Item 407(h) of Reg S-K requires companies to disclose “the extent of the board’s role in the risk oversight of the [company], such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.” This Orrick memo says that the Staff issued three dozen comment letters last year asking companies to beef up their Item 407(h) disclosure. Based upon a review of those comments, the memo says the Staff expects to see the following common elements addressed in the risk oversight discussion:
1. Whether and why a company’s board would choose to retain direct oversight responsibility for certain material risks (particularly cybersecurity, ESG and sustainability-related risks) rather than assign oversight to a board committee;
2. The timeframe over which a company evaluates risks (e.g., short-term, intermediate-term, or long-term) and how a company applies different oversight standards based upon the immediacy of the risk assessed;
3. Whether a company consults with outside advisors and experts to anticipate future threats and trends, and how often it reassesses its risk environment;
4. How a company’s board interacts with management to address existing risks and identify significant emerging risks;
5. Whether a company has a Chief Compliance Officer, or person serving in a similar role, and to whom this position reports; and
6. How a company’s risk oversight process aligns with its disclosure controls and procedures.
Since these comments were so frequent last year, the memo recommends that companies review their board risk oversight disclosures and address any of the topics raised by the Staff in the comment process that aren’t already covered. In particular, the memo urges companies facing material cybersecurity risks or that have made public statements about climate-related risks to address the first element listed above.
– John Jenkins