Managing Risk While Managing your Stock PlanWhat should and shouldn’t

be keeping you up at night

Managing Risk While Managing Your Stock Plan

Introductions

• Carine Schneider, CEO, Equity Administration Solutions, Inc.

Agenda

• Data Privacy• Software Model• Outsourcing• Plan Interpretation• Plan Set-up• SAS 70s

Data Privacy

• Understanding the EU Data Privacy Directive– Company obtain consent from participants before

data can be shared with a third party.– Consent must cover what data is being shared and

for what purpose.– Consent to share data should be part of the

communication of grants to participants, but be careful about how consent is requested in order not to violate the Directive with the request.

– Safe Harbor exception for processing in the United States

Data Privacy

• Data Privacy in the United States– No overarching rules.– Massachusetts is currently the most stringent

standard, and thus serves as a good guide to follow.– Need to assign an individual or a group to be

responsible for risk mitigation.– Encryption is required for sensitive data.– Comprehensive training on security standards and

procedures is required.– Review where data is housed and secured.

Software Models-The ‘pros’

• SaaS– Less demand from

internal IT– May be more globally

accessible for a mobile or remote administration team

– Scaling to future growth is easier (you’ve outsourced the problem)

• Server– Control over which

version of the software you are on

– Vendor Risk Assessment is limited to the development process, as hosting is your own environment

– May reduce issues related to data privacy

Software Models-The ‘cons’

• SaaS– Less control over

software version and changing browser compatibility

– Increases Vendor Risk Assessment requirements

– May increase data privacy requirements

• Server– May be difficult to

predict the cost of running the program into the future

– Transition to new versions of software poses a burden to the stock admin team as well as IT

To Outsource…

• What audit controls are in place?• What is the knowledge base of the people

administering your plan?• What technology is being leveraged to

administer your plan?• Is your entire participant base being cared for?• Who can you call?• Are your procedures written out? Do all parties

understand their part in the process?

Or Not to Outsource?

• How is access to data controlled?• How will the plan be supported on a day-to-

day basis? What cross-training exists?• How is ongoing education being handled? Are

all disciplines of share plan functionality being addressed?

• How well understood is the technology being used? (reference the earlier discussion on technology models)

Plan Interpretation

• Discrepancies between plan documents and grant agreements– Termination type definitions– Changes to definitions, how are they phased in?

• Ramifications of modifications– Be sure to discuss any proposed grant

modifications with accounting, tax, and legal– Document your process for modifications so

that they can be handled the same way each time

Plan Set-up

• Share Reserve– Be sure to track changes over time– Limits on award types– Fungible shares

• Rounding rules– Vesting– Share withholding

• FMV definitions

SAS 70, What does it really mean?

• SAS 70 is an audit style that gained popularity in the US with the passage of Sarbanes Oxley (SOX)

• This audit report should be available from most US based vendors of share plan administration, related software, or transaction processing services

• Audit does NOT confirm that your financial reporting is correct, only that it is performed in an environment with the proper controls in place

• As the issuing company, be aware that some of the controls are your responsibility

Questions?

• Carine Schneider– carine.schneider@easiadmin.com– 1-925-730-4343