Many companies struggle to adopt spirit of amended SEC risk disclosure rules
Deloitte* and USC's Leventhal School of Accounting's Risk Management Program
2020 was a year of unprecedented risk and uncertainty for societies and companies around the world. A global pandemic and economic downturn, social and political upheaval, and ongoing technology-driven disruption created a very challenging environment in which executives were required to identify, assess, and manage risks. In the United States, this coincided with the Securities and Exchange Commission’s (SEC) adoption of amended risk disclosure rules for registrants, requiring additional clarity, insight, and candor in the identification and communication of risks to investors and other stakeholders.
Deloitte and the Risk Management Program at the University of Southern California’s Leventhal School of Accounting have collaborated on an initial study of risk disclosures filed by Standard & Poor’s (S&P) 500 companies under the revised rules. Although still early in the annual reporting season, a number of trends have been identified in these disclosures and are outlined in this article. Following completion of the annual reporting season, a broad analysis of S&P 500 risk disclosures, including breakdowns by size of company, industry, and other demographics, will be published.
Changing risk disclosure rules
As part of its Disclosure Effectiveness Initiative, the SEC amended the requirements governing the disclosure of risks in SEC filings.1 Effective on November 9, 2020, these amendments sought “to address the lengthy and generic nature of the risk factor disclosure presented by many registrants.”2 The SEC promulgated the amendments to “improve the readability of disclosure documents as well as discourage repetition and the disclosure of information that is not material.”3 The SEC made three specific changes:
- Risk summaries are required for long disclosures. If a risk disclosure exceeds 15 pages, companies must include a summary of “concise, bulleted or numbered statements”4 of their risks (which should not be longer than two pages) to “enhance the readability and usefulness.”5
- Companies must now disclose “material” risks. “Material” refers to risks “to which reasonable investors would attach importance in making investment or voting decisions.”6 Previously, companies were required to disclose their “most significant” risks, a term which was not defined. Determining which risks are material is intended to be left to each company’s judgment, a “principles-based, registrant-specific approach.”7 The intent is to address the increasing “length of risk factor disclosures and the number of risks disclosed” by limiting the disclosure to only material risks.8
- Companies must organize risks under relevant headings. In an attempt to improve the organization and readability of risks, companies must group related risks under headings, and segregate generic risks that could apply to any company under a section titled “General Risk Factors.”
Analysis of rules adoption
To assess the adoption of the amended requirements, risk disclosures from the annual reports filed as of February 10, 2021 by 88 S&P 500 companies have been reviewed, and all findings are based on the analysis of the 88 companies’ filings.9 Through this analysis, a number of trends, suggested practices, and learnings have been identified that may assist in the annual report filing process for companies moving forward. Key findings are as follows:
- Number of pages and number of risks did not decrease as anticipated.
  - 89% of companies actually increased the number of pages. The average number of pages is now 13 per company, up from 12 before the amendments.
  - 73% of companies also increased the number of listed risks, for an average of 30 risks per company compared to 29 before the amendments.
- Most companies did not need to include a risk summary, and most who did only included risk sub captions.
  - Although the SEC estimated that 40% of registrants would exceed the 15-page threshold and require a summary,10 only 17% of companies reviewed fit into this category.
  - Twelve summaries consisted of a bulleted list of all or most of the risk sub captions (often verbatim), rather than including a prioritized list as suggested by the SEC.11
  - Three companies did prioritize their risks, which led to a more effective summary. One company mentioned less than half of its risks in the summary and set forth short bullet points capturing the gist of, rather than repeating verbatim, sub captions.
- Risk headings are being used, but they are often very generic.
  - 55% of companies began using headings for the first time and, of the 40 companies previously using headings, 24 increased the number of headings used. One company did not comply with the requirement.
  - The average number of headings per company was five and the average number of risks per heading was seven, although some headings contained as many as 41 risks.
  - The most common heading categories were variants of business, operational, industry, strategic transactions, legal, regulatory, cyber, intellectual property, COVID-19, indebtedness, common stock, and economic risks.
  - 39% of companies used a “general risks” heading, contrary to the SEC’s advice.12
- COVID-19 risk disclosures were extensive, which is in line with the SEC’s guidance.
  - All but one company included at least one stand-alone COVID-19 risk disclosure responding to the SEC’s April 2020 COVID guidance, which urged companies to disclose financial and operational impacts and “as much information as is practicable.”13
  - Stand-alone COVID-19 risk disclosures ranged from one-fifth of a page to five pages, and 72% of companies also mentioned COVID-19 in at least one other risk. Seven companies included COVID-19 in 12 or more other risks.
  - Although these extensive disclosures may have increased page length and number of risks from last year, even when excluded, there has been no net decrease in the average page length or number of risks.
Recommended leading practices
- Align enterprise risk management and external reporting activities. There is a natural tension between the need to maintain the confidentiality of competitively sensitive information about unique and specific risks faced by a company and the obligation to comply with SEC regulations and investor expectations regarding risk disclosures. Close collaboration between the enterprise risk management (ERM) or equivalent function, responsible for identifying, assessing, and managing material risks to the company, and the external reporting function, responsible for meeting regulatory and investor expectations, is recommended. This could result in closer alignment of internal risk registers with external risk disclosures and enable a company to meet the SEC’s expectations for “disclosure that is more in line with the way the registrant’s management and its board of directors monitor and assess the business and therefore would be easier for registrants to prepare using existing metrics and reporting mechanisms.”14 One company did follow this approach and outlined in its disclosure the alignment of its ERM process with its risk disclosure reporting, including compliance with the Committee of Sponsoring Organizations’ (COSO) ERM standards.
- Avoid listing generic risks. Including boilerplate, generic risks, or risks that could apply to many businesses operating in the same industry does not provide an investor with a sense of whether an investment in the company is “speculative or risky.” Wherever possible, a company should avoid inclusion of these risks. In those instances when use of a generic business risk is necessary, a company should follow the SEC’s recommendation to tailor the risk so that it highlights areas that are unique to the company, and avoid using a “General Risk Factors” section.15
- Use specific headings to improve readability and usefulness. Organizing risks into headings allows a reader to better understand a company’s systemic and linked risks, and to better compare the risks of one company to another. Headings should be specific enough that grouped risks have true connections, and should not include more than seven risks. Used properly, the headings can improve the readability and usefulness of the disclosure and offset the challenges posed by lengthier disclosures, in line with the SEC’s expectations.16
- Develop summaries to prioritize risks. The use of summaries can also improve readability and usefulness, and a company should consider including a summary even when not required. Rather than simply setting forth a bulleted list of risk sub captions, the summary should seek to highlight a subset of the most critical risks as the SEC has encouraged.17 A company can also organize its summary around the headings, with a general description of the types of risks under each heading and their impact upon the company.
Taken together, these early filings indicate that the revised rules have not resulted in a dramatic change to risk disclosures. Whether this trend will change as more companies file, or whether this result is directly tied to the risk events of this year and will shift in future years, is yet to be seen and will be considered in future analyses.
* As used in this document, “Deloitte” means Deloitte & Touche LLP, which provides audit and risk advisory services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
1. Securities and Exchange Commission, Final Rule: Modernization of Regulation S-K Items 101, 103, and 105, Release No. 33-10825 (Aug. 26, 2020) [85 FR 63726 (Oct. 8, 2020)] [hereinafter Final Rule].
2. Id. at 63742.
3. Id. at 63726.
4. Id. at 63761, §229.105(b).
5. Id. at 63743.
6. Id. at 63744.
7. Id. at 63727.
8. Id. at 63744.
9. This review did not include analysis of risk disclosures in other SEC filings, such as Forms S-1, S-3, S-4, S-11, 1-A, and 10.
10. Final Rule at 63744.
11. Id. at 63743 (“We believe that imposing a page limit on the risk summary should lessen the burden of preparing the summary and also act as an incentive for registrants to give due consideration to the risk factors that are material to investors. Because the risk summary is not required to contain all of the risk factors identified in the full risk factor discussion, registrants may prioritize certain risks and omit others.”).
12. Id. at 63761, §229.105(a) (“The presentation of risks that could apply generically to any registrant or any offering is discouraged, but to the extent generic risk factors are presented, disclose them at the end of the risk factor section under the caption ‘General Risk Factors.’”).
13. Jay Clayton, Chairman, Securities and Exchange Commission, and William Hinman, Director, Division of Corporation Finance, SEC, The Importance of Disclosure–For Investors, Markets and Our Fight Against COVID-19 (Apr. 8, 2020), available at https://www.sec.gov/news/public-statement/statement-clayton-hinman. Note that Clayton and Hinman mentioned that their statement was not a “rule, regulation, or statement of the SEC.” See also Division of Corporation Finance, SEC, CF Disclosure Guidance: Topic No. 9A (June 23, 2020), available at https://www.sec.gov/corpfin/covid-19-disclosure-considerations.
14. Final Rule at 63748.
15. Id. at 63746 (“[W]e encourage registrants to tailor their risk factor disclosures to emphasize the specific relationship of the risk to the registrant or the offering and therefore avoid the need to include the risk under the general risk heading.”).
16. Id. at 63746 (“Amended Item 105 will require registrants to organize their risk factor disclosure under relevant headings…We believe that requiring this type of organization for all registrants will improve the readability and usefulness of this disclosure.”).
17. Id. at 63743 (“Because the risk summary is not required to contain all of the risk factors identified in the full risk factor discussion, registrants may prioritize certain risks and omit others.”).
Copyright © 2021 Deloitte Development LLC. All rights reserved.