NDI. NDI Executive Exchange. Boardroom Risk Assessments Roundtable Thursday, January 13, :00 a.m. 10:30 a.m. National

Transcription

1 National Directors Institute NDI Executive Exchange NDI Boardroom Risk Assessments Roundtable Thursday, January 13, :00 a.m. 10:30 a.m. Co-Sponsors In-Kind Sponsors

2 Boardroom Risk Assessments Moderator: Michael Kirwan Partner, Foley & Lardner, LLP Panelists: Pete Carpenter Former Vice Chairman of CSX Corporation and President and CEO of CSX Transportation Currently a director on the Boards of Regency Centers Corporation, PSS World Medical, Stein Mart, Inc. and Lender Processing Services, Inc. Laurie Champion Director and Practice Leader for Risk Governance/Enterprise Risk Management at Aon Global Risk Consulting Timothy Hanley Vice Chairman of Deloitte & Touche Brian Kennedy Senior Managing Director of the Public Affairs Practice at FD Americas 1

3 3 Overview of Today s Discussion Is Risk Assessment a function of only the Audit Committee? What is meant by Risk? How should Boards oversee Risk? How do Boards help to embed Risk Management into the Corporate Culture? 4 SEC Rule on Risk Oversight Pursuant to Item 407(h) of Reg. S-K, companies must disclose in their proxy statements: the extent of the board's role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board's leadership structure. 2

4 5 Sample Proxy Disclosures on Risk Oversight Excerpt from Microsoft s proxy statement dated September 30, 2010: Risk Oversight Risk Oversight The Board of Directors exercises direct oversight of strategic risks to the Company. The Audit Committee reviews and assesses the Company s processes to manage business and financial risk and financial reporting risk. It also reviews the Company s policies for risk assessment and assesses steps management has taken to control significant risks. The Finance Committee oversees investment, tax, foreign exchange, and other financial risks. The Compensation Committee oversees risks relating compensation programs and policies. The Antitrust Compliance Committee oversees competition law-related risks. In each case management periodically reports to our Board or relevant committee, which provides guidance on risk appetite, assessment, and mitigation. Each committee charged with risk oversight reports to our Board on those matters. 6 Sample Proxy Disclosures on Risk Oversight March 5, 2010: The Board s Role in Risk Management The Board oversees that the assets of the Company are properly safeguarded, that the appropriate financial and other controls are maintained, and that the Company s business is conducted wisely and in compliance with applicable laws and regulations and proper governance. Included in these responsibilities is the Board of Directors oversight of the various risks facing the Company. In this regard, the Board seeks to understand and oversee critical business risks. The Board does not view risk in isolation. Risks are considered in virtually every business decision and as part of the Company s business strategy. The Board recognizes that it is neither possible nor prudent to eliminate all risk. Indeed, purposeful and appropriate risk-taking is essential for the Company to be competitive on a global basis and to achieve the objectives set forth in its 2020 Vision. 3

5 7 Sample Proxy Disclosures on Risk Oversight March 5, 2010: Effective risk oversight is an important priority of the Board. The Board has implemented a risk governance framework to: understand critical risks in the Company s business and strategy; allocate responsibilities for risk oversight among the full Board and its Committees; evaluate the Company s risk management processes and see they are functioning adequately; facilitate open communication between management and Directors; and foster an appropriate culture of integrity and risk awareness. 8 Sample Proxy Disclosures on Risk Oversight March 5, 2010: While the Board oversees risk management, Company management is charged with managing risk. The Company has robust internal processes and a strong internal control environment to identify and manage risks and to communicate with the Board. These include an enterprise risk management program, a risk management committee co-chaired by the Chief Financial Officer and the General Counsel, regular internal management disclosure committee meetings, Codes of Business Conduct, robust product quality standards and processes, a strong ethics and compliance office, and a comprehensive internal and external audit process. The Board and the Audit Committee monitor and evaluate the effectiveness of the internal controls and the risk management program at least annually. Management communicates routinely with the Board, Board Committees and individual Directors on the significant risks identified and how they are being managed. Directors are free to, and indeed often do, communicate directly with senior management. 4

6 9 Sample Proxy Disclosures on Risk Oversight March 5, 2010: The Board implements its risk oversight function both as a whole and through Committees. Much of the work is delegated to various Committees, which meet regularly and report back to the full Board. All Committees play significant roles in carrying out the risk oversight function. In particular: The Audit Committee oversees risks related to the Company s financial statements, the financial reporting process, accounting and legal matters. The Audit Committee oversees the internal audit function and the Company s ethics programs, including the Codes of Business Conduct. The Audit Committee members meet separately with the Company s General Counsel, Chief of Internal Audit and representatives of the independent auditing firm. The Compensation Committee evaluates the risks and rewards associated with the Company s compensation philosophy and programs. As discussed in more detail in the Compensation Discussion & Analysis beginning on page 45, the Compensation Committee reviews and approves compensation programs with features that mitigate risk without diminishing the incentive nature of the compensation. Management discusses with the Compensation Committee the procedures that have been put in place to identify and mitigate potential risks in compensation. 10 Sample Proxy Disclosures on Risk Oversight March 5, 2010: The Finance Committee oversees certain financial matters and risks relating to pension plan investments, currency risk and hedging programs, mergers and acquisitions, and capital projects. The Public Issues and Diversity Review Committee oversees issues that could pose significant reputational risk to the Company. The Management Development Committee oversees management development and succession planning across senior management positions. 5

7 11 Sample Proxy Disclosures on Risk Oversight March 5, 2010: In addition, annually, one meeting of the full Board of Directors is dedicated primarily to evaluating and discussing risk, risk mitigation strategies, and the Company s internal control environment. Topics examined at this meeting include, but are not limited to, financial risks, political and regulatory risks, legal risks, supply chain and quality risks, information technology risks, economic risks, and risks related to the Company s transformation efforts. Because overseeing risk is an ongoing process and inherent in the Company s strategic decisions, the Board also discusses risk throughout the year at other meetings in relation to specific proposed actions. The Company believes that its leadership structure, discussed in detail beginning on page 21, supports the risk oversight function of the Board. While the Company has a combined Chairman of the Board and Chief Executive Officer, strong Directors chair the various committees involved with risk oversight, there is open communication between management and Directors, and all Directors are actively involved in the risk oversight function. 12 Sample Proxy Disclosures on Risk Oversight Excerpt from Pfizer s proxy statement dated March 16, 2010: The Board s Role in Risk Oversight The Board executes its oversight responsibility for risk management directly and through its Committees, as follows: The Audit Committee has primary responsibility for overseeing the Company s Enterprise Risk Management, or ERM, program. The Company s Chief Internal Auditor, who reports independently to the Committee, facilitates the ERM program as part of the Company s strategic planning process under the executive sponsorship of our Senior Vice President and Chief Financial Officer and our Senior Vice President and General Counsel. The Committee s meeting agendas include discussions of individual risk areas throughout the year, as well as an annual summary of the ERM process. In addition, the Committee has certain responsibilities with respect to our compliance program. For additional information, see Board and Committee Membership The Audit Committee and Item 2 Ratification of Independent Registered Public Accounting Firm Audit Committee Report later in this Proxy Statement. 6

8 13 Sample Proxy Disclosures on Risk Oversight Excerpt from Pfizer s proxy statement dated March 16, 2010: The Board s other Committees Compensation, Corporate Governance and Science and Technology oversee risks associated with their respective areas of responsibility. For example, the Compensation Committee considers the risks associated with our compensation policies and practices, with respect to both executive compensation and compensation generally. The Board of Directors is kept abreast of its Committees' risk oversight and other activities via reports of the Committee Chairmen to the full Board. These reports are presented at every regular Board meeting and include discussions of Committee agenda topics, including matters involving risk oversight. 14 Sample Proxy Disclosures on Risk Oversight Excerpt from Pfizer s proxy statement dated March 16, 2010: The Board considers specific risk topics, including risks associated with our strategic plan, our capital structure and our development activities. In addition, the Board receives detailed regular reports from the members of our Executive Leadership Team, or ELT the heads of our principal business and corporate functions that include discussions of the risks and exposures involved in their respective areas of responsibility. These reports are provided in connection with every regular Board meeting and are discussed, as necessary, at Board meetings. Further, the Board is routinely informed of developments that could affect our risk profile or other aspects of our business. 7

9 15 SEC Rules on Compensation Policies Related to Risk Management Pursuant to Item 402(s) of Reg. S-K, companies must provide in their proxy statements: Narrative disclosure of the registrant's compensation policies and practices as they relate to the registrant's risk management. To the extent that risks arising from the registrant's compensation policies and practices for its employees are reasonably likely to have a material adverse effect on the registrant, discuss the registrant's policies and practices of compensating its employees, including non-executive officers, as they relate to risk management practices and risk-taking incentives The purpose of this paragraph(s) is to provide investors material information concerning how the registrant compensates and incentivizes its employees that may create risks that are reasonably likely to have a material adverse effect on the registrant the following are examples of the issues that the registrant may need to address for the business units or employees discussed: 16 SEC Rules on Compensation Policies Related to Risk Management 1. The general design philosophy of the registrant's compensation policies and practices for employees whose behavior would be most affected by the incentives established by the policies and practices, as such policies and practices relate to or affect risk taking by employees on behalf of the registrant, and the manner of their implementation; 2. The registrant's risk assessment or incentive considerations, if any, in structuring its compensation policies and practices or in awarding and paying compensation; 3. How the registrant's compensation policies and practices relate to the realization of risks resulting from the actions of employees in both the short term and the long term, such as through policies requiring claw backs or imposing holding periods; 4. The registrant's policies regarding adjustments to its compensation policies and practices to address changes in its risk profile; 5. Material adjustments the registrant has made to its compensation policies and practices as a result of changes in its risk profile; and 6. The extent to which the registrant monitors its compensation policies and practices to determine whether its risk management objectives are being met with respect to incentivizing its employees. 8

10 17 Sample Proxy Disclosures on Compensation Practices related to Risk Management Excerpt from Microsoft s proxy statement dated September 30, 2010: Assessment of Risk In fiscal year 2010, we performed a comprehensive assessment for the Compensation and Audit Committees of our Board of Directors to determine whether the risks arising from any of our compensation policies or practices are reasonably likely to have a material adverse effect on the Company. Our assessment covered each material element of executive and non-executive employee compensation. We concluded that these policies and practices do not create risk that is reasonably likely to have a material adverse effect on the Company. In addition, the structure of our compensation program for executive officers does not incentivize unnecessary or excessive risk taking. The base salary component of compensation does not encourage risktaking because it is a fixed amount. The current Incentive Plan awards have the following risk-limiting characteristics: 18 Sample Proxy Disclosures on Compensation Practices related to Risk Management Excerpt from Microsoft s proxy statement dated September 30, 2010: Awards to each executive officer are limited to the least of (a) a fixed maximum specified in the Incentive Plan, (b) a fixed percentage of an incentive pool, or (c) 150% of a target award (200% of base salary for Mr. Ballmer). Awards are made based on a review of a variety of indicators of performance, thus diversifying the risk associated with any single indicator of performance. Awards are not made in the form of stock options, which may provide an asymmetrical incentive to take unnecessary or excessive risks to increase Company stock price. Incentive Plan awards are not tied to formulas that could focus executives on specific short-term outcomes. Members of the Compensation Committee, or in the case of Mr. Ballmer, the independent members of our Board of Directors, approve the final Incentive Plan awards in their discretion, after reviewing executive and corporate performance. Incentive Plan awards are subject to our Executive Compensation Recovery Policy, described on pages 30 and 31. For executive officers other than Mr. Ballmer, the majority of the award value is delivered in the form of shares of common stock with a multi-year vesting schedule, which aligns the interests of our executive officers to long- term shareholder interests; for Mr. Ballmer this alignment exists by virtue of his being one of Microsoft s largest shareholders. Executive officers are subject to our executive stock ownership requirements described on page 31. 9

11 19 Sample Proxy Disclosures on Compensation Practices related to Risk Management March 5, 2010: Risk Considerations The Compensation Committee reviews the risks and rewards associated with the Company s compensation programs. The Compensation Committee designs compensation programs with features that mitigate risk without diminishing the incentive nature of the compensation. We believe our programs encourage and reward prudent business judgment and appropriate risk-taking over the long term. With respect to specific elements of compensation: Base salary does not encourage risk-taking as it is a fixed amount. Base salary is a relatively small percentage of total direct compensation for executives. We have not increased the relative weighting of base salary because we believe there is also risk to the Company if executives are too conservative. 20 Sample Proxy Disclosures on Compensation Practices related to Risk Management March 5, 2010: The annual Performance Incentive Plan is designed to reward achievement of short-term results when measured against performance metrics. Plan design together with Board and management processes mitigate undue risk-taking. Specifically:» Multiple Performance Factors. The Performance Incentive Plan uses multiple performance factors that encourage executives to focus on the overall health of the business rather than a single financial measure.» Award Cap. The plan caps the maximum award payable to any individual as described on page 50.» Clawback Provision. The Performance Incentive Plan allows the Company to recapture awards from current and former employees in certain situations, including restatement of financial results, as described on page

12 21 Sample Proxy Disclosures on Compensation Practices related to Risk Management March 5, 2010: The annual Performance Incentive Plan» Management Processes. Board and management processes are in place to oversee risk associated with the Performance Incentive Plan, including, but not limited to: monthly and quarterly business performance reviews by management and regular business performance review by the Audit Committee and the Company s internal disclosure committee. 22 Sample Proxy Disclosures on Compensation Practices related to Risk Management March 5, 2010: A number of factors mitigate risks inherent in long-term equity compensation, specifically:» Stock Ownership Guidelines. The Company has substantial stock ownership requirements for senior executives, as described on page 63.» Retention of Shares. Stock option grants in 2009 and 2010 contain a provision requiring any senior executive who has not met his or her ownership guidelines within the required period to retain all shares necessary to satisfy the guidelines after paying the exercise price and taxes.» Permission to Sell Shares. Executive Officers also must obtain permission from the Company s General Counsel before the sale of any shares, even during an open trading period.» Hold until Separation. In some circumstances, the Compensation Committee also may require that senior executives retain net shares obtained upon exercise of stock options until separation from the Company, as it did with the special grants made to Mr. Kent in

13 23 Sample Proxy Disclosures on Compensation Practices related to Risk Management March 5, 2010: A number of factors mitigate risks inherent in long-term equity compensation, specifically:» Additional Holding Period After Performance. The performance share unit program requires an additional holding period of one or two years after the performance period has ended.» Clawback Provision. In the event an equity plan participant engages in a Prohibited Activity (as defined under our equity plan agreements) at any time during the term of the award or the later of (i) within one year after termination of the participant s employment or (ii) within one year after exercise of all or any portion of the award, the award may be rescinded and, if applicable, any gain associated with any exercise of an award may be forfeited and repaid to the Company. Management and the Compensation Committee evaluate regularly the risks involved with all compensation programs globally and do not believe any of the Company s compensation programs create risks that are reasonably likely to pose a material adverse impact to the Company. 24 NYSE Rules Regarding Audit Committees Pursuant to Rule 303A.07(b) of the NYSE s Listed Company Manual, the NYSE requires each of its listed companies to have an audit committee that discuss policies with respect to risk assessment and risk management. 12

14 25 NYSE Rules Regarding Audit Committees The Manual s commentary provides: While it is the job of the CEO and senior management to assess and manage the listed company's exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee. 26 NYSE Rules Regarding Audit Committees Pursuant to Rule 303A.07(c) of the NYSE s Listed Company Manual, each listed company must have an internal audit function. The Manual s commentary provides: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company's risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. 13

15 27 How Should Boards Oversee Risk? COSO Recommendations The Committee of Sponsoring Organizations of the Treadway Commission (COSO), recommends that Boards do four things: 1. Work with management to develop a mutual understanding of the company s risk philosophy and appetite for risk 2. Analyze the company s risk portfolio against the backdrop of the company s appetite for risk 3. Understand the effectiveness of the company s enterprise risk management systems put in place by management 4. Be aware of the company s most significant risks and management s capacity to respond to and manage those risks 28 How Should Boards Oversee Risk? NACD Ten Principles In it s Blue Ribbon Commission Report on Risk Governance: Balancing Risk and Reward, the National Association of Corporate Directors (NACD) issued the following ten principles of effective risk oversight: 1. Understand the business and the key drivers of success 2. Assess the risk appetite inherent in the company s strategy 3. Define the role of the full Board and its standing committees with regard to risk oversight 4. Consider whether the company s risk management system including people and processes is appropriate and has sufficient resources 5. Work with management to understand and agree on the types (and format) of risk information the Board requires 14

16 29 How Should Boards Oversee Risk? NACD Ten Principles 6. Make sure the Board encourages dynamic interaction and probing, constructive dialogue between management and the Board 7. Closely monitor the organization s tone at the top, culture, and incentive structure 8. Monitor critical alignments of strategy, risk, controls, compliance, incentives, and people 9. Consider emerging and collateral risks: What s around the next corner? What might be off to the side? 10. Periodically Assess the Board s risk oversight processes: Do they enable the Board to achieve its risk oversight objectives? Full Blue Ribbon Commission Report on Risk Governance available at: 30 How Should Boards Oversee Risk? Critical Questions for Boards to Address Examples of questions a Boards should explore: What are the risks to the company s tangible assets? Casualty loss, for example. How can this be mitigated? E.g., insurance, safety practices, training Obsolescence, for example. How can this be mitigated? E.g., prospective engineering, monetary reserves for upgrades What are the risks to the company s intangible assets? Information, trade secrets, IP, and customer and employee privacy, for example. How can this be mitigated? E.g., IT security, disaster recovery plan, contractual safeguards, patents, and education What are the risks to the company s human capital? Ethical dilemmas, voluntary departures, mortality and lack of adequate supply, for example. How can this be mitigated? E.g., in-bound reference checks, diligence, training and education, compensation design, non-competes, succession planning, insurance and wellness, pipeline programs and multi-sourcing 15

17 31 Critical Questions for Boards to Address What are the risks to the company s finances? Illiquidity, counterparties, fraud, financial reporting, and commodity, FX and other price swings. How can this be mitigated? E.g., cash management (reserves, leverage, cash-flow planning), stress testing, proper reliance on metrics and external rankings, diligence, security, control systems, personnel quality and quantity, whistle-blowers, disclosure committees, hedging, and diversification What are the company s operational risks? Competitive risks, product use and contents, adequacy of suppliers and customers, and risks imposed by global reach. How can this be mitigated? E.g., strategic planning, QC/QA, multiple-sourcing, diligence, building relationships, utilizing OPIC, assessing trade policy, education and geodiversification What are the company s regulatory risks? In general, compliance and regulatory change. How can this be mitigated? E.g., education, tone at the top, codes of ethics and compliance, personnel quantity and quality, governmental relations program 32 Critical Questions for Boards to Address What are the risks to the company s reputation? How can this be mitigated? E.g., manage risk in general, build a reservoir of goodwill, stand by reputational crisis management team How should the company organize its risk management efforts? Special committee? What should be the risk management roles and responsibilities? What role should management play? What should the reporting, analytical, and evaluation structures be? How does the company s understanding of risk square with the company s public disclosures? 16

18 33 Court Decisions Regarding Risk Management In re Caremark Int l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996) imposes affirmative duty upon Boards directors: Boards directors have an obligation to be reasonably informed of the risk to the company and cannot satisfy this obligation without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments... [I]t is important that the board exercise a good faith judgment that the corporation s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility. (emphasis added) 34 Court Decisions Regarding Risk Management In re Caremark Int l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996) imposes affirmative duty upon Boards directors: [A] director s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards. 17

19 35 Court Decisions Regarding Risk Management Stone v. Ritter, 911 A.2d 362 (Del. 2006) articulates basis for liability against directors who fail to discharge such duties: [T]he necessary conditions predicate for director oversight liability [are]: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention... [w]here directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith. 36 Court Decisions Regarding Risk Management However, In re Citigroup, Inc. S holder Derivative Litig., 964 A.2d 106 (Del. Ch. 2009) limits liability to directors who in bad faith knowingly or consciously disregard such duties: [T]o establish oversight liability a plaintiff must show that the directors knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act. The test is rooted in concepts of bad faith; indeed, a showing of bad faith is a necessary condition to director oversight liability. 18

20 37 Court Decisions Regarding Risk Management In re American Int l Group, Inc. Derivative Litig., 700 F.Supp.2d 419 (S.D.N.Y. 2010) further circumscribes the liability of directors: A plaintiff may not support a claim for liability based on the duty of oversight merely by identifying signs of general difficulty in the market in which the company participates and asserting that the defendants should be held liable for exercising their business judgment in a manner that appears to have been inconsistent with those indications.... Rather, a plaintiff must plead particularized facts showing that the directors knew they were not discharging their fiduciary obligations or demonstrated a conscious disregard for their responsibilities such as by failing to act in the face of a known duty to act. Furthermore, the duty to act in good faith to be informed cannot be thought to require directors to possess detailed information about all aspects of the operation of the enterprise. Such a requirement would simply be inconsistent with the scale and scope of efficient organization size in this technological age, and, accordingly, directors are entitled to rely on management to make managerial decisions. 19