Wednesday, October 6, 2010

Top 8 Best Practices for New SEC Regulation Surrounding Risk Oversight

There has been increasing discussion in the past few years around the Board of Directors' involvement in risk management.

New regulations by the SEC require registrant companies to publicly disclose substantial new information about a wide range of governance activities. Starting February 28, 2010, the SEC will require future proxy and information statements to provide analysts and investors with additional information about:

  • The Board's leadership structure and role in risk oversight.
  • The relationship of the organization's overall compensation policies and practices to enterprise risk and risk management.

Based on our extensive experience helping companies understand and improve their risk management activities, below is a list of the top 8 best practices to help Board Members and CFOs comply with the new SEC regulation.

  • Oversight starts with the Board of Directors. The board is ultimately responsible for overseeing the company's risks. Create a new risk oversight committee or assign specific board members with the task of monitoring the various risks a company faces.
  • The company should conduct an appropriate enterprise risk assessment and present a report to the Board on an annual basis. The assessment should be a complete list of the risks the company is exposed to, including natural disasters, political risk, product quality, financial misstatement, legal risks, succession planning risks, sourcing risks, etc.
  • The company should specifically define what risk means to it. What amount of estimated financial risk is the company willing to accept? What amount of residual risk will lead to an action plan? Understanding the company's risk tolerance is an important start to risk oversight.
  • On a quarterly basis, understand the top five external and internal risks affecting the company. Ask management to present to the Board the top five external risks [risks the company does not have control over (e.g., economic downturn, natural disaster, etc.)] and the top five internal risks [risks the company has direct control over (e.g., product quality, accurate financial statements, etc.)]. In addition, management should discuss the plans to mitigate each risk.
  • Understand senior management's plan for each risk identified. What are management's plans to prevent, reduce and address the identified risk? Will management accept the risk (do nothing because the risk is not considered material or significant), mitigate the risk (proactively or reactively put controls in place to reduce risk exposure) or share the risk (e.g., via insurance, partnerships, etc.)?
  • Understand the gaps between the company's current risk profile and its ideal risk profile. Ensure there is a formal plan and timeline to create processes and controls that reduce the gaps in residual risk.
  • Quiz management to obtain comfort on the company's approach to risk management. Ask probing questions such as: What is the plan for a product recall? Is there a formal plan? What is the operational, financial and public relations plan for product recalls? How does the company obtain comfort that the products sold meet strict guidelines?
  • Understand how the different departments and business units collaborate when responding to risks. Is there a single department or business unit responsible for creating an action plan, or are four different departments fixing the issue at the same time?
