Maximizing Your Comp Risk AssessmentZoom inDownload PDF
At the height of the financial crisis, many believed that compensation policies and practices had contributed to the excessive risk-taking activity that had spawned the crisis itself. In response, the Securities and Exchange Commission (SEC) enacted new controls for the monitoring of compensation-related risk in February 2010, and public companies have engaged in compensation risk reviews each year since. Perhaps not surprisingly, few companies have identified compensation-related risks that are reasonably likely to have a material adverse affect on the company in the last three years. These findings highlight the fact that, in most cases, pay was simply an “enabler” (and not a “motivator”) of excessive risk-taking, and that such risk-taking was more often a function of weak controls and/or a culture that was too shortsighted.
However, there is a real possibility that the experience to date may lure companies into a false sense of security and complacency. History has shown that as memories of past risky behavior (and their consequences) recede, companies again tend to assume ever greater levels of risk in their search for higher yields and returns. Thus, the potential still remains that the wrong combination of economic factors, company cultures, weak controls, and poorly designed and/or managed compensation programs can again contribute to the unintended consequences which put companies and the overall economy at risk. For these reasons, we believe that the SEC’s controls remain as relevant today as they were three years ago, and companies need to ensure they continue to approach their annual compensation risk reviews with the same rigor as they approach their enterprise risk assessment processes.
The SEC’s 2010 rule-making mandated that companies disclose in their proxies a narrative discussion of compensation policies and practices as they relate to risk management. Under these regulations, companies are required to address compensation for all employees, including non-executive officers, if those policies and practices create risks that are reasonably likely to have a material adverse effect on the company. The rules were intended to provide an early warning about compensation programs, processes, or practices that might have unintended consequences and influence employee behavior in a way that could put the company at risk. Unfortunately, some companies have found less value in this exercise than others. Many companies have struggled to establish an effective process for assessing compensation risk, at times reverting to rote, “check the box” exercises rather than substantively addressing situations in which compensation might materially exacerbate business risks. Such cursory reviews often focus solely on the elements of compensation design rather than holistically evaluating supporting processes and practices and other cultural drivers of behavior that may adversely affect key business risks.
To fulfill the spirit of the SEC rules, we advocate applying a process that seeks a broader understanding of a company’s risks and how its compensation programs, processes, and practices could exacerbate them. To do so, we believe a road map is needed to construct a better compensation risk assessment process: one that starts with a company’s business risk assessment and flows to a holistic evaluation of both the compensation hardware (i.e., program design) and the software (i.e., the supporting processes and practices, such as goal setting, performance evaluation and the use of discretion). Engaging in a multidimensional process of this nature will foster a more comprehensive and thought-provoking conversation about the interplay between compensation and business risk.
As shown in Exhibit 1, effective risk assessment starts with a top-down review of the company’s potential for risk in a variety of areas, including financial, operational, regulatory and reputational. It then moves to a bottom-up assessment of how compensation programs may exacerbate a given enterprise risk.
Step 2 determines which, if any, enterprise risks could be exacerbated by the compensation program. This step delves more deeply into the design, mechanics and administration of the compensation program. It addresses all elements of the compensation hardware and software, including the internal controls and company culture that influence compensation decisionmaking. The review should focus on identifying any key risk factors inherent in each design element (e.g., pay mix, pay positioning, severance/change-incontrol provisions) and the degree to which those risk factors are mitigated by other aspects of the program. For example, significant leverage in the relationship between performance and pay can be mitigated by a cap on the maximum payout. These are best reviewed by creating an incentive plan inventory and then assessing the design features and characteristics of the plans. The inventory aids institutional awareness of the various active incentive plans and their overall characteristics and emphasis.
In its ruling, the SEC provided the following (nonexclusive) list of circumstances within a company to look for compensation policies and practices that could potentially create material risks to the company, but that might not be discovered in a review of the NEO programs only. These circumstances included:
- At a business unit of a company that carries a significant portion of the company’s risk profile
- At a business unit with compensation structured significantly differently than other units within the company
- At a business unit that is significantly more profitable than others within the company
- At a business unit where the compensation expense is a significant percentage of the unit’s revenues
- Where programs vary significantly from the overall risk and reward structure of the company, such as when bonuses are awarded upon accomplishment of a task, while the income and risk to the company from the task extend over a significantly longer period of time
As shown in Exhibit 3, once the plans have been inventoried, the review should go on to identify any key risk factors inherent in a given incentive plan and the degree to which those risk factors are mitigated by certain other design elements.
As noted below, a review of compensation design alone may not fully produce thoughtful and creative discourse on the manner in which the company’s processes, practices and culture may influence and affect risk. The result can be unaddressed risks like cultural influences and internal controls that create a potentially hazardous path forward.
Companies that have not completed a sufficiently well rounded assessment may find themselves exposed if they disclose that their compensation programs do not incur undue risk and cannot back up that claim. By establishing a multi-faceted compensation risk assessment that incorporates an evaluation of the business and compensation elements, processes and practices, companies can initiate a more comprehensive discussion on the topic of compensation risk and extract more value from the exercise. A holistic analysis as described above ensures the most obvious red-flags are addressed and the company’s environment and the controls encourage the intended and desired risk-taking behavior.
This article, written by Mark Emanuel and Blair Jones, originally appeared in NACD Directorship.