Shareholder bill of rights

A slew of recent regulatory changes is giving corporate management much to consider as companies scramble to keep up with the new rules. If Senator Charles Schumer’s Shareholder Bill of Rights gets signed into law, however, this will be just the tip of the iceberg.

If passed, Schumer’s bill would provide for, among other things, proxy access, the end of staggered boards and widespread shareholder say-on-pay votes. While most executives, officers, directors and investors are well versed in the bill’s language and the headline governance issues it addresses, there is a growing focus on a more obscure aspect of the proposed legislation: the mandate that boards establish a separate risk committee.

In introducing the bill, Schumer explained that it is needed to help curb the types of ‘excessive risk taking’ and ‘runaway’ executive compensation that caused the financial crisis. ‘Today, the oversight of how companies manage their risk is most often a responsibility of the audit committee, which has enough responsibilities already without also having to focus on risk,’ he said. ‘The creation of separate risk committees means boards will never again be able to say they did not understand the risks the firms they oversee were taking.’

The best structure for a board has long been a matter of debate and this proposal will, no doubt, add fuel to the argument. Varying approaches to board oversight and different corporate structures have led to a wide variety of board structures. Many consider risk oversight as a whole-board responsibility; others place the burden on the audit committee. Now companies and those who advise them are faced with the potential of proscribed rules, and it is raising concern. ‘The most widespread reaction to Schumer’s proposal is that he is needlessly imposing a one-size-fits-all solution on a problem that doesn’t really exist,’ says John Healy, a corporate partner at Clifford Chance.

A fix in search of a problem
Healy can’t point to any empirical evidence – at least outside the financial services sector – that boards failed in their responsibility to monitor risk. Even within the financial services sector, it may be unfair to attribute failures to board governance issues. If financial services executives and their regulators didn’t see or couldn’t work out the magnitude of the risk they were taking with mortgages and derivatives, would a board committee spot it? ‘It’s a fix in search of a problem,’ Healy says.

Wachtell Lipton Rosen & Katz partners Martin Lipton and Theodore Mirvis, writing together with Harvard Business School professor Jay Lorsch on the Harvard Law School Forum on Corporate Governance and Financial Regulation, also say they oppose federal mandates proposed in the Schumer bill. ‘Getting corporate governance correct requires attention to all its aspects. It is ill served by hard and fast rules imposed on certain points (like ending all classified board structures, separating CEO-chairman positions at all public firms, mandating the creation of yet another committee at all public companies),’ they write in a May piece entitled ‘The proposed Shareholder Bill of Rights Act of 2009’.

Still, the Schumer bill has its supporters: the AFL-CIO, AFSCME, CalPERS, the Council of Institutional Investors, Nell Minow of the Corporate Library, the Service Employees International Union, and pension funds in Colorado, Connecticut, Massachusetts, New York and New Jersey have all acknowledged their backing. Maria Cantwell, a Democratic senator from Washington, is Schumer’s co-sponsor.

Who owns risk?
The National Association of Corporate Directors (NACD) reports that, typically, the role of risk oversight is placed within the audit committee. According to the NACD’s 2008 Public Company Governance Survey, 66.7 percent of companies assign the majority of risk-related tasks directly to the audit committee. Currently, one in four companies uses the full board for risk oversight, while 6 percent have appointed a risk committee, the survey says.

How the risk management function is discharged varies by sector and the resources companies have on their board. Some say specific direction would be superfluous and burdensome, particularly for small companies. Healy takes the case of a single-product biotech company focused on two main risks: that its product doesn’t work, or doesn’t get FDA approval. ‘It wouldn’t need a separate risk committee to stare at the problem,’ he explains. ‘Its whole existence is built around managing its way around those two risks.’

Larger companies with more complicated risk profiles would also need flexibility in managing oversight. The Schumer bill specifies that the risk committee should comprise independent directors, but Healy says these might not necessarily be the best people to oversee risk; he wouldn’t want to exclude people with current or former ties to the company. In any case, formalizing Kenneth Daly, president and CEO of the NACD, notes that requiring specialization may encourage the thinking that risk is only a risk-committee issue. In reality, the range of risks facing a company requires a mix of skills from across the board. Ideally, Daly would have a company run through its entire risk profile, and then have the nominating and governance committee parcel out responsibilities to smaller committees before bringing all issues back to the entire board. ‘Risk management is a team sport,’ he says.

At the NYSE’s risk summit in June, Xerium Technologies’ chairman, president and CEO Steven Light described how broad the risk conversation is at his company. When he took over as CEO in early 2008, Light said he started the conversation by asking each board member what keeps him or her up at night. He expanded the interviews to officers of the company, outside counsel, auditors and customers. They identified 19 chief risks and prioritized them by the impact they could have on the company, their estimation of the company’s actual vulnerability to them and the speed at which they could happen. Xerium’s seven-member board reviews risk together, studying one significant risk per board meeting, says Light.

Daly fears mandating the role will lead to qualified people missing out on risk discussion, thus increasing the chance the board will incorrectly manage risk. What is necessary is someone with a good business mind, who knows the company and its industry, sees how corporate strategy, personnel and incentive systems fit together, and ‘has a good feel for aberration,’ Daly says. ‘No one person will have it all.’

Shareholders getting the job done
Investors may be moving faster to rein in companies that don’t get the mix right. Their pressure forced Citigroup to nominate three new directors recently. Facing criticism that long-standing board members allowed Citigroup to move too deeply into high-risk businesses, the financial services company announced plans to add as directors Diana Taylor, the former superintendent of banks for the New York State Banking Department; Timothy Collins, CEO of Ripplewood Holdings; and Robert Joss, dean and professor at the Graduate School of Business at Stanford University. The Treasury Department, as part of its bailout and turnaround of General Motors, also made over GM’s board, naming five new directors in July.

All the controversy around risk management is spurring discussion and study in governance circles. The NACD has convened a Blue Ribbon Commission to provide guidance to boards on managing risk oversight. Its 33 members comprise public company board members, management, shareholders, subject matter experts such as risk consultants, legal and governance advisers, and academics. Among them are chairman William Fallon, a retired US Navy admiral; Theodore Dysart, managing partner with Heidrick & Struggles; Cynthia Fornelli, executive director of the Center for Audit Quality; and Holly Gregory, a partner at Weil Gotshal & Manges. It is due to report in October, Daly says.

SEC action
Schumer’s call for separate risk committees may be muted by the SEC’s recent move to require more disclosure around risk. In July it proposed amendments to enhance compensation disclosure, building on requirements it passed in 2006. Under new rules, the SEC would broaden the scope of the compensation, disclosure and analysis (CD&A) section of proxy statements to include more information about how the company’s compensation programs could encourage excessive risk taking. This analysis would apply not only to the top officers of the company, but also to any employee in a unit of the company that carries a significant portion of the company’s risk profile.

The SEC is also asking for additional information about the board’s role in the company’s risk management process. ‘Similar to disclosure about the leadership structure of a board, disclosure about the board’s involvement in the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company,’ the proposed rules say.

Companies would naturally prefer to tackle the risk management issue via disclosure rather than face a mandate on how to build boards, but with so much crisis legislation coming forward, there hasn’t been too much obvious push-back on the board risk committee proposal yet. ‘Is this the one they want to use up their chips on? Probably not,’ Healy says.

For Benjamin Heineman, counsel to WilmerHale, it has been no surprise that the government is stepping in with a heavy hand to force corrections. New safety and soundness regulation for the banking sector, such as closer scrutiny of leverage and collateral requirements, and perhaps rating agency reform, is appropriate, he says. But companies could avoid inapposite reforms, such as specific board requirements, if they step forward themselves to demonstrate they are making internal corrections.

In the aftermath of the financial crisis, Heineman says he hasn’t heard enough from the corporate side as to what went wrong at their companies and how leaders will go about fixing problems. Companies could go far toward restoring investor confidence if they demonstrate that how they select, compensate and monitor the CEO promotes a good risk-reward balance.

Such a forthright discussion might not stop government action, but at least it could shape reforms that are more nuanced and less punitive. ‘The real solution is going to be inside the corporation,’ Heineman says.