Dean Kingsley is a Principal and Matt Solomon is a Senior Manager at Deloitte & Touche LLP. Kristen Jaconi is an Associate Professor of the Practice in Accounting and Executive Director at Peter Arkley Institute for Risk Management at the USC Marshall School of Business. This post is based on their recent Deloitte report.
We are certainly continuing to live in “interesting times.” Even when we feel as though the volume and velocity of risks can’t possibly accelerate further, they do. The past 12 months have seen US companies reacting to numerous cyber events, unprecedented political activity, conflicts in the Middle East and Europe, fluctuations in the US economy, and an increase in artificial intelligence (AI) capabilities. That’s to say nothing of accelerating extreme weather events, regulatory changes, and the continued rise of stakeholder and social activism.
In light of this ever more complex risk environment, what do the largest US public companies view as their most material risks? Deloitte and the USC Marshall School of Business Peter Arkley Institute for Risk Management (USC Marshall Peter Arkley Institute for Risk Management) have completed our fourth year of analysis of annual risk factor disclosures of Standard & Poor’s (S&P) 500 companies. The results show a continued trend toward more extensive risk factor disclosures to reflect this complex environment, even though the SEC’s risk reporting reforms in 2020 [1] sought to simplify and reduce the volume of risk factor disclosures.
This year, we conducted a deeper review of risk factors mentioning AI, complementing our deeper reviews in previous years of cybersecurity risks and climate-related risks. Over 60% of the S&P 500 companies reviewed believe they have material risks around AI, and this wasn’t restricted to the Information Technology sector – companies in all sectors disclosed AI risks relating to cybersecurity, competition, innovation, regulatory, intellectual property, ethical, and/or reputational risks. Numerous companies disclosed multiple AI-related risks this year, with 20% of companies disclosing three or more AI-related risks. Clearly, the AI revolution is well and truly underway and posing challenges for many companies in their ability to manage the associated risks.
Background
Since 2021, Deloitte and the USC Marshall Peter Arkley Institute for Risk Management have conducted a series of analyses on the risk factor disclosures filed by S&P 500 companies to understand the impact of SEC rules finalized in 2020 to address the increasingly lengthy and generic risk factor disclosures of registrants. For a description of these rules, see Appendix: Summary of SEC’s Final Rule on Regulation S-K, Item 105.
We published our initial results in March 2021 in “Many companies struggle to adopt spirit of amended SEC risk disclosure rules,” reviewing 88 companies that had filed their annual reports by early February 2021. We concluded that risk factor disclosures were becoming lengthier, contravening the SEC’s stated intention in the amended requirements. Follow-up reports in November 2021 and December 2022, both reviewing 439 companies, and November 2023, reviewing 440 companies, confirmed our initial March 2021 analysis and showed a continuing trend toward lengthier disclosures.
In this latest report, we have reviewed the risk factor disclosures in the annual reports of 434 S&P 500 companies to identify trends during this fourth year of implementation, including an analysis of risk factors mentioning AI. We have also provided some high-level considerations for companies as they prepare for the next reporting season.
Analysis of rules adoption
To assess the adoption of the amended requirements over four years of implementation, we have reviewed the risk factor disclosures of 434 S&P 500 companies that have filed four annual reports between November 9, 2020, the effective date of these requirements, and April 23, 2024. Our key findings are as follows: [2]
- The number of pages has increased minimally over the past year.
➢ The average number of pages is about 13.7 per company, compared to 13.6 the third year and the second year after the amendments, but up from 12.2 before the amendments and about 13.3 one year after the amendments. Over 45% of companies increased the number of pages this past year.
- The number of risk factors has stabilized over the past three years.
➢ The average number of risk factors per company was 31.5 the third year and fourth year of implementation as compared to just under 31.4 the second year, just over 31 the first year, and just under 31 before the amendments. However, 28% of companies still increased the number of risk factors this past year.
- Most companies did not need to include a risk factor summary, which is required if the risk factors disclosure is longer than 15 pages.
➢ Approximately 22% included a summary in the first year of implementation, 23% in the second year of implementation, and 24% in the third year and the fourth year of implementation.
➢ The average number of pages for the summaries was approximately 1.5 pages all four years of implementation, with a range of .25 to 2.75 pages.
- Headings are being used, but they are often very generic.
➢ Nearly 60% of companies used the same number of headings all four years of implementation.
➢ The average number of headings per company was five all four years of implementation.
➢ The average number of risk factors per heading was six all four years of implementation. Eighty companies had significantly more—20 to as many as 54 risk factors under one heading during the fourth year of implementation.
➢ The most common heading categories this fourth year of implementation were variants of legal, regulatory, and compliance; business; financial; operational; cybersecurity, information technology, data security, privacy; common stock; economic and macroeconomic conditions; industry; strategic transactions; strategic; indebtedness; tax and accounting; market; intellectual property; human capital; and international operations.
- Nearly one-third of companies used a “general risk factors” heading during each of the past four years, contrary to the SEC’s advice. [3]
➢ Companies used an average of just under five risk factors under the general risk factors heading all four years of implementation and a range of one to 18 during the fourth year. [4]
➢ The most common risk factors included under the general risk factors heading during this fourth year of implementation were recruitment and retention of talent/key personnel; natural and man-made disasters/catastrophes; economic conditions; stock price volatility; litigation; climate change; financial reporting internal control weakness; COVID-19; environmental, social, governance; tax law and regulation changes; cybersecurity; and strategic transactions.
Insights on artificial intelligence risk factors
Recent rapid advances in publicly available Generative AI (GenAI) tools have signaled the long-awaited AI boom. [5] Calls to harness AI through private sector leading practices and legislative and regulatory proposals soon followed.
The SEC has focused primarily on the use of AI by broker-dealers and investment advisers. In 2023, the SEC proposed a rule addressing broker-dealers’ and investment advisers’ conflicts of interest with respect to AI use. [6] At the end of 2023, the SEC’s Division of Examinations launched a sweep asking broker-dealers and investment advisers about their AI use. In March 2024, the SEC announced settlements against two investment advisers for false and misleading statements about their AI use. [7]
However, in February 2024, in remarks at Yale Law School, SEC Chair Gary Gensler focused, albeit briefly, on disclosures of material AI risks. He noted, “When disclosing material risks about AI—and a company may face multiple risks, including operational, legal, and competitive—investors benefit from disclosures particularized to the company, not from boilerplate language.” [8] In June 2024, the SEC brought its first “AI-washing” enforcement action against an AI recruitment start-up for issuing false and misleading statements about its customers, users, and revenues. [9]
Given these remarks and the growth in the adoption of AI in the past two years, using directEDGAR, a tool to search SEC EDGAR filings, we reviewed risk factor disclosures mentioning AI-related risks in the annual reports filed between November 8, 2023 and April 23, 2024 by 434 S&P 500 companies. Over 60% of companies, 273 of 434, discussed AI-related risks in at least one risk factor. There is a notable variance among the sectors, with over 90% of the Communication Services sector mentioning AI-related risks in at least one risk factor and less than 40% of the Energy sector.
Nearly 40% discussed AI-related risks in multiple risk factors, a notable decrease compared to those companies disclosing this risk in a single risk factor.
Over 15% of companies included stand-alone risk factors dedicated to AI. These risk factors often mentioned a multiplicity of AI-related risks, including financial, cybersecurity, reputational, innovation, and/or legal and regulatory risks.
Companies mentioned in their risk factor disclosures a variety of AI-related risks.
Cybersecurity
Our November 2023 report noted companies disclosed facing increased cybersecurity risk due to remote work and geopolitical conflicts. AI is also adding to this risk: Over 40% of companies included AI as contributing to cybersecurity risk, often noting the increasingly sophisticated and evolving AI tools hackers could use. Of all types of risk factors, companies most frequently mentioned AI in cybersecurity risk factors.
Failure to Innovate and Competition
In Deloitte’s August 2024 report, State of Generative AI in the Enterprise, 58% of C-suite and board members surveyed noted they were deriving benefits from the use of GenAI, including “increased innovation, improved products or services, or enhanced customer relationships.” [10] At the same time, companies are concerned about their ability to compete and innovate. Over 30% of companies noted in their risk factor disclosures their failure to innovate and incorporate AI technologies into their products and services would harm their competitive position, financial results, reputation, and/or customer demand. Over 30% of companies expressed their fear that they might lose market share to competitors if they were unable to offer market-acceptable products and services with AI.
Legal, Regulatory, Data Protection and Privacy, and Intellectual Property Risk
The legal and regulatory environment around AI continues to evolve rapidly. The European Union stands at the forefront, having already issued rules governing AI. [11] Although there is no federal US law governing the use of AI, several policy-makers in Congress have introduced legislation. [12] Many other countries have proposed AI-related frameworks. [13] Several states have proposed or enacted AI-related legislation. [14]
Given this environment, nearly 30% of companies noted the challenges of complying with these new and evolving AI-related laws and regulations. Over 15% of companies mentioned a similar challenge with respect to AI laws and regulations specifically related to data protection and/or privacy.
One of the more unsettled legal areas with respect to AI is intellectual property. Over 17% of companies noted evolving AI laws and regulations related to intellectual property rights. A key question is whether creations developed by machines should be protected by copyright and patent laws. Some companies just briefly mentioned the risk of violating intellectual property laws or their fear of either infringing on others’ intellectual property rights or their intellectual property rights being infringed. However, several companies discussed in more detail the unclear status of intellectual property rights with respect to AI-generated creations.
Responsible AI: Reputation, Ethics, and Flaws and Biases
Many companies are disclosing the risks associated with failing to use or deploy “responsible AI.” [15] Approximately one-quarter of companies disclosed that their use of AI posed reputational risks. Nearly 15% of companies were concerned that their use of AI posed ethical risks. One-fifth of companies reported their AI models, algorithms, and/or training methodologies and/or their related outputs could be flawed, biased, or defective or cause social harm.
Talent
In Deloitte’s first quarter 2024 CFO Signals report, 60% of the chief financial officers surveyed noted “bringing in talent with GenAI skills over the next two years is either extremely important or very important.” [16] However, only 12 companies, including four in the Financials sector and four in the Information Technology sector, mentioned the risk of not attracting and retaining employees with AI skills.
Inability to Mitigate AI Risk
While many companies reported they did not understand all the risks AI poses, 11 companies, including nine in the Financials sector, admitted that their risk management programs might not be able to mitigate AI-related risks.
Considerations
Integrate external risk factor disclosure processes with internal enterprise risk management (ERM) reporting processes. As we have mentioned in each of our past reports, companies can consider integrating their external risk factor disclosure process into their internal ERM reporting processes. Companies may then be better positioned to meet the SEC’s goals set forth in the amended risk factor disclosure requirements of “disclosure that is more in line with the way the registrant’s management and its board of directors monitor and assess the business.” [17] In addition, the SEC has shown it will use its enforcement powers to drive better alignment between external and internal risk reporting. In an October 2023 complaint, the SEC alleged a software company made materially false and misleading statements, including in its risk factor disclosures, about its cybersecurity risk. The SEC used as evidence internal company documents that allegedly contradicted the company’s public disclosures. [18] Although a district court dismissed most of the SEC’s charges in July 2024, [19] this case should prompt companies to consider better aligning their external risk reporting, such as their risk factor disclosures, with their internal risk reporting.
Aim for specificity, avoid boilerplate. As noted above, SEC Chair Gary Gensler has called upon companies to be specific when describing their material AI-related risks and not use “boilerplate language.” [20] This advice aligns with the spirit of the SEC’s amended risk factor disclosure requirements regarding all material risks. [21] Companies should strive to make their risk factor disclosures more specific.
Use risk taxonomies from ERM program for headings. Companies continue to use generic headings, such as “business” risks, “industry” risks, and “operations” risks. To bring more specificity to headings and enhance readability, companies could rely on their internal taxonomies used to catalogue risks for their ERM and risk reporting to management and boards of directors. Companies could also use external taxonomies promulgated by regulators and/or professional organizations. [22] Using more specific headings could lead to the more integrated external and internal reporting the SEC has alleged was lacking in the case against the software company mentioned above and sought in the revised risk factor disclosure rules.
Avoid generic risks. The SEC suggested in its amended requirements that companies avoid using a “General Risk Factors” heading. However, one-third of companies have used this heading in the past four reporting seasons since the SEC’s amended requirements went into effect. [23] If companies are disclosing these “general” risks to their management and boards, companies could use the more descriptive headings they use in their risk taxonomies for management and board reporting. It is also a leading practice for companies to engage their external advisers to review the need for these general risk factors.
Shorten sentence length. We have now reviewed four reporting seasons of risk factor disclosures since the effective date of the SEC’s risk factor disclosure reforms. The SEC’s amendments have overall not prompted the largest public companies to make their disclosures more readable, a key purpose of these amendments. [24] A strong salve to readability would be for companies to decrease the number of words in each sentence in line with Plain English standards for sentence length (no more than 20 words per sentence). [25] Companies could start this exercise by shortening their subcaptions.
Conclusion
During this fourth year of implementation of the SEC’s amended requirements, risk factor disclosures of 434 S&P 500 companies—similar to last year—are stabilizing. Some of the length in the first two years after the implementation of the amended requirements was due to the introduction of new stand-alone risk factors related to COVID-19 and climate. The SEC continues to focus in its rulemaking on encouraging companies to integrate their specific risk management processes, such as those related to cybersecurity and climate-related risks, with their overall risk management processes. [26] The SEC is also using its enforcement powers to drive home the point of the need for alignment between internal and external risk reporting. Given the SEC’s actions, companies should aim to enhance and more fully integrate their external risk factor disclosure processes with their internal ERM reporting processes.
Link to full report can be found here.
[1] Securities and Exchange Commission, Final Rule: Modernization of Regulation S-K Items 101, 103, and 105, Release No. 33-10825 (Aug. 26, 2020) [85 FR 63726 (Oct. 8, 2020)] [hereinafter Final Rule].
[2] In this report, we have used the sectors set forth in the Global Industry Classification Standard (GICS). We have disclosed average data rather than median data given the limited difference between the average data and median data for the 434 S&P 500 companies reviewed.
[3] Final Rule at 63761 (“The presentation of risks that could apply generically to any registrant or any offering is discouraged, but to the extent generic risk factors are presented, disclose them at the end of the risk factor section under the caption ‘General Risk Factors.’”).
[4] The number of companies by sector disclosing risk factors under a general risk factors heading for the four years of implementation was: Materials, Y4: 7; Y3: 7; Y2: 7; Y1: 8; Real Estate, Y4: 12; Y3: 13; Y2: 14; Y1: 14; Consumer Staples, Y4: 5; Y3: 6; Y2: 6; Y1: 6; Financials, Y4: 15; Y3: 15; Y2: 14; Y1: 13; Communication Services, Y4: 3; Y3: 4; Y2: 4; Y1: 5; Energy, Y4: 11; Y3: 11; Y2: 10; Y1: 8; Utilities, Y4: 8; Y3: 8; Y2: 9; Y1: 9; Health Care, Y4: 23; Y3: 24; Y2: 25; Y1: 25; Information Technology, Y4: 20; Y3: 20; Y2: 19; Y1: 19; Consumer Discretionary, Y4: 13; Y3: 14; Y2: 13; Y1: 13; Industrials, Y4: 19; Y3: 18; Y2: 19; Y1: 22. All the sectors together follow: Y4: 136; Y3: 140; Y2: 140; Y1: 142.
[5] See Herbert Simon, The New Science of Management Decision, 1st ed. 38 (Harper & Row, Jan. 1, 1960) (“[M]achines will be capable, within twenty years, of doing any work that a man can do.”).
[6] SEC, Proposed Rule: Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers, Release No. 34-97990 (July 26, 2023) [88 FR 53960 (Aug. 9, 2023)].
[7] SEC, SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence, Press Release No. 2024-36 (Mar. 18, 2024).
[8] Gary Gensler, AI, Finance, Movies, and the Law – Prepared Remarks Before the Yale Law School (Feb. 13, 2024).
[9] SEC, SEC Charges Founder of AI Hiring Startup Joonko with Fraud, Press Release No. 2024-70 (June 11, 2024).
[10] Deloitte, State of Generative AI in the Enterprise: Quarter three report (Aug. 2024).
[11] European Parliament and Council, Artificial Intelligence Act Regulation (May 14, 2024). To understand effective dates, see European Parliament, EU AI Act: first regulation on artificial intelligence (Updated June 18, 2024).
[12] To monitor US and international legislative and regulatory AI-related initiatives, see White & Case LLP, AI Watch: Global regulatory tracker. Retrieved from https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker#introduction.
[13] Id.
[14] To monitor state legislative and regulatory AI-related initiatives, see Bryan Cave Leighton Paisner LLP, US State-by-State AI Legislation Snapshot. Retrieved from https://www.bclplaw.com/en-US/events-insights-news/us-state-by-state-artificial-intelligence-legislation-snapshot.html.
[15] Many organizations have defined Responsible AI. See Cole Stryker, IBM, What is responsible AI? (Feb. 6, 2024). Retrieved from https://www.ibm.com/topics/responsible-ai (“Responsible artificial intelligence (AI) is a set of principles that help guide the design, development, deployment and use of AI—building trust in AI solutions that have the potential to empower organizations and their stakeholders. Responsible AI involves the consideration of a broader societal impact of AI systems and the measures required to align these technologies with stakeholder values, legal standards and ethical principles. Responsible AI aims to embed such ethical principles into AI applications and workflows to mitigate risks and negative outcomes associated with the use of AI, while maximizing positive outcomes.”).
[16] Deloitte, CFO Signals: What North America’s top finance executives are thinking—and doing 2 (Q1 2024).
[17] Final Rule at 63748.
[18] Complaint, SEC v. SolarWinds Corp. and Timothy G. Brown, Civil Action No. 23-cv-9518 (Oct. 30, 2023). The SEC amended the complaint in February 2024. Amended Complaint, SEC v. SolarWinds Corp. and Timothy G. Brown, No. 23-cv-9518-PAE (S.D.N.Y. Feb. 16, 2024).
[19] Opinion and Order, SEC v. SolarWinds Corp. and Timothy G. Brown, 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024).
[20] Gary Gensler, AI, Finance, Movies, and the Law – Prepared Remarks Before the Yale Law School (Feb. 13, 2024).
[21] Final Rule at 63744-45.
[22] For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) sets forth in its 2017 Enterprise Risk Management: Integrating with Strategy and Performance external environment risk categories, such as political, economic, social, technological, legal, and environmental, and internal environment risk categories, such as capital, people, process, and technology. COSO, Enterprise Risk Management: Integrating with Strategy and Performance 47 (June 2017).
[23] Companies may be disclosing these generic risk factors with the aim of these disclosures being afforded the “meaningful cautionary statement” safe harbor under the Private Securities Litigation Reform Act. See Final Rule at 63745 for the SEC’s description of a comment letter on the proposal describing the use of the risk factor disclosure to satisfy the Private Securities Litigation Reform Act safe harbor. See also SEC, Concept Release: Business and Financial Disclosure Required by Regulation S-K, Release No. 33-10064 [81 FR 23916, 23955 (Apr. 22, 2016)].
[24] Final Rule at 63726 (“Specifically, the amendments are intended to improve the readability of disclosure documents, as well as discourage repetition and the disclosure of information that is not material.”).
[25] Martin Cutts, Oxford Guide to Plain English, 5th ed. 22 (Oxford: Oxford University Press, Feb. 27, 2020).
[26] SEC, Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023) [88 FR 51896 (Aug. 4, 2023)]; SEC, Final Rule: The Enhancement and Standardization of Climate-Related Disclosures for Investors, Release No. 34-99678 (Mar. 6, 2024) [89 FR 21668 (Mar. 28, 2024)].
[27] Final Rule at 63744.
[28] Id. at 63743.