During 2022, the SEC issued at least 36 comment letters requesting expanded discussion of the board’s role in risk oversight. We summarize below the basic requirements of this disclosure and the most common new elements the SEC requested in those comment letters. We encourage all issuers to consider these elements as they prepare for the 2023 proxy season.
As required by Item 407(h) of Regulation S-K, proxy statements addressing the election of directors must contain a discussion about “the extent of the board’s role in the risk oversight of the [company], such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.” In the 2009 adopting release for Item 407(h), the SEC provided the following additional guidance:
“This disclosure requirement gives companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example. Where relevant, companies may want to address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals.”
Our review of the comment letters issued during 2022 requesting expanded Item 407(h) disclosures suggests the SEC now also expects a discussion of the following common elements:
Given the frequency of these comments over the past year, issuers should consider addressing the above elements in their discussion of the board’s role in risk oversight. Companies with material cybersecurity risk, or that have made public statements about climate risks, should take particular care to address the first element listed above with respect to those types of risks.