A Convergence of Risk Disclosure
Like many other people, last week I read the SEC’s new requirements for disclosure of climate change risks with a sense of trepidation. The more I studied them, however, the more I felt something else: a sense of déjà vu.
Like, has anybody else noticed how similar these disclosure requirements are to those that the SEC enacted last year for cybersecurity risks? Yes, the risks themselves are radically different; but what you need to disclose about how your company goes about assessing and managing the risks — that isn’t.
For example, here’s an excerpt from a fact sheet the SEC published last year for its cybersecurity disclosure rule:
[Companies must] describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant.
Now here’s an excerpt from another fact sheet the SEC published last week for its climate change rule. Companies will need to disclose…
Any processes the registrant has for identifying, assessing, and managing material climate-related risks and, if the registrant is managing those risks, whether and how any such processes are integrated into the registrant’s overall risk management system or processes… [and] the actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook.
Those two excerpts demand essentially the same thing from companies. They demand that you disclose how you assess a certain risk, and the material impacts that the risk might have on your business operations.
That’s not the only similarity. Here’s what each rule has to say about discussing board oversight:
Climate rule: [Describe] any oversight by the board of directors of climate-related risks and any role by management in assessing and managing the registrant’s material climate-related risks;
Cyber rule: Describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
Different risks, same disclosure requirements — because both rules care less about which specific risks a company faces than about how the organization goes about identifying, assessing, and managing them.
Implications for Board Governance
This convergence delights me because it points to a fundamental tension in corporate governance. Namely, how much should the board worry about specific problems the company experiences, and how much should it worry about systems to address problems in a disciplined way as those individual problems arise?
The easy answer is to say a board must worry about both, but striking that balance in practice is a lot harder. For example, if your business has a weak financial control somewhere, the board’s audit committee could end up spending two hours debating a solution with the external auditor, internal auditor, CFO, and chief accounting officer.
I don’t dismiss the importance of resolving a weak internal control, but given all the other issues that an audit committee is supposed to oversee — including systems for effective risk management, and potentially others such as corporate compliance or cybersecurity — is this really the best way for the board to organize its oversight duties?
That’s my point in noting these similarities between the climate change and cybersecurity disclosure obligations. They bring into sharp relief the need for boards to think carefully about how they are fulfilling their two duties: investigating specific troublesome incidents, and overseeing systems to assure that risks are managed properly.
Let’s go back to our overburdened audit committee. The whole board needs to bring some relief to those audit committee members. That could take the form of a risk committee, charged with overseeing issues such as climate change, supply chain, cybersecurity, adoption of artificial intelligence, and the like; issues that transcend the boundary between regulatory compliance and corporate strategy.
What I fear, however, is that boards will stuff that risk committee with the wrong sort of people, focusing on issues rather than oversight. That is, the risk committee will end up consisting of a climate expert, a cybersecurity expert, a technology expert, a corporate culture expert — but not enough people who are experts on risk assessment and risk management.
Yet, go back and look at those converging requirements for climate and cybersecurity risk: expertise in risk management is what boards will need. They will need an ability to ask sophisticated questions of management. They will need to push management for more clarity about what it has done to identify risks facing the business, and whether the systems to manage those risks are sufficient.
Risk on the Corporate Side
I also wonder what these increased disclosure burdens mean for in-house executives. How are you going to develop systems that assess such a diverse range of risks, and how will you assure that the information those systems generate is collected and boiled down into something that passes muster with the SEC?
For example, I’m sure the CISO already has at least some capability to assess cybersecurity threats — but who defines the threshold for materiality of those threats? Does the CFO define them in dollar terms? Does the compliance officer define them in some sort of qualitative way, since a financially immaterial incident could still suggest qualitative weaknesses that might lead to regulatory enforcement?
Now let’s pivot to climate change risks. Does anyone have a good sense of how to assess those within your organization? Does your company even have someone assigned to assess those risks at all? (As one chief compliance officer at a multi-billion dollar company told me last week, “I don’t know who does this. Crap. That means it’s me, doesn’t it?”) Does the chief sustainability officer tackle this, or does that person stick mostly with reducing carbon footprints and fostering strong ESG awareness in business practices? And we still have all those questions about what the materiality threshold would look like here.
So I’m starting to wonder whether internal auditors or chief risk officers might soon find themselves tasked with building better, more universal systems to collect information about risk — a grand unified theory of risk assessment, so to speak. Those executives, in turn, will need to work closely with legal and the corporate secretary to be sure that whatever information is collected is accurate and useful enough to go into the 10-K.
If we don’t start thinking in those terms, companies could end up with corporate disclosure contraptions that do nobody any favors: heavily siloed systems, duplicative processes, and too much information conveying too little insight to investors. Worse, you might end up disclosing misleading information, and four years later you’re in a press release from the SEC Enforcement Division.
Filed under: convergence confusion.