The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

Transcription

1 The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies James Barkley, Simon Property Group, Inc. and David E. Weiss, DDR Corp. Introduction: As lawyers, particularly real estate lawyers, we are trained to identify and address risks in the various transactions we handle for our clients. We do so in many ways performing due diligence, obtaining surveys and title insurance, negotiating representations, warranties and indemnities, securing various forms of insurance to cover known and unknown liabilities, and negotiating for guarantees, cash holdbacks or other security, to name but a few. These risks, however, are transaction specific. Real estate lawyers spend much of their negotiating efforts finding ways to allocate risks away from their client. We spend a great deal of time trying to allocate risk to other contract parties or to third parties in exchange for premium consideration or other payments. Many external forces create business risks and are generally not addressed in everyday transactional work. The impact of a financial meltdown, the absence of adequate financing, the bankruptcy of tenants or other contract parties, are things that we may give thought to, but rarely address in our day-to-day transactional lives. Unfortunately, the same cannot be said of companies who operate in a significant risk environment every day. To successfully navigate the maze of risks that they face, companies must be proactive about both identifying and addressing risks. The best companies essentially embrace the risks that they face and do so in a way that can be turned to their business advantage. This is a relative new phenomenon and has its origins in a variety of different sources, but it has led to an approach adopted by most companies known 1

2 as Enterprise Risk Management, or ERM. This paper, and the accompanying presentation and roundtable discussion, will provide background into the origins of the risk management movement, as well as enterprise risk management programs and their design, implementation, communication and maintenance throughout an organization in a way that creates value and aligns the interests of various business units with a company s overall strategic vision. I. What is Enterprise Risk Management? The Committee of Sponsoring Organizations of the Treadway Commission ( COSO ) established a benchmark for both defining and implementing an effective ERM program. In its September 2004 paper ( Paper ), COSO defined enterprise risk management to mean the following: All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value. Enterprise risk management enables management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation and preservation. Enterprise risk management is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within the entity s risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It consists of eight interrelated components, which are integral to the way management runs the enterprise. The components are linked and serve as criteria for determining whether enterprise risk management is effective. 2

3 COSO, however, was not the first organization to recognize the advisability of identifying and implementing an effective ERM program. There are also judicial underpinnings of ERM: a. In re: Caremark International Inc. Derivative Litigation, 698 A. 2 nd 959 (Del. Ch. 1996), the Delaware Chancery Court set standards for determining whether directors breached their duty of care, either because they ignored red flags suggesting that a company or its employees were violating company policy or applicable legal or regulatory standards, or because a company s board failed in its oversight responsibilities by ignoring systematic failures in a company s information and reporting systems. The decision was a wake up call for boards since directors are not exculpated, and cannot be indemnified, if they are found to have acted in bad faith. The legislative landscape has changed the view of ERM as well: a. The Sarbanes-Oxley Act of 2002 ( Sarbanes ) was adopted in response to a number of notable corporate meltdowns, including Enron and Worldcom. Its primary intent was to require that corporate disclosures be more accurate and reliable in order to protect investors. In doing so, Sarbanes mandated accountability for the boards of public companies, management and a company s auditors, and imposed personal liability on chief executives and chief financial officers for financial misstatements. Sarbanes also requires public companies to adhere to a variety of different standards that have a direct connection to ERM. i. Among other things, Sarbanes requires the boards of public companies to establish a formal framework for the operation of the board and its 3

4 committees through the adoption of governance principles, committee charters and the like. More importantly, Sarbanes requires public companies to establish a system of internal controls that support a company s financial reporting function. These internal controls are required to be evaluated periodically, and to the extent deficiencies are identified, they must be addressed and if material, those deficiencies must be disclosed. ii. A public company s auditing firm is required to attest to a company s assessment of its internal control environment. iii. Failure to comply with the requirements of Sarbanes can impose penalties, including fines and imprisonment. iv. Provides protection, and incentives, for whistleblowers to report noncompliance. v. For further information regarding Sarbanes, the reader should access the Act through Particular attention should be paid to Sections 302 (CEO and CFO responsibilities), 404 (Internal Controls), 409 (Required Disclosures), 802 and 807 (Criminal Penalties), and 806 (Whistleblower Protection). b. The Dodd-Frank Wall Street Reform and Consumer Protection Act ( Dodd- Frank ), was aimed primarily at the perceived abuses which led to the financial 4

5 crisis in 2008 and Even so, Dodd-Frank does contain a number of corporate governance provisions, including: i. The so-called say-on-pay mandate requiring advisory votes by stockholders on executive compensation. ii. A requirement that compensation committees for public companies be comprised solely of independent directors. iii. The need for additional compensation disclosures in public company proxy statements. iv. The expansion of executive compensation claw-backs in the event of a financial restatement. v. Proxy access rules regarding director nominations by company stockholders. The Securities and Exchange Commission has been charged with responsibility for rulemaking under Dodd-Frank. c. Rating agencies, stock exchanges and proxy advisory firms have also issued their own set of guidelines which can impact a company s analysis and approach to addressing risk. See for example: i. The New York Stock Exchange Listed Company Manual, Section 3 (Corporate Responsibility): 5