Board Risk Oversight (PowerPoint, 5.2 MB)

RR Donnelley Fall 2008 SEC Hot Topics Seminar University of California, Irvine Board risk oversight


TRANSCRIPT

Page 1: Board Risk Oversight (PowerPoint, 5.2 MB)

RR Donnelley Fall 2008 SEC Hot Topics Seminar, University of California, Irvine

Board risk oversight

Page 2

April 10, 2023 RR Donnelley SEC Hot Topics Seminar – University of California - Irvine, September 10, 2008, Page 2

Agenda – Board risk oversight

► The legal foundation

► Advising management and the board

► Executing

► Questions and answers

Page 3

Disclaimer

► The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.

► Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

► No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Page 4

The legal foundation – Shayne Kennedy

Board risk oversight

Page 5

The legal foundation for board risk oversight

► Director Fiduciary duties

— In re The Walt Disney Co. Derivative Litigation (2005)

— In re Caremark International Inc. Derivative Litigation (1996)

— Board has an obligation to “exercise good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.”

► Federal and regulatory requirements

— Sarbanes Oxley Act of 2002

— “A few of the commenters urged us to adopt a considerably broader definition of internal control that would focus not only on internal control over financial reporting, but also on internal control objectives associated with enterprise risk management and corporate governance. While we agree these are important objectives . . . .”

Page 6

The legal foundation for board risk oversight

► Securities exchange listing standards

— NYSE

► “The audit committee should discuss the listed company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken.”

► Code of business conduct and ethics

► Federal sentencing guidelines

Page 7

TCB study: “Corporate directors may not be providing sufficiently robust risk oversight”

Source: June 6, 2006 News Release by The Conference Board

► Major study by The Conference Board (TCB)

► “Corporate directors could find themselves exposed to liability if they fail to keep pace with evolving best practices in Enterprise Risk Management”

— “Since ERM processes have improved, many directors could be functioning with a false sense of security”

► “Directors serving on multiple boards reported significant variations in the quality of the risk dialogue and fewer boards seem to have well established risk processes”

► Banks and insurance companies out front on Enterprise Risk Management

► “The Audit Committee is the sole repository for ‘risk oversight’ in 66% of companies; in 23% of companies this responsibility is shared with another committee”

► “The Role of U.S. Corporate Boards in Enterprise Risk Management” – www.conference-board.org

Page 8

Advising management and the board – John Ireland

Board risk oversight

Page 9

Management risk identification and reporting

► Company must regularly disclose the most significant factors that may adversely affect the issuer’s business, operations, industry, financial position, etc. – Item 503(c) Reg S-K

— Item 1A company risk factors – must be company-specific, not just generic/applicable to all businesses

► Management to set up company risk assessment/management framework (Board approves)

— Framework designed to identify/prioritize/mitigate/monitor and update/report enterprise risks

— Numerous possible frameworks and tools available to set up framework

— Consider tying into SOX Disclosure Controls framework – SOX 302

— Execs create company risk management tone which embeds risk management in all business decisions

— Enterprise-wide approach/no silo stove pipe approach

— M&A/new major contracts/new geographies/markets/business lines = new risks

— Export controls and new regulations

► Framework can emphasize rewards of proactive risk management approach

— Creates an open, informed continuous dialogue/creates consistency in the enterprise

— Can lead to competitive advantage, i.e. revenue

Page 10

Risk reporting and the board of directors – bottom up/top down

► Bottom up: Management reports to board

— Types of reports

► Verbal – at quarterly meetings/regular strategy sessions/interim ad hoc basis

► Written – dashboards/heat maps/scoreboards

— Present data in concise plain English/graphics or financial terms – easily understandable

— Report legal and non-legal risk/present risks in context of the enterprise – no silo approach

— Reporting frequency

► Regular and consistent

► Quarterly/annually/other

► Consider more frequent reporting on selected issues, not a one-time info dump

► Top down: Board’s direct involvement in risk assessment/management

— Board training:

► As to duties – board orientation/continuing board member education as part of corporate governance

► As to the company and its business – visits to company/review company publications

— Board interaction with executives:

► Facilitate regular meetings/interaction between board and management/customers/major vendors

Page 11

Executing – Bill Sacks

Board risk oversight

Page 12

Board risk oversight – Who oversees what risks?

► Financial reporting risks – Audit Committee oversight responsibility

► All other risks – Board/Board Committee oversight responsibility, until the risk poses financial reporting implications

Page 13

Overseeing the risk management process

► “Efficiency and effectiveness”:

— Assessing the right level of the right risk management capabilities at the right place at the right time

► Five key elements to assess:

— Risk governance

— Risk assessment and response

— Risk quantification and aggregation

— Risk monitoring and reporting

— Risk mitigation optimization

► Assessment levels:

— Board / Board Committee (“risk oversight” self-assessment criteria)

— Corporate (“entity-level”)

— Strategic business unit(s) / business unit(s) / functional units

► Clear accountability for managing risk at its source

Page 14

Several questions for the Board…

Strategy – Are we taking the right risks?

► “Portfolio view” – Do we know the significant risks we are taking?

► How are the risks we take aligned with our business objectives, growth strategies, and performance goals?

► Do the risks we take help us achieve competitive advantage?

► How are the risks we take related to activities that create stakeholder value?

► Do we have timely, relevant information about our KBRs to make better, more informed strategic choices?

Risk appetite – Are we taking the right amount of risk?

► Are we achieving a return that is consistent with our overall risk profile?

► Does our culture promote or discourage the right level of “on-strategy” risk taking behaviours and activities? Performance incentives?

► Do we have a defined, well communicated and understood organizational risk appetite? Tolerance?

► Is our risk appetite quantified both in the aggregate and per event occurrence?

► Is our actual risk profile consistent with our risk appetite?

► Is our capital sufficient to support our risk profile?

Capabilities – Are we effectively managing our risks?

► Do we have a common risk language?

► Is our risk management process “uniform”, aligned with our strategic decision-making process and key performance measures?

► Risk governance – Is there clarity of empowerment, boundaries/limits and accountabilities?

► Do we have the right levels of the right capabilities (P,P,T) for each KBR?

► Is our risk management process effectively monitored across the entire enterprise?

► Is our uniform risk management process cost efficient? Effective?

Page 15

Role of internal audit in ERM

Core internal audit roles in regard to ERM

► Giving assurance on the risk management process

► Giving assurance that risks are correctly evaluated

► Evaluating risk management processes

► Evaluating the reporting of key risks

► Reviewing the management of key risks

Legitimate internal audit roles with safeguards

► Facilitating identification & evaluation of risks

► Coaching management in responding to risks

► Coordinating ERM activities

► Consolidated reporting on risks

► Maintaining & developing the ERM framework

► Championing establishment of ERM

► Developing ERM strategy for board approval

Roles internal audit should not undertake

► Setting the risk appetite

► Imposing risk management processes

► Management assurance on risks

► Making decisions on risk responses

► Implementing risk responses on management’s behalf

► Accountability for risk management

Source: IIA UK and Ireland

Page 16

Example ERM and board risk oversight publications

Publishers and sources

► The Conference Board – www.conference-board.org

► National Association of Corporate Directors – www.nacdonline.org

► Ernst & Young LLP – www.ey.com

► Committee of Sponsoring Organizations of the Treadway Commission (COSO) – www.coso.org

► Financial Times Management Briefings – www.pearsoned.co.uk

Titles

► Risk Oversight: Board Lessons for Turbulent Times

► Emerging Governance Practices in Enterprise Risk Management

► Managing Risk Across the Enterprise

► Enterprise-Wide Risk Management

► The Role of U.S. Corporate Boards in Enterprise Risk Management

► Enterprise Risk Management – Integrated Framework

► Strategic Business Risk 2008 – The Top 10 Risks for Business

Page 17

Bill Sacks, Ernst & Young Advisory Services Partner

Email: [email protected]

Tel: +1 310 955 7453

The information contained herein “Board Risk Oversight” is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Questions and answers….

John D. Ireland, General Counsel/Senior Vice-President, Epicor Software Corporation

Email: [email protected]

Tel: +1 949 585 4225

Shayne Kennedy, Latham & Watkins LLP

Email: [email protected]

Tel: +1 714 755 8181