Are You Managing the Risks of Disclosure? – Revisiting Your Controls in the Age of ESG, DEI, and Social Media

by | Oct 4, 2023

Do people in your organization worry about saying too much, too little, or the wrong thing? 

I can guess the answer is yes. The risks of disclosure (and nondisclosure) are intensifying with the rise of new regulations regarding what we say and how and when we say it. New communication channels allow more people to speak (and to speak more often). Now, more than ever, it’s imperative to revisit your disclosure controls and procedures (DCPs) as part of your internal control program.

DCPs have been a cornerstone of the financial certification landscape for public companies in North America for the past 20 years. The goal has been to get companies to share essential financial information that is accurate, complete, and timely so that investors, analysts, stakeholders, and the public can use it to make better decisions.

However, not all internal control programs (i.e., SOX, CSOX, ICFR) formally assess them or have best practices that are relevant to the current landscape. This means many organizations and leadership teams need a fresh approach to address changes in our regulatory, corporate, and social world. Our disclosure controls in turn need to look at the broader issues related to how companies release information and show it to the public. Otherwise, more companies, CEOs, and boards will face risks that are hiding in plain sight, such as late regulatory filings, PR disasters, or missed opportunities.

In this article, let me share some practices we’re using with clients today, based on what we’ve learned from 15 years running internal control and DCP programs for organizations of all sizes. 

What Exactly Are Disclosure Controls & Procedures (DCPs) —A Refresher

In the enactment of Sarbanes-Oxley (aka “SOX”) in 2002, the SEC introduced the term “disclosure controls and procedures” to ensure that SOX programs address controls and procedures around the quality and timeliness of disclosures in public reports. Like our American counterparts, CEOs and CFOs of Canadian TSX-listed companies are also required to certify the design and the effectiveness of their company’s disclosure controls and procedures (DCPs) and internal control over financial reporting (ICFR).

DCPs SIMPLIFIED: DCPs are the activities that ensure that key information is controlled, reviewed, and approved before it is released to the public.

DCPs typically include:

  • A disclosure committee to oversee the disclosure process.
  • An inventory or listing of disclosure reporting requirements.
  • A standard reporting package for the Board, Management, or other stakeholders.
  • Responsibilities determined for disclosure obligations.
  • A Disclosure Policy to address how disclosures are handled.

Disclosure Controls & Procedures in a Brave New World: 4 Priorities

Here are four of the top developments that are putting a new twist (and perhaps new life) into how information is defined, controlled, and released to the public. While they may not be included as part of your DCPs, at least yet, they strongly signal the need to revisit them and raise the bar.

1. ESG (Environment, Social, and Governance) Reporting

In 2020, BlackRock, the world’s largest asset manager, called on the companies it invests in to publish disclosures in line with the SASB and the Taskforce for Climate-Related Financial Disclosure. This led to Governor DeSantis dumping Blackrock funds from Florida’s investment holdings over its “woke” policies.

In 2021, the SEC sent letters to companies requesting information about their climate-related disclosures (or lack thereof) referencing the Commission Guidance Regarding Disclosure Related to Climate Change

Over the past three years, the pressure on ESG disclosures (both for and against) has exploded, coming from investors, activists, employees, regulators, banks, and others. While ESG reporting is not mandatory for many organizations (including my Canadian-listed clients), it’s strategic nonetheless as it can lead to commercial advantages or disadvantages. 

What does this mean for DCPs today (and for the future)?

  • ESG reporting should be treated with similar rigor as financial information and become a part of your DCP program with processes, procedures, reviews, and approvals handled before it is released to the public. 
  • DCP risks need to address the newest fraud risk of greenwashing” (i.e., misleading or deceptive publicity to present an environmentally responsible public image).
  • For organizations just starting out or with light ESG reporting, DCP controls can be built into your existing DCP program without a need to recreate the wheel. 
  • For larger, more robust, or complicated programs, ESG reporting (e.g., for emissions) demands more tailored controls with careful design to capture processes and information flow.

2. Cybersecurity Incident Reporting

July 2023, the SEC adopted a new rule on cybersecurity risk management requiring companies to disclose “material cybersecurity incidents” within four days of deciding that the incident is material. 

 “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.”

The interesting part about this legislation is that the clock starts only after you have determined that the incident is “material.” This isn’t purely a quantitative exercise either. There’s a high degree of professional judgment that goes into determining whether the incident is material or not. This regulation points to the growing theme we have all seen across organizations where cybersecurity is no longer just an operational risk, but a top-of- mind concern of the Board.

What does this mean for DCPs today (and for the future)?

  • DCPs need to include cyber incidents as part of their inventory of disclosure obligations.
  • Organizations require a protocol for assessing the materiality of cybersecurity incidents.
  • Cyber disclosures will need to become a part of your Incident Response Plan.
  • Cybersecurity incidents require a cross-team collaboration including working with Legal, IT, Accounting, Operations, Senior Management, and the Board.

3. Social Media

Controlling what we say and who says it to the public has always been a part of disclosure controls. But we are living in a new world where everyone has their own “public,” to speak to. Social media puts a new twist on how information is released and the speed with which it can be disseminated.

Unlike traditional media or disclosures, sharing information through social media often doesn’t follow a formal internal process for releasing information to the public. But that’s a mistake. Social media is a disclosure like any other and should follow the same elements of “control” as other types of communication, which includes having the right people, review processes, and approvals. The only difference is that social media demands a faster, more iterative release process. Obviously, it’s not good enough for the Disclosure Committee to review social media posts once a quarter. It’s a new world, which demands new processes, new thinking, and a new approach to DCPs.

So, what does this mean for DCPs today (and for the future)?

  • Social media posting should be included as part of your disclosure obligations or inventory.
  • The Communications team should be educated on disclosure rules and regulations and coordinate with Legal and Senior Management.
  • Organizations need to assess the risks and opportunities of social media, including taking a balanced approach that looks at the risks of lost opportunities of not using social media.
  • Organizations need a social media policy in place that is regularly communicated to employees, monitored, and enforced.

4. DEI (Diversity, Equity, and Inclusion) 

DEI statements are becoming a hot topic. (See this article for inspiring examples.) As of 2021, Canadian corporations, under the Canada Business Corporations Act (CBCA), are required to disclose information to their shareholders and to Corporations Canada on the diversity of their boards of directors and senior management teams. Corporations Canada implemented guidelines to help corporations report on the representation of women, Indigenous peoples, persons with disabilities, and members of visible minorities.

This one small example (of many) relates to the ways DEI is impacting what corporations need to disclose and the risk of saying too little. While DEI isn’t always formally included as part of DCPs, this moment is coming. If you want to be proactive, you should make it part of your disclosure strategy.

So, what does this mean for DCPs today (and for the future)?

  • DEI strategies should be linked to the overall disclosure strategy and DCPs.
  • Organizations should assess the risks and opportunities around DEI disclosures, including the risks of not disclosing.
  • DEI disclosures need to reflect the actual actions and thinking of the organization and not “faux” or “wished for” DEI.

2 Tools to Boost Your DCP Program

Finally, because I want to leave you with something practical and tangible, let me share two simple (but highly effective) tools to boost your DCP program. We use them extensively at Risk Oversight to support our clients, while we continue to refine them.

Disclosure Control Review Template (To Get Started)

To get going on your DCP assessment, this simple template covers the key areas I recommend that you review first. While it doesn’t cover all elements of DCPs, it’s enough to get you started.

Control Area Control Description Questions
DCP1 Disclosure Policy There is an appropriate, up to date Disclosure Policy in place to guide how disclosures are made to the public and external parties. The policy is reviewed    and updated regularly to reflect best practices and the needs of the organization.
  • Does a Disclosure Policy exist?
  • Is the Disclosure Policy updated on a regular basis to reflect best practice and the needs of the organization?
  • Does the Disclosure Policy cover the appropriate topics including:
    o Disclosure Committee
    o Disclosure principles or requirements
    o Designated spokespersons
    o Disclosure obligations (e.g., press releases, financial statements)
    o Material changes
DCP2 Disclosure Committee There is a Disclosure Committee in place that meets regularly to review the financial statements and key disclosures.

Material or significant disclosures go through the Disclosure Committee before release to the public.		 • Has a Disclosure Committee been established?
• Does the committee review key filings, reports, and press releases?
• Are the appropriate people on the committee including:
• CFO/accounting officer
• Legal/general counsel
• President
• Are disclosure committee meetings documented?
DCP3 Disclosure Obligations and RACI Disclosure obligations (i.e., filings, other regular disclosures) are understood and tracked and responsibilities assigned to the appropriate team members. Team members understand “RACI” (Responsible, Accountable, Consulted, Informed) responsibilities related to disclosure obligations. • What is the process/protocol overall for reviewing and approving disclosure obligations before they are released to the public?
• Is there an inventory of disclosure obligations? How are disclosures tracked and managed?
• Is there an understanding of “RACI” requirements for disclosure obligations?
• For what types of disclosures, does Legal need to be involved?
DCP5 Insider Management There is an Insider Trading policy that sets the rules around trading company stock. The list of Insiders is reviewed regularly. Blackout periods are communicated quarterly.
  • Is there an Insider Trading (or related) policy in place that sets the rules around trading company stock for Insiders? 
  • Is the policy updated regularly and does it have an appropriate owner?
  • Is there a list of Insiders? Is this list updated for changes to the business to include stakeholders who may have confidential information?
  • Have blackout periods been established? 
  • Are blackout periods communicated regularly?

 

Disclosure Control RACI Matrix

My favorite tool for disclosure controls is the Disclosure RACI (“Responsible, Accountable, Consulted, Informed”) Matrix. It’s a practical way to step back and take an inventory of your disclosure obligations and the roles involved in the process. If you are a smaller organization, your disclosure controls might not involve a lot of people, but it’s still important to get organized with what needs to be released (and when) and who needs to be involved, or not.

What I have pasted below is an example from the matrix, but if you are looking for the complete matrix, you can download it below.

Get the Disclosure Matrix

Disclosure is not a risk–and a requirement–to take lightly. These areas are all front and center with regulators, boards, investors, customers, stakeholders, and the public at large. I hope this article helps you to think about elements and developments that help you with your DCP program today and for the future too.