructure); Business Units and Supporting Functions (responsible for specific risk ownership and management). Other labels in the figure: People, Process, Technology; Risk management activities; Risk classes.]

    What we did

    To focus on the ways in which boards and management structure and execute their risk oversight and management roles and responsibilities, Deloitte identified specific considerations to be used in its analysis. These considerations can be phrased as questions and answered "yes" or "no" based on the presence or absence of specific wording and facts in the risk oversight disclosures. If, upon inspection of a company's disclosure, the reviewer can answer a question "yes," that consideration has been satisfied, or if the answer is "no," it has not been. This approach employs objective criteria which can be readily ascertained in the disclosures.

    In this second year of this review, we can also compare year-to-year trends for those S&P 200 companies that were included in both the 2010 and 2011 analysis (see Methodology sidebar).

    Deloitte accepts the disclosures at face value. Thus, a company may indeed have aligned its risk oversight with its business strategy, or its board may somehow be involved in discussing and approving the risk appetite, but it may have omitted those facts in its proxy disclosures. By the same token, a company may have indicated that it has aligned risk oversight with its business strategy or that it involved the board in discussing and approving the risk appetite of the organization, but may actually have failed to do so.

    Methodology

    As follow-up to its 2010 review of risk-related disclosures in corporate proxy statements, in 2011 Deloitte analyzed the risk disclosures of 170 proxy statements filed by S&P 200 companies between January 1, 2011 and May 31, 2011. The SEC website, specifically the EDGAR[3] platform, was our primary source of proxy statements. We limited the analysis to the information included within the "board's role in risk oversight" (or similar) section or paragraphs of the proxy statement. If the statement did not include such a section, we used the "board leadership" or "board structure" paragraphs within the proxy statement for our analysis. If we could not identify the risk disclosure within these two sections, we assigned "no" classification to the considerations even though a consideration may have been included elsewhere in the proxy statement. (See Exhibits 2 and 3 for the 12 considerations Deloitte used.) The goal of our analysis was to determine whether specific aspects of board-level risk oversight and senior executive-level risk management ("considerations") were covered in the organization's proxy disclosure.

    Of the 170 companies whose proxy statements were reviewed in 2011, 154 were also reviewed in 2010. That sample of 154 companies forms the basis of the year-to-year trend comparisons. (The 2010 review of the S&P 500 included companies that issued proxy statements from February 28, 2010 through July 1, 2010.)

    Key findings

    Given that 2010 was the first year of this analysis, last year we reported the results without comparative data. This year, we can compare disclosures from year-to-year. To make this comparison as precise as possible, we compare the results of the 154 S&P 200 companies that appeared in both years' sample.

    First, in Exhibit 2, we present the findings of the 170 companies of the S&P 200 that issued proxy disclosures between January 1, 2011 and May 31, 2011. In Exhibit 3, we show key trends in practices as evidenced in the considerations among the 154 companies in both the 2010 and 2011 samples.

    In presenting the data for 2011 (Exhibit 2), we show the financial services industry (FSI) companies separately from those in the other four industry groups (Technology, Media & Telecommunications; Consumer & Industrial Products; Healthcare Services & Government; and Energy & Resources), which we aggregate into the "All Others" category. We do this because FSI companies' risk oversight and management practices tend to be more developed in certain areas, due to the nature of their business and the risks they face. In addition, FSI risk management practices are changing rapidly as the regulatory climate evolves in light of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), the Basel Accords, and other regulatory developments.

    Exhibit 2: Benchmark finding: Deloitte's risk proxy disclosure considerations (entire sample, 2011)

    Values are the percentage of companies receiving a "yes" response.

    | Consideration | S&P 200 (170) | FSI (27) | S&P All Others[4] (143) |
    |---|---|---|---|
    | 1. Does the disclosure note that the full board is responsible for risk? | 90% | 89% | 90% |
    | 2. Is the audit committee noted as the primary committee responsible for risk? | 64 | 48 | 66 |
    | 3. Are other board committees noted as being involved in risk oversight? | 89 | 78 | 91 |
    | 4. Is the compensation committee disclosed as being responsible for overseeing risk in the compensation plans? | 62 | 52 | 64 |
    | 5. Does the company have a separate board risk committee? | 6 | 33 | 1 |
    | 6. Does the company disclose whether risk oversight/management are aligned with the company's strategy? | 47 | 41 | 48 |
    | 7. Does the disclosure note whether the chief executive officer (CEO) is responsible for risk management or how the CEO is involved? | 35 | 44 | 34 |
    | 8. Does the company have a chief risk officer (CRO)? | 21 | 63 | 13 |
    | 9. Does the company have a risk management committee (at the management level)? | 23 | 33 | 21 |
    | 10. Does the disclosure note how the board is involved with regard to the company's risk appetite? | 11 | 26 | 8 |
    | 11. Does the disclosure note the board's oversight with regard to corporate culture? | 7 | 19 | 5 |
    | 12. Does the disclosure separately address reputational risk? | 25 | 37 | 22 |

    In the entire sample, more than 50 percent of the companies disclose using the first four practices, which focus on the board governance structure and the allocation of oversight responsibilities among the board and its committees. Also, almost half (47 percent) disclose whether risk oversight/management are aligned with the company's strategy, an important but often overlooked practice.

    Certain differences between companies in the FSI sample and other industries are noteworthy:

    • A smaller percentage of FSI companies (versus non-FSI companies) disclose that the audit committee is primarily responsible for risk, that the compensation committee is responsible for overseeing risk in compensation plans, and that risk oversight/management are aligned with the company's strategy (considerations #2, #4, #6).

    • However, compared with their non-FSI counterparts, a much larger percentage of FSI companies have a separate board risk committee and a chief risk officer. This may in part explain, for example, the lower percentage of audit committees and compensation committees being responsible for risk, as noted in the above bullet (considerations #5, #8).

    • A much larger percentage of FSI companies disclose how the board is involved with regard to the company's risk appetite (consideration #10).

    • A greater percentage of FSI companies disclose how the board is involved with regard to corporate culture (consideration #11).

    On the latter two points, FSI companies may be harbingers of future developments at non-FSI companies. Board involvement in risk appetite (in guiding management to develop parameters around the amount of risk that is appropriate for the organization and periodically reviewing it) and the board's role with regard to fostering a corporate culture in which risk thinking is embedded in decision-making, are key considerations.

    Such involvement indicates a board exercising oversight rather than simply approving management's chosen courses of action. Boards benefit their organizations and stakeholders by being involved in the risk appetite and corporate culture and in otherwise setting the tone at the top.

    Again, to make the year-to-year comparison as meaningful as possible, we present the data for the 154 S&P 200 companies that were in the sample in both years.

    Exhibit 3: S&P 200 trend analysis: 2011 vs. 2010

    Values are the percentage of companies receiving a "yes" response.

    | Consideration | S&P 200 (2010) | S&P 200 (2011) | S&P +/- in 2011 (percentage points) |
    |---|---|---|---|
    | 1. Does the disclosure note that the full board is responsible for risk? | 88% | 89% | +1 |
    | 2. Is the audit committee noted as the primary committee responsible for risk? | 65 | 64 | -1 |
    | 3. Are other board committees noted as being involved in risk oversight? | 82 | 88 | +6 |
    | 4. Is the compensation committee disclosed as being responsible for overseeing risk in the compensation plans? | 52 | 58 | +6 |
    | 5. Does the company have a separate board risk committee? | 5 | 6 | +1 |
    | 6. Does the company disclose whether risk oversight/management are aligned with the company's strategy? | 39 | 45 | +6 |
    | 7. Does the disclosure note whether the chief executive officer (CEO) is responsible for risk management or how the CEO is involved? | 28 | 34 | +6 |
    | 8. Does the company have a chief risk officer (CRO)? | 20 | 22 | +2 |
    | 9. Does the company have a risk management committee (at the management level)? | 23 | 25 | +2 |
    | 10. Does the disclosure note how the board is involved with regard to the company's risk appetite? | 8 | 11 | +3 |
    | 11. Does the disclosure note the board's oversight with regard to corporate culture? | 6 | 8 | +2 |
    | 12. Does the disclosure separately address reputational risk? | 24 | 27 | +3 |

    The overall year-to-year trend is positive on every consideration except one (consideration #2). The slight decrease in companies disclosing the audit committee as being primarily responsible for risk oversight could be due to a shift from the audit committee being primarily responsible for risk, to the redefinition of how the other board committees may assume responsibility for oversight of certain risks. This practice results in additional board members and/or other board-level committees engaging in risk oversight, with the full board ultimately remaining accountable for risk oversight.

    The overall positive trend indicates that companies are either maintaining or increasing their attention to practices regarding risk oversight or maintaining or increasing their disclosure of those practices (or both). We expect that few, if any, companies are reducing their attention or disclosure in these areas.

    To cite specifics:

    • More companies (an increase of 6 percent) disclosed that board committees other than the audit committee are involved in risk oversight (consideration #3).

    • More companies (an increase of 6 percent) disclosed that the compensation committee is responsible for overseeing risk in compensation plans (consideration #4).

    • More companies (an increase of 6 percent) disclosed whether risk oversight/management are aligned with the company's strategy (consideration #6).

    • More companies (an increase of 3 percent) disclosed how the board is involved with regard to the company's risk appetite (consideration #10).

    These findings indicate a steady evolution of board risk-oversight practices in major corporations over the past year. It's natural that change in large organizations would occur in a steady fashion. Boards and executives are feeling their way forward in the new landscape, as are regulators.

    This evolution should lead not only to increased disclosure but to improved practices. In the Risk Intelligent Enterprise, the two go hand-in-hand. Increased disclosure increases board and management attention to the practices being disclosed. Some leadership teams will respond faster than others. Yet most will eventually respond positively to stakeholders' increasing awareness of risk oversight and management practices and, by extension, stakeholders' awareness of leaders' ability to manage risk.

    Case in point

    To take one example, it's heartening to see that more companies are disclosing whether risk oversight and management are aligned with the company's strategy. This is a foundational element in the Risk Intelligent Enterprise. When corporate leaders consider the alignment between risk-related practices and their strategies for value-creation, they are practicing Risk Intelligence.

    Specific language in the proxy statements we reviewed speaks to board members' and executives' awareness of the need to consider risk when considering strategy, as the following quotes demonstrate:

    "At least annually, the board of directors discusses with management the appropriate level of risk relative to our corporate strategy and business objectives and reviews with management our existing risk management processes and their effectiveness."

    "The involvement of the board in setting our business strategy is critical to the determination of the types and appropriate levels of risk undertaken by the company."

    "[The Company] engages in numerous activities seeking to align its voluntary risk-taking with company strategy, and understands that its projects and processes may enhance the company's business interests by encouraging innovation and appropriate levels of risk-taking."

    When companies consider the alignment between risk oversight/management and strategy, they often find that a Risk Intelligent approach calls for examining not only the risks to the strategy but the risks of the strategy. Most leadership teams consider the former but neglect the latter. The risks of a strategy can be more difficult to discern without the objectivity that a board engaged in risk oversight can bring to the table. In that way Risk Intelligence and board risk oversight open up new ways of thinking about risk.

    What can you do?

    While it's essential that board members and executives be seriously engaged in risk oversight and risk management, it is also important to tell the story of that engagement. Risk-related disclosures in proxy statements are one important vehicle for doing this.

    When it comes to these disclosures and other regulatory developments, Deloitte recommends that leaders go beyond minimum requirements imposed by regulation and truly embrace risk governance and oversight. This includes management welcoming external viewpoints and challenging established approaches. Management should view risk oversight and risk management as integral to planning and implementing strategies that create value, grow the business, and benefit stakeholders.

    It also means that board members should continually educate themselves and senior executives about risk management and risk oversight, ensure that a strong risk governance infrastructure is in place (with appropriate committees, expertise, systems, and metrics), and understand that risk management involves more than enterprise risk management (ERM) as it is commonly understood.

    In addition, board members and senior executives might consider the following steps:

    • Revisit your risk governance and oversight practices periodically to ensure they not only keep pace with, but actually anticipate, the risks your enterprise and industry face, and with disclosure and other regulatory requirements.

    • Keep development of the risk governance and management infrastructure on the leadership agenda and be sure that its development is funded and continually progressing.

    • Monitor risk-related disclosures in the proxy statements of peers, competitors, and market leaders (and of customers and suppliers) and use their practices as benchmarks, goals, or starting points.

    • Ensure that your disclosures and other communications to stakeholders tell the full story of your risk oversight and management efforts, perhaps using Deloitte's considerations as one guide.

    Embrace transparency for the reality that it is. If you have first-rate risk governance and management practices, disclose them to your stakeholders. If you do not, it is only a matter of time before it becomes apparent to them. Given this, the preferred course is to improve those practices to the point where the board and management are conducting risk oversight and risk management in ways that the enterprise is proud to disclose.

    Finally, companies should consider monitoring regulatory developments so that the board and management remain aware of risk-related requirements; a leader to manage this effort would need to be selected. For example, Dodd-Frank includes a provision that will require FSI companies with over $10 billion in assets to have a formal, board-level risk committee and that the committee include at least one risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.[5] If you lead an FSI company that will meet this requirement and the company currently does not have such a committee, it may take time and effort to define the structure and function of the committee and to locate and recruit an appropriately qualified risk expert.

    In sum, the work of improving risk oversight and management is an on-going and ever-evolving process. As the enterprise and its leaders continue this work, it is imperative to inform investors and other stakeholders about it.

    Endnotes

    [1] The S&P 200 listing was obtained from the top 200 companies, in terms of revenue, from the S&P 500 index, as of March 1, 2011, from www.standardandpoors.com.

    [2] Securities and Exchange Commission, 17 CFR PARTS 229, 239, 240, 249 and 274, Proxy Disclosure Enhancements (http://www.sec.gov/rules/final/2009/33-9089.pdf)

    [3] The SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system performs automated handling of filings submitted by companies to the SEC.

    [4] Percentages in this column are weighted averages of those for the four non-FSI industry groups, with counts as follows: Technology, Media & Telecommunications = 25; Consumer & Industrial Products = 69; Healthcare Services & Government = 18; Energy & Resources = 31.

    [5] Dodd-Frank Wall Street Reform and Consumer Protection Act; July 21, 2010; Section 165, Enhanced supervision and prudential standards for nonbank financial companies supervised by the Board of Governors and certain bank holding companies.

    Contacts

    Donna Epps
    U.S. Co-Leader
    Governance and Risk Management
    Deloitte Financial Advisory Services LLP
    +1 214 840 7363

    Henry Ristuccia
    U.S. Co-Leader
    Governance and Risk Management
    Deloitte & Touche LLP
    +1 212 436 4244

    Maureen Errity
    Director
    Center for Corporate Governance
    Deloitte LLP
    +1 212 492 3997

    Michael Rossen
    Senior Manager
    Center for Corporate Governance
    Deloitte LLP
    +1 212 492 4531

    This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

    About Deloitte

    Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

    Copyright 2011 Deloitte Development LLC. All rights reserved.

    Member of Deloitte Touche Tohmatsu Limited