Are required SEC proxy disclosures about the board’s role in risk oversight substantive?

https://doi.org/10.1016/j.jaccpubpol.2020.106816

Highlights

  • Required proxy disclosures about the board’s role in risk oversight provide substantive information about the quality of an entity’s management and governance.

  • Boards of entities with higher quality management and governance engage in more specific activities related to board risk oversight than other boards.

  • Boards more engaged in risk oversight are able to use the discretion provided by the SEC’s disclosure rule to provide substantive and potentially value-relevant information for stakeholders about the entity’s risk management processes and board risk oversight activities.

  • Boards more engaged in risk oversight are more likely to receive regular reports from management about the top risks facing the entity than other boards.

Abstract

The U.S. Securities and Exchange Commission (SEC) requires companies it regulates to include disclosures about the board’s role in risk oversight in the annual proxy statement to shareholders. The SEC does not mandate specific content or actions that boards should perform as part of their risk oversight responsibilities, leaving the nature of activities and extent of those disclosures to the discretion of the reporting entity. This study examines whether these disclosures contain substantive information reflective of the effectiveness of the organization’s risk oversight. We find that organizations disclosing more specific information (but not simply more information) about board risk oversight practices are associated with firms independently assessed as having the strongest management and governance processes. These findings suggest that these firms use the discretion provided by the SEC’s disclosure rule to provide substantive and potentially value-relevant information for stakeholders about the entity’s risk management processes and board risk oversight activities.

Introduction

One of the primary responsibilities of an entity’s board of directors is to oversee strategic decisions made by management to ensure that risks associated with those decisions and related management actions do not exceed the appetite for risk taking among the entity’s key stakeholders. Many principles-based governance frameworks emphasize the important role of the board of directors in risk oversight (COSO, 2004, COSO, 2010, COSO, 2013, COSO, 2017, International Organization for Standardization (ISO), 2018). And, over the past decade or so, a number of governance organizations have strengthened requirements and best-practice recommendations about processes used by boards to oversee organizational risk-taking (NYSE, 2019, U.S. Securities and Exchange Commission (SEC), 2009, Dodd-Frank, 2010, Standard and Poor’s, 2012).

One of the most visible changes in governance requirements related to board risk oversight was instituted by the U.S. Securities and Exchange Commission (SEC) in December 2009 when the SEC introduced rules requiring proxy disclosures describing the board’s role in risk oversight for all public companies whose securities are registered with the SEC (SEC, 2009). Those rules became effective for annual proxy statements issued after February 28, 2010. While the rule change required public companies to include new disclosures describing the board’s role in risk oversight, the SEC allowed each entity to determine what would be disclosed. The SEC did not mandate the nature of activities or extent of information that must be disclosed, and they did not mandate any specific measures that boards must perform as part of their risk oversight responsibility.

While there is an implied assumption by the SEC’s decision that stakeholders may benefit from these new disclosures about the board’s role in risk oversight, we are not aware of any empirical evidence as to whether there is any information relevance in the disclosures now being provided. Because the SEC’s rules do not mandate any specific guidelines for what must be disclosed or how the board should engage in risk oversight, there is opportunity for sizable variation in the type of information disclosed by entities. Thus, despite the fact that the SEC apparently believed additional disclosures about the board’s role in risk oversight warranted its mandate, it remains uncertain from a public policy perspective as to whether the discretion allowed has led to the disclosure of information about board risk oversight that sheds substantive insights about the effectiveness of the board’s risk oversight practices. It is possible that the nature of activities and extent of information provided includes little, if any, useful information about the entity’s risk governance.

Separate from this new proxy disclosure rule, some of the credit rating agencies have expanded their consideration of processes used by management and boards of directors in the oversight of strategy and risks for the organization as an input to their credit rating evaluations (Standard & Poor’s, 2008). Based on the belief that the strategic competence, operational effectiveness, and the ability to shape an enterprise’s competitiveness is important to capital markets participants and the entity’s ultimate success, Standard and Poor’s (S&P) announced in November 2012 that they would start including evaluations of an organization’s “management and governance” as one of the factors they use internally to assess the enterprise’s overall creditworthiness (S&P, 2012).

The S&P evaluation is based on consideration of 15 specific factors they believe are related to management and governance, with eight of those factors focused on management’s engagement in risk management and strategy development and oversight and with seven additional factors focused on the board, including emphasis on the engagement of the board in risk oversight. Ultimately, the assessment of all the information they separately obtain directly from the organization is used by S&P to arrive at an overall score for the entity’s combined management and governance that is summarized by S&P into one of four possible management and governance capabilities: strong, satisfactory, fair, or weak.

S&P’s evaluation of management and governance effectiveness represents a unique, independent assessment of the overall state of strategy and risk governance for the firm given that S&P has direct access to information not publicly available. While S&P would have access to the proxy disclosures, the information sources they use to make these evaluations are much more expansive and detailed. The importance of the ratings process gives S&P the ability to make a number of direct, targeted inquiries about specific management and board processes and they have access to documentation such as meeting agendas and minutes, which are typically obtained during onsite visits by S&P to the entity to observe management and boards first-hand. They also can subsequently request updates and follow-up on unresolved concerns with management after their visits. This access provides S&P a unique lens to observe and evaluate overall management and governance effectiveness using information most key stakeholders cannot obtain themselves.

It is important to note that this evaluation by S&P is not publicly available; instead, it is developed for S&P’s internal consideration as part of the credit rating process. We believe these independent evaluations made by S&P of an entity’s management and governance effectiveness provide us a unique opportunity to examine whether the public disclosures in the proxy statement convey information about the effectiveness of the organization’s risk management process, and the board’s oversight of that process. The lack of an observable positive association between a higher S&P score and the information conveyed in the proxy disclosure might suggest that the disclosure policy is not providing substantive information useful to key stakeholders.

S&P management and governance scores for non-regulated entities are not publicly available to stakeholders. We were able to obtain access to the scores for 2015. We use these scores to determine if boards that disclose more specific information (and also simply more information) about board risk oversight activities are positively associated with firms determined by S&P to have stronger overall management and governance activities. We rely on the S&P score to serve as a relevant benchmark against which we assess the information content of the proxy disclosures.

Based on a final sample of 243 public firms, we find that firms with higher S&P management and governance scores disclose more specific elements related to activities affecting the board’s risk oversight capabilities than do firms with lower scores. We refer to this as providing more specific information about their risk oversight processes. Further analysis reveals that firms with the highest S&P management and governance scores (i.e., strong) also provide more extensive disclosures (based on word count) and they provide more specific information about particular board risk oversight processes (based on the number and types of board risk activities) to highlight higher quality board risk oversight. When we include both disclosure measures together, we observe that only our measure for the specificity of the disclosure is significant, which implies that this is the driver of the observed positive association. Our findings suggest that firms with the strongest assessed level of management and governance use the flexibility provided by the SEC’s disclosure rules to provide more specific information about board risk oversight to distinguish themselves from firms with less effective management and governance. From a public policy perspective, our findings suggest that the SEC’s decision to not dictate the specific items about board risk oversight to be disclosed actually provides an opportunity for more effective management and governance firms to share relevant information to stakeholders in a way that is different from firms with less robust board risk oversight. Thus, stakeholders may find substantive information content in the specifics provided about board risk oversight in the annual proxy statements to shareholders.

Our research contributes to the risk management literature by examining required disclosures concerning the board’s oversight of risk by quantifying elements of the proxy disclosures and comparing them to contemporaneous independent, private rankings about management and governance, while controlling for the riskiness of the firm. This should provide evidence for stakeholders, including the SEC, to determine if the disclosure rules about board risk oversight are providing useful information.

Section snippets

Increasing focus on board risk oversight

To assist entity leaders – both management and boards – in determining what might constitute an effective enterprise risk management process, COSO issued in 2004 its Enterprise Risk Management–Integrated Framework to provide guidance about the key elements of an effective, top-down, enterprise-wide approach to risk management, which they revised in 2017 and retitled Enterprise Risk Management: Integrating with Strategy and Performance. In both editions of their framework, COSO emphasizes the

Evaluations of management and governance effectiveness

In 2008, credit rating agencies, such as S&P, began to announce expanded consideration of the processes used by management and the board in the oversight of risks for organizations as a component of their credit rating evaluations for those in non-regulated industries (S&P, 2008).

Information relevance of proxy disclosures

Prior literature has identified certain characteristics of management and boards as being related to the implementation of more effective enterprise-wide risk management (hereinafter referred to as ERM). Liebenberg and Hoyt (2003) first attempted to identify the determinants of the ERM adoption finding the appointment of a Chief Risk Officer (CRO), charged with the responsibility of implementing and managing the ERM program, as a mechanism to reduce information asymmetry regarding the firm’s

Methodology

We use the privately determined S&P overall management and governance score to evaluate whether there is any substantive information content in the proxy disclosures about the board’s role in risk oversight. We examine whether there is a positive association between the nature of activities and extent of board risk oversight disclosures that are provided publicly by the entity in the proxy statement with S&P’s management and governance score.

We obtained access to the final S&P management and

Key findings

We provide in Table 3 descriptive statistics for the overall risk oversight measures (BdRiskActivities and BdRiskDisclosureVol), each of the 11 components of BdRiskActivities, and the control variables. Results are shown separately for the 81 firms within each of the three S&P management and governance categories: strong, satisfactory, and fair. On average, firms with strong management and governance scores disclose 4.62 of the 11 board risk oversight elements in their proxy statements as

Discussion and conclusions

We investigate whether the discretion provided by the SEC with respect to the nature of activities and extent of information firms may disclose about their board risk oversight processes differs for firms deemed to have more effective management and governance activities. Beginning in 2010, the U.S. Securities and Exchange Commission (SEC) has required enhanced disclosures regarding board risk oversight processes. However, this rule does not mandate any specific tasks to be performed by the

References (39)

  • M. Beasley et al. The State of Risk Oversight: An Overview of Enterprise Risk Management Practices (2019)
  • I. Brown et al. Risk management in corporate governance: a review and proposal. Corp. Gov.: An Intern. Rev. (2009)
  • J.L. Campbell et al. The information content of mandatory risk factor disclosures in corporate filings. Rev. Acc. Stud. (2014)
  • J. Cohen et al. Form versus substance: the implications for auditing practice and research of alternative perspectives on corporate governance. Audit. J. Prac. Th. (2008)
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004. Enterprise Risk Management – Integrated...
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2010. Board Risk Oversight: A Progress Report....
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2013. Internal Control – Integrated Framework....
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2017. Enterprise Risk Management: Integrating...
  • Desender, K., 2007. On the Determinants of Enterprise Risk Management, 87–100....