Enterprise Risk Management (Preview)

22 Part 1 – Concepts and Methods

• Compensation recovery – Companies must have policies in place to recover incentive-based compensation awarded erroneously to executive officers in the past three years. For example, if a bonus would not have been awarded after removing the effects of fraud or financial reporting errors, the bonus is recoverable. The policies need to apply to all types of incentive-based compensation, including stock options.

• Proxy access – Relatively large shareholders, as defined by regulations, must have the ability to include nominees for board membership as part of the proxy statements (shareholder vote solicitation materials) sent by the company to its shareholders.

• Board leadership – Companies must disclose in the proxy statements sent to their shareholders the reasons why the same person is chosen to act as both chair of the board and chief executive officer, or why two separate persons are proposed.

• Whistleblower rewards – A program is created to reward the reporting of violations of securities law directly to the SEC. Individuals reporting violations are referred to as whistleblowers. Rewards may reach up to 30 percent of the sanctions imposed. [25]

Risk Management Regulations

The financial crisis and the requirements of the Dodd-Frank Act caused securities commissions and stock exchanges to reexamine their regulations and rules related to the risk management practices of organizations and to the disclosure of risk and risk management information. Although these rules and regulations mostly apply to financial services, many also apply to publicly-traded companies at large. These rules and regulations create expectations and influence the leading practices that every organization wants to follow, including government entities and not-for-profit organizations.
Since 2005, the Securities and Exchange Commission has required that companies publicly-traded in the United States report risk information in a separate section titled “risk factors” in their quarterly and annual reports. The information provides investors with an overview of the significant risks facing the organization. [26] The significant risks may be external or internal to the organization, and may be strategic, operational or financial in nature. The reports must also include distinct information on market risks. These market risks relate to interest rates, foreign currency exchange, commodity prices, equity prices and other market-sensitive instruments such as derivatives. [27] The annual and quarterly reports filed with the SEC are available to investors and the public.

The SEC also introduced regulations for the disclosure of risk management practices to address requirements of the Dodd-Frank Act. In 2010, Rule 33-9089 became effective, requiring that companies explain the involvement of their board in the oversight of risk management activities. Companies must indicate whether the full board assumes the oversight responsibility, or whether it is assigned to a committee of the board (which must be a risk committee in the case of large financial services organizations). Companies also need to describe the relationship between their board and senior management regarding the management of risks, in particular how risk management professionals are supervised, whether they report to the board, and how the board otherwise receives information from these professionals. [28] These explanations are disclosed in the proxy statements sent to shareholders for soliciting their vote to elect board members. Proxy statements filed with the SEC are accessible to the public.
