Rightsizing the Risks Around Employee Rewards
May 29, 2008
The risks associated with employee compensation and benefits programs are multitudinous, but they rarely seemed mission-threatening -- until the options backdating scandal erupted. Then proliferating lawsuits and plunging stock prices quickly brought finance executives' attention to a swarm of rewards-related exposures ranging from employee mistrust to failure to comply with international labor laws.
A new white paper from Deloitte lays out a taxonomy of the risks and describes an approach to minimizing unrewarded exposures -- regulatory noncompliance, for example -- while managing rewarded risks, such as investing in a new employee wellness program.
The risks fall into the following categories:
Compliance. Staying out of trouble is challenging, given the sheer volume of rules and regulations in this area and the rapid pace of change. The SEC is increasing its scrutiny of equity compensation, and the IRS, with its Focused Audit Approach, has stepped up its scrutiny of retirement plans.
Organizations may want to consider enhancing their controls and control testing, for example, by performing periodic evaluations of their compliance with the U.S. tax code, fiduciary obligations, and laws in foreign jurisdictions, and by proactively investigating the use of the IRS's remediation programs.
Administration. The procedures around the administration of employee rewards may seem an unlikely locus of risk, but this is precisely where the stock options backdating furor exploded. The difficulty of administering programs across multiple business units and across borders generates errors and inefficiencies. Companies that use third-party service providers are vulnerable to control breakdowns that often result in penalties and lawsuits.
Mitigating actions might include greater automation of processes, inclusion of SAS 70 and right-to-audit clauses in vendor contracts, and tighter control over spreadsheets.
Design. A poorly designed rewards program can expose an organization to such risks as talent shortages, budgeting and forecasting challenges, and out-of-control costs that hamstring corporate performance. To design effective programs, companies need to link them tightly to overall corporate objectives and take a long view of their likely future development. Rewards strategies that seem viable now may result in onerous obligations in the future.
Deloitte recommends a six-stage process for managing employee rewards risks:
1. Understand the context and strategy behind the company's rewards programs. Knowing the business purpose of the programs helps you decide which rewards-related risks are worth taking, and which are not.
2. Identify the major risks. Compile a list of the risks and, most important, the people and departments responsible for each one.
3. Evaluate and prioritize exposures. Decide what your overall risk tolerance is and understand how it relates to both rewarded and unrewarded risks.
4. Mitigate risks and control. Make sure that the risk owners you identified in Step 2 are addressing the highest-ranked risks from Step 3. Establish a process for continuing risk mitigation efforts into the foreseeable future.
5. Monitor, report, and evaluate risks. Like Step 4, this should be an ongoing effort, including periodic re-evaluations of the risk outlook.
6. Communicate and continuously improve. This step involves educating the employees who are responsible for employee rewards programs about how to execute the controls and their role in the risk management process. Companies should also be on the alert for opportunities to deploy new risk management tools and strategies.
Download the complete white paper from Deloitte.




















