The corporate risk factor disclosure landscape

Corporate risks disclosed by public companies in SEC filings often are generic and do not provide investors with clear, concise and insightful information that is company-specific.

A new analysis of risk factor disclosures in annual reports finds that they typically are vague, repetitive and “boilerplate,” offering investors little actionable insight into the risks facing companies.

A new study published by the Investor Responsibility Research Center Institute (IRRCi) examines the risk disclosures of 50 large companies, including the five largest publicly traded companies in ten different industries with an aggregate market capitalization of approximately $8 trillion.

The reason for required risk factor disclosures is to inform investors and others of the risks faced by individual companies. Instead, we see corporate disclosures that read like a laundry list of generic risks couched in legalese and lacking meaningful specificity. This is not helpful for investors trying to understand corporate risks, and it certainly does not enable investors to distinguish between the relative risk profile of different companies or the relative importance of the risks on the laundry list,” said Jon Lukomnik, IRRCi executive director.

“The one ray of hope, interestingly, is that cybersecurity is one area where companies are providing more robust information on the extent, impact and management of cyber risks,” Lukomnik said. “Cybersecurity disclosure may serve as an example of the direction companies could take in terms of disclosing and explaining risk. But there is still so much more that can be done across all areas of disclosure.”

“As the SEC reconsiders the risk factor disclosure requirements as part of its disclosure effectiveness initiative, we are hopeful that the IRRCi study provides helpful insights into current practices as well as opportunities for improvements,” said Kellie Huennekens with the EY Center for Board Matters, the primary research entity and contributor to this report.

The report finds a need for companies to streamline language around common risk factors and to offer more insightful, company-specific information such as descriptions of how the nature, intensity and likelihood of key risks have changed or might change along with explanations of how significant risks can affect a company’s business. The report also indicates that companies could enhance disclosure by describing their risk mitigation efforts.

Key findings

• Competition, global market factors and regulatory matters are the most common risks cited by all companies but are often discussed generically. This suggests an opportunity for companies to reconsider existing generic discussions.
• Disclosures generally are lengthy, and companies with a lower risk profile in particular have opportunities to reduce the extent and number of generic risk factors disclosed.
• When companies do use specific language to discuss risk mitigation efforts and/or changes in the nature of the risk, those disclosures tend to be minimal (e.g., a couple of words or a sentence) and are overshadowed by the prevalent use of vague, boilerplate language throughout the risk factor disclosures.
• The disclosures may serve as an indicator of what a broad base of companies view as emerging risks. Attention to non-traditional risks such as cybersecurity and climate change is evident from the review.
• Cybersecurity is one area where companies have responded to recent concerns expressed by investors and policymakers with disclosure that discusses the extent, effects and management of cyber risks.