WASHINGTON—Most public companies must comply with federal risk management disclosure rules that go into effect in about two weeks.

The risk management disclosure requirements are part of a broader corporate governance document that the Securities & Exchange Commission approved in December. The rules, which take effect Feb. 28, require disclosures in proxy and information statements about:

c The relationship of a company's compensation policies and practices to risk management;

c The background and qualifications of directors and nominees;

c Legal actions involving a company's executive officers, directors and nominees;

c The consideration of diversity in the process by which candidates for director are identified;

c Board leadership structure and the board's role in risk oversight;

c Stock and option awards to company executives and directors; and

c Potential conflicts of interests of compensation consultants.

The requirement would not apply to some small public companies.

Matt Allen, global practice leader-enterprise risk services and solutions at Marsh Inc. in New York, said the provision dealing with the board's role in risk oversight is raising a lot of questions. The language is subject to considerable interpretation, such as what oversight means and what has to be actively disclosed, he said.

A briefing paper issued by Marsh this month recommends several actions that organizations should take. These include instituting or refining an enterprise risk management process, implementing one of the best practices structures in risk oversight, conducting a compensation risk assessment, educating the board on its role in the risk management process, and instituting a streamlined risk reporting function.

Board members need to be educated as to what they should be doing, what they need to be asking and where they “really intersect” with the ERM activities, said Mr. Allen. The CEO, chief financial officer or someone in legal or compliance activities should be telling board members what they need to do, he said, adding that the chief risk officer should be involved in the educational effort as well.

At Melbourne, Fla.-based Harris Corp., the risk manager already is involved.

“I have been given the role of heading our ERM efforts,” said Rick Broderick, director-risk management at the international communications and information technology company. “As we start going through that, that will include making sure we are aware of what the SEC requirements are and setting up the procedures to assure compliance,” he said.

“Harris has a fairly robust ERM process,” Mr. Broderick said. “We have a committee that involves very senior folks,” he said. “The corporate sponsor is our CFO in communicating with board.

“It's a very good process. We think what we've already been doing in the past meets that requirement. We are continuing to walk through it. We'll be in compliance, we believe,” Mr. Broderick said.

A veteran risk management professional hailed the move, but warned that simply emphasizing enterprise risk management is not enough.

“That truly has been a long time coming,” said Lance Ewing, former vp-risk management for Harrah's Entertainment Inc. in Las Vegas and a former president of the Risk & Insurance Management Society Inc. “The focus on enterprise risk management, while it's important and I think it's a step in the right direction,” there were companies that had ERM processes in place and still failed during the economic downturn.

Mr. Ewing said those overseeing ERM need to have direct contact with the board and “have the audit committee's ear on a regular basis.”

The SEC's approach is a “vast undertaking,” said Derrick Neuhauser, a partner in international consulting firm BDO Seidman L.L.P.'s, Chicago office. “The SEC, I believe, is hoping for this area to be covered quite extensively,” he said.

Companies will have “to evaluate every incentive plan they have in the organization.” That raises the question of “what part of the board is going to take ownership of this responsibility? Is it a governance issue? Is it an audit committee issue, should the compensation committee tackle it?” Mr. Neuhauser said. “There's a lot of scrambling going on.”

Marsh's Mr. Allen said he's looking at the process from a shareholder's perspective. “All I'm asking is get a little more formal about how they manage risk. Is that too much to ask?”