Over 60% of large companies reviewed believe they have material artificial intelligence (AI) risks, according to a new report by Deloitte and University of Southern California Marshall School of Business.
“Numerous companies disclosed multiple AI-related risks this year, with 20% of companies disclosing three or more AI-related risks,” according to the October 2024 report. “Clearly, the AI revolution is well and truly underway and posing challenges for many companies in their ability to manage the associated risks.”
This was based on an analysis of risk factors disclosed by 434 S&P 500 companies that have filed four annual reports between November 9, 2020—which was the effective date of the SEC’s final rules updated disclosure rules—and April 23, 2024. AI-related risk factors were reviewed in annual reports filed between November 8, 2023, and April 23, 2024.
The SEC updated its rules four years ago to simplify and modernize the disclosure rules in Regulation S-K, which lays out the reporting requirements for periodic reports. But the rapid advances in generative AI tools have occurred more recently.
In particular, 273 out of 434 mentioned AI risks in at least one risk factor.
Over 90% of companies in the communications business, or 14 out of 15, mentioned AI risks. The next most mentioned sector at over 80% was in IT with 37 out of 45 companies doing so, followed by financials with 56 out of 70. Energy sector was the lowest with nine out of 23.
Almost 40% of companies discussed AI risks in multiple risk factors, “a notable decrease compared to those companies disclosing this risk in a single risk factor,” the report states.
Over 15% of companies included standalone risk factors dedicated to AI.
“These risk factors often mentioned a multiplicity of AI-related risks, including financial, cybersecurity, reputational, innovation, and/or legal and regulatory risks,” the report notes.
Deloitte and the USC have jointly published a trend analysis in risk factor disclosures filed by S&P 500 companies annually since 2021. But this year’s report also took a closer look at risk factors mentioning AI. In previous years, the reviews included more in-depth analysis of cybersecurity risks and climate-related risks.
In a separate report by Deloitte in August, 58% of C-suite and board members surveyed said they are benefiting from the use of GenAI. At the same time, companies said they are concerned about their ability to compete and innovate.
But over 30% of companies said failure to innovate and incorporate AI technologies into their products and services would harm their competitive position, financial results, reputation, or customer demand. Over 30% of companies feared they might lose market share to competitors if they were unable to offer products and services with AI.
Other Findings
In the meantime, the average number of pages on risk disclosures under Item 105 of Reg S-K has increased minimally over the past year, with about 13.7 pages per company, compared to 13.6 in the third year since the SEC amended the rules four years ago. Over 45% of companies increased the number of pages this past year.
Moreover, the number of risk factors has stabilized over the past three years.
The average number per company was 31.5 in the third and the fourth year of implementation, compared to just under 31.4 in the second year, and just over 31 in the first year, and just under 31 before the rule changed. But 28% of companies still increased the number of risk factors in the past year.
Under SEC rules, companies do not need to include a risk factor summary if their risk disclosure is longer than 15 pages. And 22% included such summary in the first year of implementation, 23% in the second year, and 24% in both the third and fourth years of implementation, according to the joint report.
Companies are using headings in their disclosures, but the report said that they are often very generic. Nearly 60% of companies used the same number of headings all four years of implementation. And the average number of headings per companies was five during all four years of implementation.
The most common heading categories over the past year were:
- legal, regulatory, and compliance;
- business;
- financial;
- operational;
- cybersecurity,
- information technology,
- data security,
- privacy;
- common stock;
- economic and macroeconomic conditions;
- industry;
- strategic transactions;
- strategic;
- indebtedness;
- tax and accounting;
- market;
- intellectual property;
- human capital; and
- international operations.
Almost one-third used a “general risk factors” heading during each of the four years, which the SEC discourages.
Companies used an average of almost five risk factors under the general risk factors heading in all four years, ranging from one to 18 in the fourth year.
The report also lists five matters to consider when making risk factor disclosures:
- integrate external risk factor disclosure processes with internal enterprise risk management (ERM) reporting processes;
- aim for specificity, avoid boilerplate;
- use risk taxonomies from ERM program for headings;
- avoid generic risks; and
- shorten sentence length.
This article originally appeared in the October 18, 2024, edition of Accounting & Compliance Alert, available on Checkpoint.
Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.
