Risky Business: Risk-management disclosures January 6, 2011

Born of the recent recession and post-recession obsession with risk, risk oversight and risk abatement, one of the more befuddling SEC disclosure requirements for public companies, and smaller reporting companies in particular, is the new SEC rule requiring that proxy statements contain the “risk oversight” disclosure described under Regulation S-K, Item 407(h) as follows:

Briefly describe the leadership structure of the registrant’s board, such as whether the same person serves as both principal executive officer and chairman of the board, or whether two individuals serve in those positions . . . .  This disclosure should indicate why the registrant has determined that its leadership structure is appropriate given the specific characteristics or circumstances of the registrant.  In addition, disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure. (italics added)

It is easy for officers and directors, busy with running a business operation, to react negatively or carelessly to this requirement.  For example, it is easy for companies to respond to the first part of the disclosure requirement regarding the separation of board and CEO functions, and then summarily ignore the last sentence (italicized above).  On the other end of the spectrum, some companies reactively form a “risk oversight committee,” or schedule inordinate time or entire meetings, for the purpose of reviewing risks facing the company.

Below are some simple bullet points designed to give smaller reporting companies in particular some sense of direction when considering how to respond to these requirements through policy/practice changes and preparing the actual narrative disclosures in their public filings:

  • Don’t overreact.  A public company board of directors and its committees cannot, and should not, be involved in day-to-day risk management, and similarly should not concern themselves with risks that are not material to the business.  Analysts have pointed out that the Board’s function should be risk “oversight” rather than risk “management”.  Case law relating to the fiduciary duty of care directors owe to their companies consistently supports this approach.  Enterprise risk management should focus on those risks that are likely, if they should come to pass, to adversely and materially affect key elements of success in your business.
  • The “Whos” and the “Whens”.  Think carefully about who on the board should be providing the risk oversight function.  For the risk oversight structure, it would rarely be desirable to have a chairman/CEO leading this effort (although involvement will be important).  For many companies, no new committee will be necessary – the entire board or the audit committee, whose functions already include the oversight of financial and disclosure related risk, will be an appropriate choice.  Depending on the number, nature and magnitude of risks, and the stage of development your company is in, you may reasonably decide to review risk-related matters at a board level anywhere from once per year to quarterly.
  • What are they doing?  Meetings or discussions designed to oversee risks should involve, at least in part, management personnel whose job it is to actively monitor and manage those risks.  The board should determine what management is doing about identified risks, how it may be attempting to identify additional risks, and whether actions are consistent with prior directives of the board.  In those conversations, the board should speak with a clear voice so as to effectively communicate to management its wishes, directives and concerns. The minutes of Board meetings should reflect that the Board did its job in examining the risk management process, including asking questions of management, without focusing on the details of specific questions and answers.
  • Other Resources.  Your management and board personnel may not have the experience or skills to effectively identify all material risks.  Other risks may be legal or regulatory, scientific, or accounting-based.  It is entirely appropriate to solicit from these types of professionals (most likely outside of the boardroom meeting) updates and ideas on new or developing potential risks and what, if anything, might be done.
  • Culture.  To the extent the board of directors may wish to exert influence over day-to-day risks, it would ordinarily be advisable to accomplish this through discussions with executive management designed to satisfy the board that day-to-day practices and policies, and overall messages and corporate culture, are consistent with the company’s overall risk tolerance as agreed upon by the board.
  • Don’t forget compensation.  The “compensation risk assessment” disclosure technically does not apply to smaller reporting companies.  See Regulation S-K Item 402(s).  Nevertheless, when crafting an agenda for the board or committee that oversees or will oversee enterprise risk management, compensation risk should not be ignored.  This is one area where the board itself does make direct decisions that may impact risk taking by executives and the company.

The National Association of Corporate Directors publishes reports containing suggested best practices for board oversight of risk management.  Public companies and their boards of directors may wish to refer to this resource and others, as well as their legal advisers, accountants and internal controls professionals, as they periodically revisit and re-craft the manner in which they oversee risk management.  Legal advisers should definitely be consulted in preparing proxy statement disclosures designed to comply with Regulation S-K Item 407(h).
