On February 28, 2010, SEC Rule 33-9089 went into effect. Section C of the rule requires the Board of Directors to disclose details about the board’s roles in risk oversight. The SEC calls for organizations to describe how the function of risk oversight is administered in their organization, but doesn’t promote a particular ERM framework or structure. The SEC explains that the disclosure must include a description of risk oversight at the board level, whether it occurs through the entire board, the audit committee, or a separate risk committee.
Even though the new rule only requires disclosure about current practices and does not mandate a specific course of action, it indirectly promotes the adoption of best practices in risk management. Companies may also want to discuss policies related to risk identification, risk tolerance and management of risk vs. reward tradeoffs throughout their organization.
Companies need to understand the compensation, risk and governance policies and structures they have in place and determine if any best practice gaps exist. While the new rule offers some flexibility in the specifics to be discussed, companies should quickly plan how they intend to prepare the new disclosure, as there is little precedent in previous filings.