Are required SEC proxy disclosures about the board’s role in risk oversight substantive?
Introduction
One of the primary responsibilities of an entity’s board of directors is to oversee strategic decisions made by management to ensure that risks associated with those decisions and related management actions do not exceed the appetite for risk taking among the entity’s key stakeholders. Many principles-based governance frameworks emphasize the important role of the board of directors in risk oversight (COSO, 2004; COSO, 2010; COSO, 2013; COSO, 2017; International Organization for Standardization (ISO), 2018). And, over the past decade or so, a number of governance organizations have strengthened requirements and best-practice recommendations about processes used by boards to oversee organizational risk-taking (NYSE, 2019; U.S. Securities and Exchange Commission (SEC), 2009; Dodd-Frank, 2010; Standard and Poor’s, 2012).
One of the most visible changes in governance requirements related to board risk oversight was instituted by the U.S. Securities and Exchange Commission (SEC) in December 2009 when the SEC introduced rules requiring proxy disclosures describing the board’s role in risk oversight for all public companies whose securities are registered with the SEC (SEC, 2009). Those rules became effective for annual proxy statements issued after February 28, 2010. While the rule change required public companies to include new disclosures describing the board’s role in risk oversight, the SEC allowed each entity to determine what would be disclosed. The SEC did not mandate the nature of activities or extent of information that must be disclosed, and they did not mandate any specific measures that boards must perform as part of their risk oversight responsibility.
While the SEC’s decision implies an assumption that stakeholders may benefit from these new disclosures about the board’s role in risk oversight, we are not aware of any empirical evidence as to whether there is any information relevance in the disclosures now being provided. Because the SEC’s rules do not mandate any specific guidelines for what must be disclosed or how the board should engage in risk oversight, there is opportunity for sizable variation in the type of information disclosed by entities. Thus, despite the fact that the SEC apparently believed additional disclosures about the board’s role in risk oversight warranted its mandate, it remains uncertain from a public policy perspective as to whether the discretion allowed has led to the disclosure of information about board risk oversight that offers substantive insight into the effectiveness of the board’s risk oversight practices. It is possible that the nature of activities and extent of information provided includes little, if any, useful information about the entity’s risk governance.
Separate from this new proxy disclosure rule, some of the credit rating agencies have expanded their consideration of processes used by management and boards of directors in the oversight of strategy and risks for the organization as an input to their credit rating evaluations (Standard & Poor’s, 2008). Based on the belief that the strategic competence, operational effectiveness, and the ability to shape an enterprise’s competitiveness is important to capital markets participants and the entity’s ultimate success, Standard and Poor’s (S&P) announced in November 2012 that they would start including evaluations of an organization’s “management and governance” as one of the factors they use internally to assess the enterprise’s overall creditworthiness (S&P, 2012).
The S&P evaluation is based on consideration of 15 specific factors they believe are related to management and governance, with eight of those factors focused on management’s engagement in risk management and strategy development and oversight and with seven additional factors focused on the board, including emphasis on the engagement of the board in risk oversight. Ultimately, the assessment of all the information they separately obtain directly from the organization is used by S&P to arrive at an overall score for the entity’s combined management and governance that is summarized by S&P into one of four possible management and governance capabilities: strong, satisfactory, fair, or weak.
S&P’s evaluation of management and governance effectiveness represents a unique, independent assessment of the overall state of strategy and risk governance for the firm given that S&P has direct access to information not publicly available. While S&P would have access to the proxy disclosures, the information sources they use to make these evaluations are much more expansive and detailed. The importance of the ratings process gives S&P the ability to make a number of direct, targeted inquiries about specific management and board processes and they have access to documentation such as meeting agendas and minutes, which are typically obtained during onsite visits by S&P to the entity to observe management and boards first-hand. They also can subsequently request updates and follow-up on unresolved concerns with management after their visits. This access provides S&P a unique lens to observe and evaluate overall management and governance effectiveness using information most key stakeholders cannot obtain themselves.
It is important to note that this evaluation by S&P is not publicly available; instead, it is developed for S&P’s internal consideration as part of the credit rating process. We believe these independent evaluations made by S&P of an entity’s management and governance effectiveness provide us a unique opportunity to examine whether the public disclosures in the proxy statement convey information about the effectiveness of the organization’s risk management process, and the board’s oversight of that process. The lack of an observable positive association between a higher S&P score and the information conveyed in the proxy disclosure might suggest that the disclosure policy is not providing substantive information useful to key stakeholders.
S&P management and governance scores for non-regulated entities are not publicly available to stakeholders. We were able to obtain access to the scores for 2015. We use these scores to determine if boards that disclose more specific information (and also simply more information) about board risk oversight activities are positively associated with firms determined by S&P to have stronger overall management and governance activities. We rely on the S&P score to serve as a relevant benchmark against which we assess the information content of the proxy disclosures.
Based on a final sample of 243 public firms, we find that firms with higher S&P management and governance scores disclose more specific elements related to activities affecting the board’s risk oversight capabilities than do firms with lower scores. We refer to this as providing more specific information about their risk oversight processes. Further analysis reveals that firms with the highest S&P management and governance scores (i.e., strong) also provide more extensive disclosures (based on word count) and they provide more specific information about particular board risk oversight processes (based on the number and types of board risk activities) to highlight higher quality board risk oversight. When we include both disclosure measures together, we observe that only our measure for the specificity of the disclosure is significant, which implies that this is the driver of the observed positive association. Our findings suggest that firms with the strongest assessed level of management and governance use the flexibility provided by the SEC’s disclosure rules to provide more specific information about board risk oversight to distinguish themselves from firms with less effective management and governance. From a public policy perspective, our findings suggest that the SEC’s decision to not dictate the specific items about board risk oversight to be disclosed actually provides an opportunity for more effective management and governance firms to share relevant information with stakeholders in a way that is different from firms with less robust board risk oversight. Thus, stakeholders may find substantive information content in the specifics provided about board risk oversight in the annual proxy statements to shareholders.
Our research contributes to the risk management literature by examining required disclosures concerning the board’s oversight of risk by quantifying elements of the proxy disclosures and comparing them to contemporaneous independent, private rankings about management and governance, while controlling for the riskiness of the firm. This should provide evidence for stakeholders, including the SEC, to determine if the disclosure rules about board risk oversight are providing useful information.
Increasing focus on board risk oversight
To assist entity leaders – both management and boards – in determining what might constitute an effective enterprise risk management process, COSO issued in 2004 its Enterprise Risk Management–Integrated Framework to provide guidance about the key elements of an effective, top-down, enterprise-wide approach to risk management, which they revised in 2017 and retitled Enterprise Risk Management: Integrating with Strategy and Performance. In both editions of their framework, COSO emphasizes the
Evaluations of management and governance effectiveness
In 2008, credit rating agencies, such as S&P, began to announce expanded consideration of the processes used by management and the board in the oversight of risks for organizations as a component of their credit rating evaluations for those in non-regulated industries (S&P, 2008).
Information relevance of proxy disclosures
Prior literature has identified certain characteristics of management and boards as being related to the implementation of more effective enterprise-wide risk management (hereinafter referred to as ERM). Liebenberg and Hoyt (2003) first attempted to identify the determinants of ERM adoption, finding the appointment of a Chief Risk Officer (CRO), charged with the responsibility of implementing and managing the ERM program, as a mechanism to reduce information asymmetry regarding the firm’s
Methodology
We use the privately determined S&P overall management and governance score to evaluate whether there is any substantive information content in the proxy disclosures about the board’s role in risk oversight. We examine whether there is a positive association between the nature of activities and extent of board risk oversight disclosures that are provided publicly by the entity in the proxy statement with S&P’s management and governance score.
We obtained access to the final S&P management and
Key findings
We provide in Table 3 descriptive statistics for the overall risk oversight measures (BdRiskActivities and BdRiskDisclosureVol), each of the 11 components of BdRiskActivities, and the control variables. Results are shown separately for the 81 firms within each of the three S&P management and governance categories: strong, satisfactory, and fair. On average, firms with strong management and governance scores disclose 4.62 of the 11 board risk oversight elements in their proxy statements as
Discussion and conclusions
We investigate whether the discretion provided by the SEC with respect to the nature of activities and extent of information firms may disclose about their board risk oversight processes differs for firms deemed to have more effective management and governance activities. Beginning in 2010, the U.S. Securities and Exchange Commission (SEC) has required enhanced disclosures regarding board risk oversight processes. However, this rule does not mandate any specific tasks to be performed by the