Increased Risk Reporting Requirements: 5th Webinar with ecoDa and AIG


Upload: ferma

Post on 11-Apr-2017


TRANSCRIPT

Daniel Lebègue Chairman of the Board Transparency International (French section)

Dr. Alexandra Lajoux Chief Knowledge Officer Emeritus NACD

Eric Miller Head of Tax Advisory EMEA AIG

Helle Friberg FERMA Board Member

THE EUROPEAN CONFEDERATION OF DIRECTORS ASSOCIATIONS - AVENUE DES ARTS 41 - BRUSSELS 1040

Joint webinar with ecoDa/AIG and FERMA

2 Days of Professional Development for European Directors

“Increased Risk Reporting Requirements”

9 March 2017

Daniel Lebègue, Chairman of the Board of the French section of "Transparency International"


From financial reporting to shareholders to integrated reporting to all the stakeholders

Integrated reporting: financial and non-financial (CSR, for example climate change, prevention of corruption, human rights)

Increased requirement from investors (SR asset managers, pension funds, sovereign funds)

Reporting required more and more by the different stakeholders of the company: employees, clients, business partners, NGOs, public entities


Accountability / reputation: the most valuable asset for a company

(for everybody, in fact!)


Are there limits to transparency?

Yes!

Protection of private life (for clients, employees)

Secret of production, research

What about strategy?

NACD Advancing exemplary board leadership

Alexandra Lajoux Chief Knowledge Officer Emeritus

National Association of Corporate Directors (NACD)

To coin shorthand for today, we can call them “government” vs. “governance”

• The first term implies mere compliance (complying with laws, rules, or listing requirements).

• The second term refers to practices in the private sector intended to complement such rules (practices called variously voluntary, best, leading, aspirational or recommended practice).

NACD reports on government requirements but also fosters better governance.

“In the U.S., we are slowly moving from an age of compliance (ensuring disclosures on material issues are made) to an age of transparency (where as a result of technology, consumer activism and the primacy of ethics) where corporate (bad) behaviors and practices are almost instantaneously exposed and can severely damage reputation. Corporations can no longer control their reputation, they really have to earn it.”

Friso van der Oord, Director of Research, NACD, March 3, 2017

Today’s talk will encompass both “government” and “governance”.


Origins of U.S. risk reporting

“Government”

• In the U.S. we have both federal and state governments, each of which has a legislative, executive, and judicial branch. Each and all are potentially important with respect to risk reporting.

– At the federal level, we have federal laws, which with respect to business tend to apply to all companies that are large (e.g., 50 employees or more) or publicly owned (e.g., registered with the Securities and Exchange Commission). Federal law comprises national statutes passed by Congress; federal regulations promulgated by federal agencies enforcing or promulgating those laws (including both agencies controlled by the executive branch and independent agencies such as the Securities and Exchange Commission [SEC], which promulgates rules relating to various laws, including most notably the 1933 Securities Act and 1934 Securities Exchange Act, pertaining to the sale and exchange of securities, respectively, and which oversees our stock exchanges); and, within specific boundaries, executive orders. We also have federal courts that interpret federal laws and of course the U.S. Supreme Court, the final arbiter, based on Constitutional law. The most well-known risk reporting rules (as discussed later) are federal, and stem from language in the 1933 and 1934 Acts (as amended), and the Sarbanes-Oxley Act of 2002.

– At the state level, there are state laws, including most generally corporation statutes enshrining duties of loyalty and care, which are continually interpreted by courts – notably Chancery Court of Delaware, one of the few states that has a Chancery Court of equity for business. Under ordinary circumstances, corporations (including most financial institutions) are chartered by states, which may also have industry-specific laws, especially in industries such as insurance. Commercial banking is particularly complex, with different federal agencies enforcing capital standards for state-chartered banks and bank holding companies (FDIC, Federal Reserve) vs. nationally chartered banks (OCC).

– The 1996 Caremark decision from the Delaware Chancery Court stated that directors needed to ensure an adequate system of compliance and reporting.

– The current initiative to dismantle Dodd-Frank (2010) is focused on both banking provisions (via executive orders to review regulations, relying on laws allowing this); and on governance provisions such as pay ratio, now under review (under Acting SEC Chair Michael Piwowar). It is not likely that there will be a rollback of any rules pertaining to risk committees or risk reporting.


“Government” (continued)

• Risk reporting rules and expectations are many and diverse, and stem mostly from the above-mentioned laws, i.e., 1933 and 1934 Acts; Sarbanes-Oxley (2002); Dodd-Frank (2010), and related listing requirements of the two main exchanges, the New York Stock Exchange and Nasdaq. Here are some important rules in chronological order (all are still in force).

– All public companies must produce annual reports filed on Form 10-K that include a Management’s Discussion and Analysis of Financial Conditions and Results of Operations (MD&A) listing known risks. Origin: Regulation S-K under the 1933 and 1934 acts, as amended. Comment: Most MD&As today are extremely comprehensive (listing every single conceivable risk for fear of violating federal law) but some complain that they list too many risks, accusing them of being boilerplate and failing to prioritize risks.

– On June 29, 2016, The U.S. Department of Treasury and its Internal Revenue Service (IRS) released for publication in the Federal Register final regulations (T.D. 9773) that require annual country-by-country reporting by “certain U.S. persons that are the ultimate parent entity of a multinational enterprise group that has annual revenue for the preceding annual accounting period of $850 million or more.”

– Audit committees of companies listed on the NYSE have a duty to “discuss policies with respect to risk assessment and risk management.” In its commentary on this rule, the NYSE clarifies: “The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken.” Origin: a listing rule approved November 4, 2003, post Sarbanes-Oxley, as part of the required elements of an audit committee charter for NYSE-listed companies.

– All public companies must include in their annual proxy statement filings under Form DEF 14A a disclosure of “compensation policies and practices that present material risks to the company.” Origin: proxy disclosure enhancement rules passed in December 2009, seven months before passage of Dodd-Frank.

– Large banks must have an independent risk committee. Origin: a banking rule passed by the Federal Reserve (Fed) in 2014 post Dodd-Frank. Under Dodd-Frank Title I, Section 165, any publicly traded bank holding company with consolidated assets of $10 billion or more must have a board-level risk committee to oversee enterprise-wide risk management. According to a final rule on enhanced prudential standards for domestic banks issued by the Fed in February 2014 and effective June 1 of that year, this committee must have at least one expert with experience in “identifying, assessing, and managing risk exposures of large, complex financial firms”; the committee must also be chaired by a director who meets certain independence requirements.[1] Similar Fed requirements have been in effect since December 2012 for foreign-bank risk committees.[2]

[1] “Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organization,” Federal Register 79, no. 59 (Mar. 27, 2014), p. 17427. [2] Ibid., p. 17289.


“Governance”

NACD has issued a great deal of guidance on risk oversight (which includes risk reporting). Here are some of our publications:

• Report of the NACD Blue Ribbon Commission on Risk Oversight (2002)
• Report of the NACD Blue Ribbon Commission on Risk Governance (2009)
• Director Essentials: Strengthening Risk Oversight (2016)

Director Essentials: Strengthening Risk Oversight draws on a survey of more than 1,000 directors (in our annual corporate governance survey) plus in-depth interviews with several public company directors. In this report, NACD recommends these improvements to ensure the “validity and relevance” of internal risk reporting from management to the board (as well as to external constituencies, as advised by legal counsel).

1. To reduce subjectivity and variability in risk reporting, ask management to clearly define how significant a “high risk” is, how much difference there is between a “high” risk and a “low” risk, and what the difference is between one “high” risk and another. Risk scorecards can be used to track the status of critical enterprise risks, linked to the company’s risk appetite.

2. Make sure that the time horizons used to assess the likelihood of risks are consistent with the time horizon of associated business objectives. For example, the risk is seen as likely to occur within the time horizon contemplated by the objective.

3. Understand the velocity and duration of risks. As the current environment has shown, risk velocity—or how quickly a risk’s results will manifest if it comes to pass—is an important factor in risk rating. Furthermore, the relative duration of a risk (if it comes to pass, how long will it impact a company?)—for example, a regulatory or macroeconomic risk—is an important dimension.

4. Ensure two-way information flow, both top-down and bottom-up. It’s important to communicate with management (including risk managers) about the types of risk information the board requires. Companies need strong escalation processes for critical risks. A good risk reporting system will deter the need for formal whistleblowing—whether the bottom-to-top process mandated by Sarbanes-Oxley or the director regulatory contact incentivized by Dodd-Frank.

5. Make sure there’s a regular cadence of risk reporting, allowing the board to frequently assess changes in risk exposure and keep a pulse on the effectiveness of risk management. The NACD 2016-2017 Public Company Governance Survey benchmarks show both frequency and the topical treatment of risk reporting.


What is Country-By-Country Reporting

Purpose and Use

• Assessing high level transfer pricing risks and other base erosion and profit shifting related risks, including non compliance with transfer pricing rules and economic and statistical analysis

Timeline

• CbC report required to be filed for fiscal years beginning on or after Jan 1 2016
• First report generally filed on or after Dec 31 2017 (12 months after fiscal year end)
• First CbC report to be exchanged between tax authorities no later than 18 months after last day of fiscal year (e.g., June 30 2018) and 15 months for subsequent fiscal years

Threshold

• CbC reporting for groups with revenues above 750 million Euro

Filing of report

• CbC report to be filed with tax authority in which ultimate parent is resident
• Legal and administrative means of implementation by individual countries still to be determined
• CbC reports to be exchanged electronically using common XML


What is In the Report?

1) Overview of allocation of income, tax and business activities by tax jurisdiction

2) List of constituent legal entities and business activities by tax jurisdiction

[Template tables shown on the slide; only the headings are recoverable.]

Table 1. Name of the MNE group; Fiscal year concerned. Columns:

• Tax Jurisdiction
• Revenues (Unrelated Party, Related Party, Total)
• Profit (Loss) Before Income Tax
• Income Tax Paid (on cash basis)
• Income Tax Accrued (Current Year)
• Stated capital
• Accumulated earnings
• Number of Employees
• Tangible Assets other than Cash and Cash Equivalents

Table 2. Name of the MNE group; Fiscal year concerned. Columns:

• Tax Jurisdiction
• Constituent Entities resident in the Tax Jurisdiction
• Tax Jurisdiction of organisation or incorporation if different from Tax Jurisdiction of Residence
• Main business activity(ies): Research and Development; Holding or Managing intellectual property; Purchasing or Procurement; Manufacturing or Production; Sales, Marketing or Distribution; Administrative, Management or Support Services; Provision of Services to unrelated parties; Internal Group Finance; Regulated Financial Services; Insurance; Holding shares or other equity instruments; Dormant; Other

What is Going to Come Out of the Report

1. The report is going to be shared and data analytics applied to it

2. Some multinationals are concerned that jurisdictions with special purpose entities, primarily financing entities and captive insurance entities are going to show large revenue numbers despite the small number of employees present.

3. These entities, if in certain smaller jurisdictions (e.g., Jersey, Cayman Islands, Bermuda, etc.) where there are not other operations, will “pop” out of the report. The fact that the entities may be required to be in such jurisdictions because that is where the relevant regulatory framework is in place is not a feature of the report.

4. The report does have a section or “box” for explanations.

What Will Tax Authorities Be Asking?

1. How much did the entities in my jurisdiction pay to the captive?

2. How were the arrangements priced?

3. Did the captive insurer pay losses?

4. Can you prove that the arrangement provided a genuine economic benefit for the group beyond any tax savings (e.g., UK or Australian diverted profits tax)?

5. How was the risk bearing entity managed? Did it have the expertise to manage the risks it was assuming (see Actions 8-10 of the BEPS project)?

Increased transparency – what role for the risk manager?

Helle Friberg FERMA board member

Views of the risk management community on transparency

In 2014, 73% of risk managers indicated in the European Risk and Insurance Report (ERIR) that they played an active role in providing input in the 'annual report' process

For half of them, the disclosure of profits and paid taxes on a country by country basis would pose a confidentiality issue regarding strategy

Views of the risk management community on transparency

In the 2016 ERIR, risk managers ranked “corporate governance and transparency” in third position as a European priority for FERMA.

How can the Risk Manager add value?

The risk manager can make use of the already implemented appropriate risk management process

• identification, collection of useful, sound and appropriate data, implementation of risk solutions, and monitoring

As a key person in the external reporting process

• the risk manager should risk-assess the content of the report - to identify the positive or negative impact that the information can have on the future business

Internal challenges

Act as a strategic advisor

• to answer questions from the Board when it comes to transparency requirements (risk reporting, reputation…).

Perform a risk assessment of the content

• before it is made public - to anticipate unintended consequences (positive and negative).

Review the cost of not being prepared

• It could be tremendous - and in the end devastating to a company.

Review the cost of not being prepared

External challenges

Reporting is not only about the numbers

• Figures need to have a context to avoid misinterpretation by the public, taking into account the full spectrum of the company’s value chain.

The risk manager will be an essential contributor to external reporting

• They should have a significant role in the creation of the reports for external use.

The Board signs off the report for public release

• They have the ultimate responsibility.

Conclusion: risk manager can add value

Providing a risk management process to ensure the quality of the reported elements.

Ensuring that the risks of unintended impact on the future business have been made aware of and scrutinized by management.

Being one of the strategic advisors for the Board when it comes to questions re. transparency requirements.

Any Questions?

Please use the GoTo Webinar Dashboard to send a question to the Moderator