Comment Letter Trend: SEC Seeks Expanded Discussion of Board’s Role in Risk Oversight


During 2022 the SEC issued at least 36 comment letters requesting expanded discussion about the board’s role in risk oversight. We summarize below the basic requirements of this disclosure and the most common new elements requested by the SEC through its comment letters issued during 2022. We encourage all issuers to consider these elements as they prepare for the 2023 proxy season.

As required by Item 407(h) of Regulation S-K, proxy statements addressing the election of directors must contain a discussion about “the extent of the board’s role in the risk oversight of the [company], such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.” In the 2009 adopting release for Item 407(h), the SEC provided the following additional guidance:

This disclosure requirement gives companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example. Where relevant, companies may want to address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals.”

Our review of the comment letters issued during 2022 requesting expanded Item 407(h) disclosures suggests the SEC now also expects a discussion of the following common elements:  

  1. Whether and why a company’s board would choose to retain direct oversight responsibility for certain material risks (particularly cybersecurity, ESG and sustainability related risks) rather than assign oversight to a board committee;
  2. The timeframe over which a company evaluates risks (e.g., short-term, intermediate-term, or long-term) and how a company applies different oversight standards based upon the immediacy of the risk assessed;
  3. Whether a company consults with outside advisors and experts to anticipate future threats and trends, and how often it reassesses its risk environment;
  4. How a company’s board interacts with management to address existing risks and identify significant emerging risks;
  5. Whether a company has a Chief Compliance Officer, or person serving in a similar role, and to whom this position reports; and
  6. How a company’s risk oversight process aligns with its disclosure controls and procedures.

Given the frequency of these comments over the past year, issuers should consider addressing the above elements in their discussion of the board’s role in risk oversight. Companies with material cybersecurity risk or with publicly made statements about climate risks should take particular care to address the first element listed above with respect to those types of risks in their discussion of the board’s role in risk oversight.