“It ain’t over ‘til it’s over.” Truer words were never spoken when it comes to the new pay ratio rule.
A key chapter in pay regulations closed August 5, 2015 when the U.S. Securities and Exchange Commission (SEC) issued its final rule on the pay ratio disclosure mandated by the Dodd–Frank Wall Street Reform and Consumer Protection Act. This final rule capped a two-year comment period intended to resolve many thorny issues around exactly when and how to calculate the two numbers involved in the ratio—namely median employee compensation/CEO compensation. (To see NACD’s comment letter, visit the NACD Resource Center on Corporate Governance Standards and click on our Comment on Pay Ratio.) The NACD comment letter, like some others, noted that the “annual total compensation” figure can be misleading, and suggested solving this problem by asking the SEC to permit the use of industry averages, to limit employees to full-time domestic employees, and to permit supplemental notes. In its final rule, the SEC did not make these changes but did address concerns about total annual pay by allowing companies to use any “consistently applied compensation measure” (CACM) to calculate median annual compensation for employees.
This concept of a CACM led to questions, however. So on October 18, 2016, the SEC’s Division of Corporation Finance addressed them by updating its C&DI for Regulation S-K, one of the 32 “Compliance and Disclosure Interpretations” (C&DIs) the staff maintains on its most complex regulations. Although the five questions raised are technical rather than strategic, and represent only a tiny fraction of the many issues raised by the final rule overall, they still merit board attention. Therefore, this blog presents, in simplified English, the five ratio-relevant Q&As in the newly updated C&DI (codified under Section 128 C) and provides a key question and a final “takeaway” for boards.
Summary of the SEC’s Five Questions and Answers
Summary of Question 1: If a company does not use annual total compensation to identify the median employee, how should it choose another consistently applied compensation measure (CACM) to do so?
Summary of Answer 1: SEC’s updated C&DI assures companies that a CACM can be any measure that “reasonably reflects the annual compensation of employees,” but asks that companies explain their rationale for the metric they choose. An appropriate CACM will depend on “particular facts and circumstances,” says the SEC. For example:
Total annual cash compensation can work as a CACM, unless the company has also made a wide distribution of annual equity awards for the same period.
Social Security taxes withheld would likely not be an appropriate CACM unless all employees earned less than the Social Security wage base.
Summary of Question 2: May a registrant exclusively use hourly or annual rates of pay as its CACM?
Summary of Answer 2: No. Although an hourly or annual pay rate may be a component used to determine an employee’s overall compensation, the use of the pay rate alone generally is not an appropriate CACM to identify the median employee.
Summary of Question 3: When a registrant uses a CACM to identify the median employee, what time period may it use?
Summary of Answer 3: The SEC’s answer to this question says that the company must select a date within three months of the end of its most recent fiscal year to determine the population of employees from which to identify the median employee. The CACM need not be contemporaneous. In fact, it can come from the prior fiscal year, as long as there has not been a material change in the registrant’s employee population or employee compensation arrangements—that is, a change that would “result in a significant change of its pay distribution to its workforce.”
Summary of Question 4: What about furloughed employees?
Summary of Answer 4: The SEC’s response clarifies that the final rule identifies four classes of employees: full-time, part-time, temporary, and seasonal. It does not define or even address furloughed employees, because a furlough could have different meanings for different employers. Whether a furloughed worker counts as an employee is a matter of “facts and circumstances,” and the SEC provides additional guidance on the matter.
Summary of Question 5: What about independent contractors? Under what circumstances can their pay be included in the CACM for the employee?
Summary of Answer 5: The final rule had stated that “leased” workers are excluded from the definition of employees “as long as they are employed, and their compensation is determined, by an unaffiliated third party.” The SEC’s answer preserves this distinction and gives some flexibility. In determining when a worker is an “employee,” the company “must consider the composition of its workforce and its overall employment and compensation practices.” So a company should include workers whose compensation it (or a subsidiary) determines “regardless of whether these workers would be considered ‘employees’ for tax or employment law purposes.”
Are you familiar enough with compensation patterns in your company to know whether a chosen CACM “reasonably reflects” the compensation in your company? If not, you may wish to meet with the officer responsible for employee pay below the executive level to get a better sense of this important issue.
Compensation committees have traditionally focused on executive compensation, leaving employee compensation to management. In the past few years, however, several factors have combined to broaden the committee’s purview, including concerns about pay disparity, and the new requirement to disclose compensation risk. Therefore, more compensation committees are overseeing enterprise-wide pay. For example, in its 2016 proxy statement, WPX Energy disclosed that in the past year “With the oversight of our Compensation Committee, we conducted a risk assessment of the Company’s human capital with a focus on enterprise-wide compensation programs.” (Emphasis added.)
The key word in all of these questions and answers is “reasonably.” It is exactly the right word for compensation committees to use as they oversee this disclosure, as well they should.
Alexandra R. Lajoux is chief knowledge officer emeritus at the National Association of Corporate Directors.
It is clearer than ever before that sustainability practices can affect corporate value. That was the main thread of a panel that I led at the National Association of Corporate Directors’ 2016 Global Board Leaders’ Summit in Washington, D.C. My co-panelists Christianna Wood, director at H&R Block, and Seth Goldman, founder of Honest Tea, and I discussed the potential risks and opportunities that environmental and social issues pose to companies.
Sustainability is a broad term, and not every environmental or social issue belongs on the board agenda. But when an environmental or social issue has the potential to affect corporate revenue and earnings in the short and long term, sustainability absolutely should be on the table.
At the end of the day, it all comes down to materiality, and this is where corporate directors have a critical role to play.
Materiality is about determining a company’s priorities. As fiduciaries responsible for overseeing a company so that it not only survives but also thrives in the long term, directors have a responsibility to assess whether a company is making the right choices.
But the much harder question is: When does an environmental or social issue rise to the level of being material?
Here are some steps directors can take to drive discussions about whether sustainability issues are material to the companies that they oversee.
1.) Understand how sustainability is being integrated into your company’s efforts as a way to identify material issues.
There are a few ways to do this. Directors could point management towards the Sustainability Accounting Standards Board’s Company Implementation Guide, which provides a great starting point for companies to assess whether certain sustainability factors could be considered material for the purposes of the company’s financial filings. Directors could also integrate themselves more meaningfully into corporate efforts aimed at identifying material sustainability issues. They could provide perspectives on the connections between sustainability factors, corporate strategy, risk, and revenue.
2.) Include key issues being raised by critical stakeholders in the materiality exercise.
While a broader range of stakeholders is raising a variety of issues these days, the financial community is a particularly critical constituency to direct attention towards. As we discussed in our panel, the U.S. investor community is starting to make the connections between sustainability and the financial value of companies in their portfolios. During the 2016 proxy season, close to 400 shareholder resolutions on climate change and other sustainability issues were filed. Large investors including CalPERS, CalSTRS and State Street Global Advisors are asking their portfolio companies to put directors with climate expertise on their boards.
In addition to tracking broad sustainability trends that investors are paying attention to, prudent directors could consider opportunities to engage directly with key shareholders to get a sense of issues specific to the company and the industry. Directors could also track and engage with the broader activist and advocacy community as a risk management exercise.
3.) Weigh in on the time frame over which issues are considered to be material.
Since the board in particular is responsible for long-term corporate performance, directors play an important role in examining whether their company’s materiality process focuses on considering issues over the long or short term.
Overall, momentum is building to adopt a more long-term view to encourage companies and boards to think more broadly about sustainability and materiality. The recently released Commonsense Corporate Governance Principles, which are backed by major U.S. companies including JPMorgan Chase & Co., Berkshire Hathaway, and BlackRock, support the move to long-term thinking. And more companies, including Unilever, Coca-Cola, and National Grid, are moving away from the practice of issuing quarterly guidance specifically to encourage investors and other stakeholders to adopt long-term thinking.
4.) Disclose details on what you consider to be your company’s material priorities.
Noting that determinations of materiality depend on whom the company considers to be its most significant stakeholders, governance experts are starting to call on corporate boards to release a statement noting critical audiences that the company is oriented towards and issues that the corporation is prioritizing. Companies like the Dutch insurance company Aegon have started to issue such statements.
The process of helping to identify the right issues is just a first step in a director’s responsibility on materiality. Directors have an important role to play in ensuring that material issues, once identified, are integrated into board deliberations on strategy, risk, revenue, and accountability systems. Getting to the right issues, however, lays an important foundation for the company and its key stakeholders to build on.
The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurers to protect their information systems and customer information. The regulations, if adopted, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to, among other steps, establish a cybersecurity policy and an incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity and of the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of a partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.