August 11, 2010
Corporate Responsibility Alert
Author(s): John C. Partigan
Our most recent alert explores the legal framework for risk oversight by the board of directors, the pros and cons of establishing stand-alone risk committees, and how a risk committee can be best configured to avoid duplication of efforts and ensure its maximum effectiveness.
An emerging trend among public companies and some private companies has been the formation of stand-alone risk committees of the board of directors. While most of these are in the financial services or insurance industry, an increasing number of public companies in other industries have been instituting risk committees.[1] In addition, the recently enacted Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) requires publicly traded bank holding companies with total consolidated assets of $10 billion or more, as well as certain nonbank financial companies supervised by the Board of Governors of the Federal Reserve System, to establish stand-alone risk committees of the board of directors.[2]
The purpose of this article is to explore the general legal framework for risk oversight by the board of directors, the pros and cons of establishing a stand-alone risk committee, and to suggest how a risk committee can be configured to ensure its maximum effectiveness.
Legal framework for risk oversight by boards of directors
One of the duties of the board of directors of a Delaware corporation is to provide oversight of the company’s risk management.[3] Additional risk oversight and related disclosure obligations arise under the federal securities laws and applicable stock exchange listing standards.
The Delaware courts have held that the board’s fiduciary duties include a duty to attempt in good faith to oversee and monitor the operation of the company’s reporting or information systems designed to identify risks, including violations of laws or regulations.[4] The board is subject to liability for a failure in such oversight and monitoring where there is “a sustained or systematic failure to exercise oversight” or “[a]n utter failure to attempt to ensure a reporting and information system [has been implemented].”[5] The Delaware courts have recently reiterated that while this duty exists, a plaintiff faces an extremely high burden in bringing a claim for director liability for failure to monitor the company’s risks.[6] Companies should nonetheless implement appropriate risk reporting and monitoring systems, and review those systems on a regular basis, to avoid the possibility of director liability under this line of cases.
Additional risk management responsibilities were imposed on boards with the passage of the Sarbanes-Oxley Act of 2002. These responsibilities relate, in part, to the establishment and monitoring of policies and procedures for the preparation of the company’s financial statements and the reports that it files with the SEC. One major change that related directly to risk management was the requirement that the company disclose any material weakness in its internal control over financial reporting. Another important change was the requirement that the principal executive officer and principal financial officer of each public company certify as to the effectiveness of the company’s internal controls. A commonly used framework for establishing and monitoring these internal controls is the “Enterprise Risk Management–Integrated Framework,” released by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), which builds on COSO’s earlier internal control framework and extends it to enterprise-wide risk.[7] Under the COSO Integrated Framework, the company’s goal is to develop policies and procedures that will not only allow the company to make the required internal control disclosures and its officers to make the required certifications, but will also strengthen the company’s overall enterprise risk management.[8]
The SEC has long required public companies to disclose the most significant risks relating to the ownership of the company’s securities.[9] In addition, most public companies are required to disclose a qualitative and quantitative analysis of exposures to market risk.[10] The SEC recently added a number of required proxy disclosures that touch upon risk, and thus require a company to evaluate those risks. First, many public companies now include a narrative disclosure of the company’s compensation policies and practices as they relate to the company’s risk management practices.[11] This requires a disclosure of the company’s policies and practices of compensating its employees and management as they relate to risk, to the extent that risks arising from these compensation policies are reasonably likely to have a material adverse effect on the company. While not required, many companies disclose risk-related compensation policies even where those policies would not likely result in a material adverse effect.[12] Second, most public companies are required to disclose the extent of the board’s role in risk oversight, such as how the board administers that oversight function and the effect that this has on the board’s leadership structure.[13] This disclosure is intended to provide investors with information on how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks of the company.[14]
In addition, the New York Stock Exchange (“NYSE”) corporate governance rules require audit committees of listed companies to perform certain risk oversight duties.[15] A listed company’s audit committee is required to discuss policies with respect to risk assessment and risk management.[16] The commentary to the rules provides that while it is management’s responsibility to assess and manage risks, the audit committee must discuss the guidelines and policies that govern the process by which that assessment and management is handled.[17] The audit committee need not be the sole body responsible for oversight of risk assessment and risk management, but it must still discuss the guidelines and policies governing the process by which those activities are undertaken. These rules therefore do not preclude the formation of a separate risk committee, as long as the risk committee’s oversight process is reviewed by the audit committee and the audit committee continues to perform the duties required by the NYSE rules.
While a number of public and some private companies have already formed risk committees, the Dodd-Frank Act has created the first U.S. statutory requirement to form a risk committee.[18] Under the Dodd-Frank Act, the Board of Governors of the Federal Reserve System has been directed to issue regulations requiring each publicly traded bank holding company with total consolidated assets of $10 billion or more, as well as each nonbank financial company supervised by the Board of Governors, to establish a risk committee. In addition, the Dodd-Frank Act gives the Board of Governors latitude to issue regulations that would require smaller bank holding companies to institute risk committees. The risk committee will be responsible for oversight of the enterprise-wide risk management practices of the company. Similar to the concept of an “audit committee financial expert” for audit committees,[19] such a risk committee must have at least one risk management expert with experience identifying, assessing, and managing risk exposures of large, complex firms. Furthermore, the Board of Governors was directed to establish independence requirements for the members of the risk committee.
In addition to the Dodd-Frank Act, at least two other bills have been introduced in Congress that would impose even stricter risk management requirements upon boards of directors, including one that would require all public companies to establish a risk committee comprised entirely of independent directors.[20] Public companies are also likely to see more frequent shareholder action pertaining to risk management. Until recently, a company could exclude shareholder proposals relating to risk on the theory that risk was an ordinary business matter. In late 2009, the SEC staff released a legal bulletin clarifying that the staff will no longer routinely permit exclusion of shareholder proposals relating to risk where the proposal raises significant policy issues and there is a sufficient nexus between the nature of the proposal and the company.[21] The staff also stated in the legal bulletin that “we note that there is widespread recognition that the board’s role in the oversight of a company’s management of risk is a significant policy matter regarding the governance of the corporation.”[22]
The role of risk committees
As noted above, it is the responsibility of the board of directors to provide oversight of the company’s risk management systems. A risk committee would not supplant the oversight role of the board of directors; rather, the creation of a risk committee is a means of assisting the board in exercising those duties.
Risk management can mean different things to different companies. For some companies, risk management means taking only measured and informed risks in order to avoid loss. For others, it means creating policies that encourage the company to take enough risks to create additional value, but not so much risk that the company loses value. The goals of the company’s risk management may color its risk management policies, whether it forms a risk committee, and the duties of that risk committee.
Certain possible duties of a stand-alone risk committee, especially for non-financial services companies, may include:
Potential benefits and drawbacks of risk committees
When a board is evaluating risk management issues, one point to consider is whether the board should form a separate committee devoted to risk. There is no “one size fits all” approach to risk management, and the methods by which a company assesses, manages, and oversees its risks can differ from company to company. Where a risk committee is not mandated by the Dodd-Frank Act or by other laws or listing standards that may be adopted in the future, a company may make this decision based on numerous considerations, including the level of overall operational risk and the complexity of managing those risks, the company’s appetite for risk and its ability to tolerate losses, whether the company is engaging in riskier and more aggressive strategies to increase shareholder value, the company’s growth strategy, and whether the company is seeking to improve its credit rating.[23]
A number of considerations could lead the board to conclude that a separate risk committee should be established. While the list below is not exhaustive, some important benefits of having a stand-alone risk committee may include the following:
On the other hand, there may be drawbacks to having a stand-alone risk committee:
Interplay between risk committees, the board, and management
If the board of directors determines to establish a separate risk committee, one of the key considerations for counsel establishing the committee structure and charter will be ensuring that the risk committee functions properly within the context of the rest of the board and management, and that its duties do not significantly overlap with those of the other board committees. The following considerations bear on the construction of a risk committee:
What is best for your company?
Given the increased focus on risk in many public companies, and the likelihood that this trend will continue as a result of recent legislative changes and administrative actions, directors and their counsel should consider the need for and potential benefits of establishing a stand-alone risk committee. They should weigh both the potential benefits and the concerns before deciding to create a risk committee. If they decide that a risk committee may be beneficial, the structure, role, and activities of the committee should be carefully considered, in view of the legal framework for risk oversight by the board of directors and the potentially overlapping responsibilities of the audit and compensation committees, in order to maximize its effectiveness.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.