Remember back in 2020, when the SEC adopted major amendments to Reg S-K designed to modernize the descriptions of business, legal proceedings and risk factors? You might recall that the SEC had long grumbled about “the lengthy and generic nature of the risk factor disclosure presented by many registrants”; to address that concern, the SEC instituted a number of requirements and “incentives” to encourage companies to be, um, more succinct. (See this PubCo post.) Among these changes were a new requirement to include a risk factor summary if the risk factor section exceeded 15 pages and changing the disclosure standard from “most significant” factors to “material” factors. In addition, because the SEC considered untailored, generic risks to be less informative and to contribute to increased length, it sought to discourage their use by requiring companies to organize the risk factors under relevant headings, with generic risk factors located at the end under a separate caption, “General Risk Factors.”

So how’d that go? Did the rule changes achieve their purpose? Apparently, not so much—at least not at the largest public companies—according to this paper, published on the Harvard Law School Forum on Corporate Governance, from a group of authors from Deloitte and the USC Marshall School of Business. The authors also drilled down more specifically on risk factors related to climate change, where the increase in prevalence was dramatic (and probably also contributed to the increased length of risk factor sections in general).

The authors conducted several analyses of the risk factor disclosures in annual reports filed by 439 companies in the S&P 500 between November 9, 2020, the effective date of the amendments to the rules regarding risk factors, and May 20, 2022. The authors found that the number of pages devoted to risk factors has actually increased, not decreased as the SEC had intended, with an average number of pages of almost 13.5 per company, an increase from about 12 before the amendments. According to the authors, 77% of companies increased the number of pages in year one and 60% increased the number from year one to year two.  The industry sectors averaging the longest sections were health care, financial, real estate and tech. The average number of risk factors per company also increased, from around 30.5 prior to the amendments to over 31 at year two. The authors concluded that the “change from disclosure of ‘most significant’ to ‘material’ risk factors under the revised rules seemed to have no impact on the average number of risk factors.”

Of course, as the authors observed at the outset, the last couple of years have witnessed a number of events exacerbating the global risk environment: the worst global pandemic in 100 years, the worst armed conflict in Europe since WWII, supply chain issues, geopolitical tensions and domestic conflict, not to mention inflation, climate change, cybersecurity incidents, and so on, all of which, some would contend, had something to do with the data above.

At the time of adoption, the SEC estimated that 40% of registrants would exceed the 15-page threshold and require a summary. Although the authors’ sample was limited to the S&P 500, they found that only 19% of companies included in the study presented more than 15 pages of risk factors in the first year of implementation, with 21% including a summary, and 21% of companies presented more than 15 pages in the second year of implementation, with 23% including a summary. The authors found that nine companies did not exceed the 15-page threshold but included a summary anyway.

With regard to headings, which the SEC had advocated as a way to improve readability, the authors found that companies used an average of five headings, with an average of six risks under each heading.  However, the authors observed, there was some resistance:  “over 75 companies included 20 and up to 45 risk factors under one heading, clearly not meeting the SEC’s expectations of headings improving ‘readability.’” And, notwithstanding the SEC’s admonition discouraging the use of risks that could apply generically to any registrant or any offering, the authors found that a third of companies used a “general risk factors” heading.

Climate risk factors. Some of the additional length amassed by companies in their risk factor sections was likely attributable to a new emphasis on climate-related risks, a development that gave the authors the opportunity to take a deep dive on climate-related risk factors. While they found that, prior to the release of the SEC’s proposal on climate disclosure in March 2022 (see this PubCo post, this PubCo post and this PubCo post), companies’ climate-related risk factors were consistent with the topics highlighted in the SEC’s 2010 Guidance Regarding Disclosure Related to Climate Change (see this PubCo post), this reporting season, after the release of the proposal, the authors found the change in quantity and substance to be “striking.”

Under the SEC’s proposal, a company would be required to disclose “any climate-related risks reasonably likely to have a material impact on the registrant’s business or consolidated financial statements.” “Climate-related risks” are broadly defined as “the actual or potential negative impacts of climate-related conditions and events on a registrant’s consolidated financial statements, business operations, or value chains, as a whole. ‘Value chain’ would mean the upstream and downstream activities related to a registrant’s operations.” Risks can refer to physical risks (e.g., fires, hurricanes, sea level rise, drought and floods, including both “acute and chronic risks to a registrant’s business operations or the operations of those with whom it does business”) and transition risks, meaning “the actual or potential negative impacts on a registrant’s consolidated financial statements, business operations, or value chains attributable to regulatory, technological, and market changes to address the mitigation of, or adaptation to, climate-related risks.” (Market changes can include changing consumer, business counterparty and investor preferences.)

According to the authors, the “number of new stand-alone climate-related risk factors soared this past reporting season,” with about 150 companies in the study adding at least one new stand-alone climate-related risk factor. The authors also reported that “[t]wo companies added three stand-alone risk factors each, another 16 companies added two each.” Among industry sectors, 28 companies in the Financial sector added new stand-alone climate-related risk factors, the most in any sector, followed by Consumer Discretionary and Industrials at 22 companies each and Healthcare at 18. Twelve companies in the Energy sector added new stand-alone climate-related risk factors, representing more than half of the companies in that sector, while only 13 companies in the Information Technology sector added these risk factors, representing less than a quarter of the companies in that sector.

Almost half of the companies adding new stand-alone climate-related risk factors described both transition and physical risks, over 45% described only transition risk, and approximately 5% described only physical risk, the authors report. With respect to transition risk, over 75% of companies included cautionary language warning that they may not achieve their sustainability goals or otherwise meet “regulatory, investor, consumer, and/or other stakeholder expectations” (although the authors note that the language often also included other ESG goals).

Based on prior research (including SEC staff analysis), the expectation was that the risk factors for most companies would focus on transition risk and pay less attention to physical risk.  As a result, the authors’ finding that 55% of the 150 companies included risk factors addressing physical risk was considered “noteworthy. Of those companies, over 60% disclosed both acute and chronic risks, over 30% disclosed only acute risks, and over 7% did not specify acute or chronic risks.”

The authors advised that companies should “consider integrating their risk factor disclosure process, including their climate related risk disclosures, into their ERM reporting processes and dynamic risk programs. Not only would this contribute to meeting the SEC’s expectations about integrated climate-related risk reporting, but also meet the SEC’s goals set forth in the amended risk factor disclosure requirements of ‘disclosure that is more in line with the way the registrant’s management and its board of directors monitor and assess the business.’”  They also recommended that companies “bring more specificity to headings,” by relying on their “internal taxonomies used to catalogue risks for their ERM or risk reporting to management and boards of directors.”

Posted by Cydney Posner