We are discussing Exchange Act Release No. 60280 (July 10, 2009), the SEC's recent set of rule proposals designed to improve disclosure in connection with the corporate governance process.

A significant portion of the release addresses the need to enhance disclosure of practices that relate to corporate risk taking. The current financial crisis arose in large part from excessive risk taking.  Excessive risk taking arose, at least in part, because of the executive compensation scheme (which encouraged short term profits) and the lack of affirmative obligations on the board of directors.

The latter was reaffirmed by the Delaware Chancery Court in In re Citigroup.  The case essentially exonerated directors from having any role in the oversight of systemic risk undertaken by a public company. The Chancery Court took the position that it would be a mistake to impose on directors the possibility of liability for failing to adequately assess risks within the company.

• To the extent the Court allows shareholder plaintiffs to succeed on a theory that a director is liable for a failure to monitor business risk, the Court risks undermining the well settled policy of Delaware law by inviting Courts to perform a hindsight evaluation of the reasonableness or prudence of directors’ business decisions. Risk has been defined as the chance that a return on an investment will be different that expected. The essence of the business judgment of managers and directors is deciding how the company will evaluate the trade-off between risk and return. Businesses—and particularly financial institutions—make returns by taking on risk; a company or investor that is willing to take on more risk can earn a higher return. Thus, in almost any business transaction, the parties go into the deal with the knowledge that, even if they have evaluated the situation correctly, the return could be different than they expected.

The amendments also, in a comply or explain fashion, effectively require constant monitoring of the relationship between risk and compensation.  Companies will be required to disclose the extent to which a company "monitors its compensation policies to determine whether its risk management objectives are being met with respect to incentivizing its employees."  This will effectively force companies to maintain a constant system of monitoring that presumably will result in notification if risk profiles in a large unit change.

In addition, however, the Commission has proposed additional disclosure requirements that related directly to the board's role in risk management. As the release noted:

• disclosure about the board’s involvement in the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. Given the role that risk and the adequacy of risk oversight have played in the recent market crisis, we believe it is important for investors to understand the board’s, or board committee’s role in this area. For example, how does the board implement and manage its risk management function, through the board as a whole or through a committee, such as the audit committee? Such disclosure might address questions such as whether the persons who oversee risk management report directly to the board as whole, to a committee, such as the audit committee, or to one of the other standing committees of the board; and whether and how the board, or board committee, monitors risk. We believe that this disclosure will provide key insights into how a company’s board perceives and manages a company's risks.

In exactly what the court in In re Citigroup refused to do, this will essentially force companies to define the role of the board in risk management.

The value of the disclosure will depend upon whether it is meaningful or evolves into boilerplate.  The boilerplate has long plagued the periodic reporting system.  The problem emanates from the lack of  a private right of action for violations.  Enforcement is, as a result, only as good as the effort the SEC is willing to devote.  Back in the 1990s, the Commission aggressively tried to improve disclosure in the MD&A, devoting considerable resources to the goal.  The approach met with limited success.  There have been no pure MD&A cases (those that do not otherwise involve fraud) in recent years, something that has not gone unnoticed to companies and practitioners in the area.  Without rigorous attention, the same will happen to disclosure of risk analysis in the CD&A and with respect to the role of the board of directors.