
The US Supreme Court and risk assessment

October 12, 2023

A decision by the US Supreme Court in 1976 is relevant to practitioners for several reasons.

One of the questions before the court was what the word “material” meant[1].

In TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, they said that a fact is material if there is “a substantial likelihood that the …fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” They also said that determinations of materiality require “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him ….”

Why is this relevant to risk assessment?

It doesn’t talk about an investor’s decisions being affected by a single fact in isolation.

Instead, it talks about the “total mix” of information.

The SEC refers to the same idea in its new cyber disclosure rule:

The Commission affirmed in the Proposing Release that the materiality standard registrants should apply in evaluating whether a Form 8-K would be triggered under proposed Item 1.05 would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano, and likewise with that set forth in 17 CFR 230.405 (“Securities Act Rule 405”) and 17 CFR 240.12b-2 (“Exchange Act Rule 12b-2”).  That is, information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

This is my point:

When an organization’s management or board are making decisions, they should be considering the “total mix” of information about what might happen (i.e., risks and opportunities) rather than one source of risk at a time.

I explain this in my books with examples like this.

The CEO is considering whether a new product is ready and should be released a month earlier than planned.

She consults her direct reports, including the CRO, and is told that:

    • Product quality risk is low to moderate and within acceptable limits.
    • The risk that related marketing will not be effective is low, and the EVP Marketing says she is “cautiously optimistic”.
    • The additional cyber and information security risk that would be created with the new product is also within defined tolerance levels.
    • The risk that the help desk and other support functions will not be able to handle the additional volume of calls and need for support is moderate and acceptable.
    • The risk that our sales staff are not fully trained in the new product is also “on the low side”. Management is confident they can handle it, “as they always do”.
    • While our cash is currently low, the risk to our cash flow that would be posed by the major expenditures needed for the rollout is ‘manageable’.
    • The upside is high, and Sales are 90% confident of achieving or exceeding projected revenue targets.

The CEO considers all of the above (i.e. the ‘total mix’ of information, or what I call ‘the big picture’), not just one source of risk or opportunity, and asks what would change if they deferred release for a month.

She decides that taking the additional risk in the earlier release scenario is not justified by an additional month of revenue, given all the things that might go wrong and the opportunity to mitigate them over the next month.

Even though each of the individual sources of risk is within tolerable levels, the wise business decision is to wait.

The UK’s FRC has proposed changes to the UK’s Corporate Governance Code that require risk management and systems of internal control to focus on what would be material to the achievement of enterprise objectives.

This again requires considering the total mix of risk and opportunities (the ‘big picture’), not just one source of risk at a time.

When will risk practitioners move from lists of individual risks to helping decision-makers and leaders of the organization see the big picture?

When will they help them see how the total mix of risks and opportunities will affect the achievement of enterprise objectives?

Risk practitioners need to change.

Internal audit practitioners need to start reporting as ineffective risk programs that only provide a list of risks, and don’t help leaders make informed and intelligent decisions.

What do you think?

——————————————————————————————————————–

[1] The definition they arrived at is still used by the regulators when defining “material” for Sarbanes-Oxley compliance and other matters of law and regulation.

  1. Anonymous
    October 12, 2023 at 12:35 PM

    Dear Norman, on the example of the launch of a product a month earlier, I learned from the perspective of a bigger picture; however, these are within the control of the company. Maybe if an element beyond the company’s control, like the competitor launching a similar product, information from market intelligence, then the decision-making process becomes a business decision taking into consideration all the internal controls or inputs. Comment please. Thanks

    • Norman Marks
      October 12, 2023 at 12:44 PM

      The possibility of a competitor’s action is another piece of the big picture. It needs to be understood and drawn in.

  2. October 13, 2023 at 3:05 AM

    This press release https://www.frc.org.uk/news-and-events/news/2023/10/sanctions-against-kpmg-llp-kpmg-audit-plc-and-two-former-partners/ shows what happens when you don’t look at all aspects of risk.
