Posted on Tue, Sep 07, 2010
Suits The C-Suite --
Business World Online Edition
By Rebecca G. Sarmenta
Integrating internal audit with enterprise risk management
The traditional role of internal audit is undergoing a transformation.
One important aspect of this transformation is the integration of internal audit with the discipline of enterprise risk management (ERM). With integration, internal audit can focus on controlling "the risks that matter," which extend beyond financial and compliance risks.
In many organizations today, we find two sets of risks -- one identified in the ERM process and another in their internal audit plan.
Integrating an organization’s risk map into its internal audit plan enables one to focus on assurance and control activities that are risk-based and not just on activities that are conducted simply for the sake of compliance.
Leonardo J. Matignas, Jr., SGV & Co Advisory Partner and President of the Asian Confederation of Institutes of Internal Auditors, points out that "internal audit plays a very critical yet sensitive role in the whole ERM process."
"They (internal auditors) have to be very keen on the risks that the company faces, but at the same time independent in their functions. A company with robust risk management would be the ideal situation for internal auditors since this will allow them to focus on what is really important, and implement a risk-based audit approach. Accordingly, a company with an effective ERM will allow internal auditors to monitor the effectiveness of the risk management strategies that are in place and propose recommendations for their continuing improvement, rather than go through the tedious process of transaction auditing that may sometimes not add value or importance in achieving the company’s objectives," Mr. Matignas said.
He added that the challenge, however, is how to have ERM as a discipline and culture within an organization.
Integration involves reconsidering the scope of internal audit’s role and responsibility, and the staffing of the internal audit function to ensure that it has the right skills and resources to execute its new role. In the integration, the functions and responsibilities of internal audit and ERM should remain separate.
According to the Institute of Internal Auditors (IIA), "internal auditing’s core role with regard to ERM is to provide objective assurance to the Board on the effectiveness of the organization’s ERM activities to help ensure that key business risks are being managed appropriately, and that the system of internal control is operating effectively."
Internal auditors are not, and cannot be, responsible for implementing or maintaining an organization’s risk management and control processes. This is management’s key responsibility.
But internal auditors, acting in a consulting capacity, can assist management by challenging or supporting their decisions on risk. Internal auditors, though, should never make risk management decisions.
Internal audit should also assist management, the board, and/or the audit committee by monitoring the entire risk management framework, evaluating controls, examining compliance, reporting findings, and recommending improvements.
According to a position statement made by the IIA in 2004, the core internal audit roles vis-a-vis ERM are to:
- give assurance on the risk management processes;
- give assurance that risks are correctly evaluated;
- evaluate the risk management processes;
- evaluate the reporting of key risks;
- review the management of key risks; and
- facilitate the identification and evaluation of risks.
The IIA has also identified the legitimate internal audit roles with safeguards to ensure that internal audit’s independence and objectivity are maintained. These are to:
- coach management in responding to risks;
- coordinate ERM activities;
- consolidate reporting on risks;
- maintain and develop the ERM framework;
- champion the establishment of ERM; and
- develop the risk management strategy for board approval.
Integration is an opportunity for internal audit to gain new skills and focus that will enable it to support ERM going forward, eventually delivering value beyond compliance assurance. It will help internal audit take a risk-based approach, showing where it needs to focus in the business beyond financial compliance.
A holistic view will give internal audit the opportunity to help the organization to "think risk."
Good risk management requires management of culture and the way it connects to risk. This is a new way of thinking for most organizations. With its pervasive viewpoint and "access all areas" pass to the organization, the internal audit function has the potential to act as a change agent.
Undergoing culture change and expanding into more areas of the organization will require internal audit to expand its current skill sets, including its risk management skills.
Internal audit will also need to have subject matter experts to cover areas such as revenue assurance and contract management, mergers and acquisitions, project risk management, international market expansion, IT processes and projects, as well as people and change management.
To develop the team with the right mix of skills, many organizations are considering outsourcing or co-sourcing. For example, to perform audits that require judgment and specialist technical knowledge such as tax or large IT or construction projects, internal audit may employ an audit team that combines core internal audit practitioners and highly skilled specialists who can come from within the organization or from third party service providers.
A multi-disciplinary internal audit team benefits the organization through an increased focus on business improvements to achieve competitive advantage. A supply chain expert, for example, is able to see things from a completely different perspective and identify opportunities for improvement that are not visible to a financial auditor.
In conclusion, the integration of ERM and internal audit creates a mutually reinforcing relationship in which risk drives the internal audit agenda, and the internal audit findings feed back into the risk profile.
This involves expanding the internal audit skills and capabilities and embarking on a journey to adopt an assurance and advisory role with specialist technical knowledge and enterprise-wide risk focus.
The new internal audit role, which may have been previously feared or endured in an organization, will transform internal audit into a function that adds value, offering important skills to help improve processes and performance across the organization.
Rebecca G. Sarmenta is an Advisory Partner of SGV & Co. She is also a Certified Internal Auditor and is a Director of the Institute of Internal Auditors-Philippines.
Posted on Tue, Aug 03, 2010
SEC Pushes Companies for More Risk Information
The regulator pushes back on companies' risk disclosures and considers changing its related rules.
Sarah Johnson - CFO.com | US
August 2, 2010
The Securities and Exchange Commission has been prodding companies in recent reviews of regulatory filings to provide more information about the risks they face.
In annual and quarterly financial statements, as well as proxies, the regulator wants companies to give more details about potential problems, including risks tied to credit and liquidity, goodwill impairments, and compensation. These topics became hot-button issues during the financial crisis, so it makes sense that the SEC has focused on them in the comment letters that are just now trickling into the commission's electronic filing system.
Christine Davine, national director of SEC services at Deloitte & Touche, reports seeing pushback from the SEC in recent months on these topics, as well as a demand for more-specific information. The commission doesn't want companies to "present risks that apply to any issuer," she says. "It's really about making them specific to a company and its operations." Davine has reviewed SEC comment letters received by Deloitte's clients that have not yet been made public (the correspondence is publicly available within 45 days of when the SEC ends its review).
In one letter dated earlier this year that has been publicly released, the SEC questioned a risk factor in Eagle Materials's 10-K for fiscal year 2009. The reviewer, SEC accounting branch chief Rufus Decker, said the building-materials provider's brief note about the possibility of economic and market conditions affecting the fair value of its pension assets was "too broad and generic." Decker further wrote: "It is not readily apparent why such risk would be unique to you and your business."
In response, CFO D. Craig Kensler told the SEC in a letter that the company would disclose in future filings "in a direct and more specific manner how this risk affects our business." Kensler did not respond to CFO's request for further comment.
Most often, says Davine, companies promise to do better next time and don't have to revise their already submitted filings to address the SEC's concerns. For Eagle Materials (which is not a Deloitte client), that meant explaining in its FY2010 10-K that economic conditions could affect the assumptions the company uses to calculate its obligations for its employee benefit plans, which in turn could affect the cost of running the programs and the results of its operations.
For its part, the SEC has warned companies about its renewed attention to risk disclosures. At a conference for certified public accountants in December, Meredith Cross, director of the SEC's Division of Corporation Finance, said that while the commission was in the process of reviewing all of its disclosure rules as part of a larger project, risk disclosure was a particular area that "needs fixing."
She expressed a desire to get companies away from "mind-numbing risk factors discourse to a more-targeted discussion of the principal risk facing the company." She theorized such a change could entail combining the risks disclosed in the management discussion and analysis portion of companies' financial reports with the discussions about risk factors and market risks.
And in July, SEC chairman Mary Schapiro said the commission's staff is working on making a recommendation for changing the regulator's risk-disclosure requirements. Schapiro did not give a time line or provide specifics, but the project will likely sit on the back burner as the commission tackles its mandates from the recently passed financial-reform bill, which has several deadlines for new regulations and studies.
Beyond the Ks and Qs, the SEC has also been questioning companies' talk of risk in their proxy statements, based on rules passed just before the most recent proxy season began, says Davine. These inquiries concern whether companies have considered how incentives in their compensation programs are tied to risk, and explanations of the board's role in overseeing risk.
As the SEC works on possibly issuing new guidelines for risk disclosures while also providing companies with feedback, observers say companies should avoid "copying and pasting" their risk disclosures every quarter. Katharine Martin, a partner at law firm Wilson Sonsini Goodrich & Rosati, suggests representatives from the legal, finance, and investor-relations departments meet once a quarter to specifically discuss the various risks affecting their company, their potential impact, and whether that impact warrants disclosure. (The SEC's Regulation S-K requires companies to disclose "the most significant factors" that make a securities offering speculative or risky.)
However, it's hard to kick the habit that the SEC has been trying to break through its comment process. Risk disclosures have become more generic, lengthy, and repetitive as companies have attempted to fend off potential scrutiny from securities plaintiffs. "When the SEC makes suggestions for preparing the 10-K, they are explicit in saying, don't just take last year's report and adjust it," says Karen Nelson, an accounting professor at Rice University. "They want companies to start from scratch, but that's not the way people think."
Nelson's research has shown that the risk-factor sections of companies' filings tend to have more boilerplate language, or repeated phrases year after year, than the discussion of risk in MD&As.
Posted on Wed, Jul 07, 2010
Mastering a Mountain of Risk
American Banker, Bank Technology News | Michael Sisk
July 2010
There is a saying that history doesn't repeat itself, but it rhymes. And that is the dilemma for risk managers. It's very unlikely a new crisis will look exactly like a predecessor since banks build those scenarios into their risk models. But new crises are inevitable, and they will always share similarities with previous disruptions.
Given how quickly new risks are piling up there is an urgency to respond to this dilemma by implementing risk management platforms that can sense risk as well as see it clearly. Speaking at SIFMA's Systemic Risk Regulation Summit in June, the evp and head of enterprise-wide market risk at Bank of NY Mellon, Robert Rupp, said the uncertainty around global banks' exposure to Greek debt and other European government bonds reminded him of the early days of the financial crisis when banks and markets were uncertain how they were exposed to each other and the mortgage market. He warned: "You need to see the unseeable."
Seeing the unseeable may be impossible, but risk experts contend it is possible to install technology that can sense when risks are getting out of kilter and empower managers to back away from those risks quickly. This sensing mechanism requires a comprehensive view of risk, linking risk management to long-term strategic business objectives, deploying new risk tools without undue cost and delay, and reacting quickly to the first inklings that risks threaten those business objectives.
There is general agreement on the broad outlines of an effective risk management system and the need to spend on it. A recent survey by OpenPages, an ERM vendor, found that 88 percent of managers across industries say that enterprise risk management spending will increase or remain the same this year. "When you're looking at risk in four or five or six different ways, you have a fractured view of risk to pass along to the board of directors, and that's just not flying anymore," says Todd Cooper, vp and general manager of Wolters Kluwer Financial Services' Enterprise Risk Compliance business, which recently released a new ERM offering called ARC Logics for Financial Services.
Banks' ERM solutions must incorporate different types of risk, such as market, credit, and operational, from throughout the enterprise. These systems should look across silos and show how different risks impact each other, keep tabs on the risk profile of the institution as a whole, and they must allow managers to make refinements on a frequent basis. "Data has to be aggregated across the enterprise," says Dana Wiklund, a research director for IDC Financial Insights. "In the future the challenge is defining and understanding risk interdependencies."
John Whittaker, the group head of operational risk at Barclays, explained that with an ERM solution from OpenPages the bank now has a single database that holds its operational risk and Sarbanes-Oxley reporting mechanisms. "This is a single database that holds all elements of our operational risk framework; whether that be internal events, risk and control assessments, key risk scenarios or metrics. It allows us, through the workflow that is included within the system, to link all elements of our framework together and ensure that it is an integrated framework." He made his comments during a recent Web seminar sponsored by OpRisk & Compliance Magazine.
Stephen Davey, svp of risk management at Valley National Bank, a $14 billion institution in Wayne, NJ, that recently began to implement the Wolters Kluwer platform, says: "We need to be able to benchmark ourselves against peer groups over time, and benchmark ourselves against our own policy limits. We need to remind ourselves where we are and see the overall trends versus a point in time."
While banks generally agree on the need for converged risk management and the broad outlines of what that should look like, analysts say banks need to spend more time altering cultural attitudes toward risk by linking risk management to long-term strategic business objectives, considering new ways to deploy technology faster and more cheaply, and empowering managers to react quickly to the first signals that risks could be mounting and threatening those business objectives.
French Caldwell, vp of research for Gartner, says executives must tighten the relationship between risk management and the bank's key strategic business objectives. He argues a bank should define the top five or six key strategic business objectives, describe the underlying business processes, and identify the risks to those processes. Since not all banks' strategic business objectives will be the same, their approach to risk will be slightly different. This itself will help alleviate systemic risk since not all banks will react the same way to events.
Neglecting to consider the risk inherent in the execution of business strategy can cost a bank dearly. Caldwell knows of one bank that articulated growth through M&A as a key strategic business objective, but was set back when it unexpectedly found the IT systems of a Latin American acquisition difficult to integrate, a delay that quickly ate away at anticipated savings. Another bank that depended heavily on its leasing and finance business was caught off guard when the vendor of a critical piece of software went bankrupt. Says Caldwell, "Suddenly the software was not going to be supported anymore and yet it was absolutely critical to the ongoing organization."
A recent survey indicates this shift in mindset toward linking risk to business goals may be occurring. A survey of more than 1,100 finance executives across industries worldwide conducted this spring by leading researchers at the Wharton School, Johns Hopkins University, and Duke University ranked the top four goals of corporate risk management programs: avoid a large loss, fulfill shareholder expectations, increase future cash flows, and increase the firm's value. (As of late June, the survey had not yet been published in full.)
The first of those goals is no surprise, but Caldwell says the other three could represent a significant cultural shift in attitude toward risk management's role in attaining business objectives. "They're seeing the upside potential of risk management and are focused on the business objectives. They see risk management as a profit center and are focused on improving business performance."
Buttressing Caldwell's argument are comments from Barclays' Whittaker: "Our system is not only used by operational risk staff. It is also used extensively by the business. ... As op risk professionals, we should make sure that we are not seen as purely a compliance function and that we can actually, at the end of the year, answer the question of 'What are we doing to help the bank run better?'"
To meet business objectives banks should keep risk platforms cutting edge, analysts say, which means avoiding technologies that are difficult and costly to upgrade. IDC's Wiklund says: "One of the issues is how do you effectively take advantage of new solutions without dealing with complicated products and without long implementation times." The answer, he predicts, is cloud computing. By leveraging the cloud to deploy risk management technologies quickly as they emerge, banks can avoid solutions that require complicated, time-consuming, costly installations.
In particular, Wiklund cites the kind of solutions offered by Riskonnect as the way of the future. Riskonnect's suite of risk management applications is built on the Force.com platform by Salesforce.com. The company layers the platform with business intelligence technology and reporting capabilities, delivering the complete range of business intelligence capabilities powered by IBM Cognos solutions (reporting, analysis, dashboarding and scorecards) so companies can integrate risk management and corporate performance management. "Deploying our solution takes [about] a day," says CEO and co-founder Bob Morrell. "We do stuff so fast compared to the old-school installation of software; that's like a distant memory for me. I almost can't relate. This is like signing up for Facebook."
Although Riskonnect's clientele is confidential, Morrell says the company is strong in retail and energy; it currently has no financial services clients, but that may change. "When we started (in 2007) we assumed financial services companies had figured it out." Now, however, he sees an opportunity. "We're thinking about starting to edge into that space this year or next."
Still, even after an ERM solution is in place, after risks are linked to strategy, and even if a bank can upgrade technology easily, all will be for naught if managers can't react quickly. Given that the most extreme threats will be ones that haven't occurred before, risk managers need to read the tea leaves and judge when too many risks seem to be piling up or are intersecting in ways that might threaten business objectives, and then ratchet back that risk quickly. In other words, good risk management can be as much an art as a science.
Nurturing a corporate culture that empowers and encourages managers to dial back risk on what can amount to an educated hunch is no easy matter. Banks are in a competitive business and the need to outperform their peers requires risk taking. The net effect of this competition is that banks often mimic each other's most successful and profitable business practices and drive each other in the same direction: the kind of classic herd mentality that creates and worsens systemic risk.
This tendency makes finding the power to step back from the cliff all the more vital. "If we're running with the pack and the pack is in danger, how do you get out?" asks Gartner's Caldwell. "One way is deciding that we're not going to follow the pack, but I don't know if that's viable given the competitive environment. So what do you do WHEN the next crash happens, not if?" Prior to the past financial crisis "banks weren't looking at or considering the overall picture, and everyone was following the same risk strategies, such as VAR [value at risk], so they were all subject to the same unknown risks."
Since competition is a fact of life, it will take courage among leaders to break away from the pack, especially when others don't see the danger signs flashing and are charging ahead, Caldwell says. "Banks need to break the peer pressure mentality. It takes leadership to say 'Look, this is going too far,' and then ratchet things down. If everyone did that, that would alleviate systemic risk."
IDC's Wiklund agrees that technology and leadership should go hand in hand. "One way to respond to this type of systematic risk is to make an institution's decision support technologies more flexible. The ability to implement credit policy changes quickly, along with the alignment of data and analytics to evaluate the risk trends of new and existing customers, enables institutions to rapidly fuel a decision process," according to Wiklund. "Many times human capital is the "X" factor in responding to systematic risk events. All the data and analytical systems can be in place, but if an organization cannot effectively move through risk process cycles of knowing its business objectives, identifying the risks to them, putting mitigations in place and then monitoring those risks effectively, it will be treading water in a rip tide. The message is that systems and people are equally important."
While the imperative to pursue these ERM solutions is clear, risk managers at the SIFMA conference said there is an immediate, significant distraction: the shape of financial reform and the worry that once passed regulators will spend two to three years interpreting the new law. Conference attendees said uncertainty around what type of data regulators will want and in what form makes implementing risk management all the tougher. "There are two levels of unknowables," says Rupp of Bank of NY Mellon. "Will they want the same data or new data, and will they want a small amount or a gigantic amount? We just don't know. Unfortunately, simplicity and streamlining were not a priority" in designing the regulation, he says.
Posted on Wed, Jun 23, 2010
The Cloud Casts a Shadow
Lured by easy, inexpensive cloud-computing services, business units are bypassing IT departments when choosing solutions, creating a rise in "shadow IT."
David McCann - CFO.com | US
June 15, 2010
The proliferation of cloud-computing services is enabling many companies to lower information-technology costs and the capital risk associated with innovation. But there is a darker consequence of the cloud: a rise in "shadow IT."
Shadow IT is the purchase or development of technology services outside the control or oversight of a company's IT department. It may occur because a business unit believes it has unique needs not met by the company's standardized computing services, or wants a quicker implementation than it would get from the IT department. Most large companies, wary of data-security risks and seeing standardization of IT practices and processes as a key value driver, wage endless war against shadow IT.
Internet-based technology services from cloud providers, with their massive data centers, are often cheaper and faster than the services a company can provide internally. That opens the door to business units making technology decisions they historically would have run through the IT department. "Cloud services are driving an explosion of shadow IT," says Michel Feaster, vice president of products for Apptio, a provider of software enabling IT cost transparency, accounting, and budgeting.
Look for the problem to get worse before it gets better. Because cloud computing is still new compared with traditional technology infrastructure, many people outside of IT aren't yet fully aware of its possibilities, notes William Miller, CFO of Nationwide Services Co., a Nationwide Insurance subsidiary that runs the company's IT operation.
Anything that promotes shadow IT is disturbing to Miller. "What you don't want is what I call 'hobbyists' driving core business processes," he says. Many business leaders are making value judgments around cost or timeliness, saying they need to be faster and cheaper, without truly understanding the compromises involved in going outside the IT department, he says.
They also may not understand what they need from a technology provider — and what they don't ask for, they're not likely to get, according to Miller. "If you tell a third party that your number-one issue is price, they're going to get you cheap service," he says. "They're not going to tell you what risks you're introducing with that cheap service, if they even know."
Before cloud computing, some people saw a silver lining, as it were, in shadow IT: a source of innovation leading to prototypes for future approved solutions. That role is less attractive now that the cloud has emerged as a major stimulus for innovation, allowing companies to experiment with technology without buying expensive physical infrastructure. "You don't need shadow IT [anymore] to enable innovation," says Phil Garland, CIO advisory solutions leader for PricewaterhouseCoopers.
Not that IT has to make all the decisions regarding technology services for business units, or that businesses are always clueless about what solutions they need to handle any specialized needs. It may be enough for the centralized department to be aware of what the units are doing so it can apply a common set of controls, standards, and compliance procedures, notes Garland.
But communication from the IT department, or the lack of it, is a factor in the growth of shadow IT, according to Apptio's Feaster. "When IT can't articulate its costs and services as simply and clearly as cloud providers can, it drives business units to adopt those technologies and undermines IT's efforts to centralize and standardize," she says.
In fact, at many companies today, one goal of such efforts is to better compete with cloud services. Ironically, says Feaster, to the extent business units don't like the standardized offerings, they may be even more inclined to seek out shadow IT solutions.
Hampering the detection and reining in of shadow IT is the fact that it's often used for small projects with limited shelf lives that don't trigger the company's IT governance review thresholds. "But when you get a thousand of those paper cuts," says Feaster, "over time a significant portion of your discretionary spend is going to outside service providers."