
Manage Tomorrow's Surprises Today

Steven Minsky

New Congressional Report: A Call to Action for ERM Regulation


Yesterday the Congressional panel overseeing the Troubled Asset Relief Program (TARP) released a scathing report on the regulatory failures that led to the current financial crisis: the Congressional Oversight Panel Special Report on Regulatory Reform.

The report concluded "The regulatory system not only failed to manage risk, but also failed to require disclosure of risk through sufficient transparency".

This Congressional report is a call to action that Enterprise Risk Management should be part of new, stronger regulatory oversight. The report's discovery of faults and its recommendations for correction scream ERM as a solution. For example, one of the 68 RIMS Risk Maturity Model for Enterprise Risk Management standards, "Risk management competence is part of managers' performance reviews", is clearly articulated as one of the top eight action items for immediate implementation.

First, the report outlines the failure of private sector risk management in devoting relatively little attention to risk assessment. The ERM guidelines contained in the RIMS Risk Maturity Model for ERM show step-by-step how best practices for risk assessments can be effectively adopted and performed. The Congressional report also points out the failure of rating agencies to recognize how severely they had underestimated the key risk. Rating agencies have made progress by including ERM evaluation criteria within their rating processes. However, it is important for new regulation to require them to formalize their ERM policies for this forward-looking indicator of business performance and make their ERM evaluation criteria more transparent. This formalization is needed to address the appearance of alleged inside dealings and conflicts of interest and restore confidence in their rating process outcomes.

The Congressional report also highlighted the failure of public risk management to control the worst financial excesses and abuses long before the crisis took hold. The report lays the foundation for ERM to be included in new regulation, naming the government "as the nation's ultimate risk manager".

The third major topic of the report is the failure to require sufficient transparency, and it is here that the new regulation must require corporations to not only disclose risk, but also demonstrate their competency in risk management in the systems and processes they use to manage risk.

The recently published RIMS State of ERM 2008 Report documented that 96 percent of organizations lack sufficient risk management competency for repeatable and sustainable ERM programs. We have seen this in the 10-K disclosures of public companies that are in distress today: they either did not mention the risks or severely underestimated the risks that are affecting them just 6 to 8 months later. Therefore, the emphasis of new regulations need to require corporations to increase that competency by formalizing and building their enterprise risk management infrastructures as European countries have done several years ago. New regulations in the United States must add this same kind of teeth to require organizations to make those disclosures meaningful.

Today, organizations in the United States are not required to go into depth on how they identify risk, set risk tolerances and provide evidence of effectiveness. Since June 2006, boards of directors in the United Kingdom, for example, have been held accountable by the Combined Code on Corporate Governance to review and express opinions on their Enterprise Risk Management processes and systems.

Organizations unfortunately do what they have to do first, which leaves little time left over for what they should do, and that is why we are in the mess we are in today. As the report confirms, without Enterprise Risk Management regulatory oversight, organizations both public and private will destroy themselves (and our retirement investments and jobs along with them) unless they have the required risk management competency to perform in the ever faster changing and integrated world that we live in.



Very interesting idea, but I'm not sure that your reference to the UK Combined Code is very encouraging - despite the Code, UK companies do not appear to have done any better than US companies in anticipating or managing risks.

If, for example, you mean BASEL II when saying 'Therefore, the emphasis of new regulations need to require corporations to increase that competency by formalizing and building their enterprise risk management infrastructures as European countries have done several years ago', it would be interesting to know how it helped banks in European countries to avoid or soften the credit risk crisis.

Even if some are ‘formalizing and building their enterprise risk management infrastructures’, what would be the guarantees that this infrastructure would be applied rather than made ‘realistic’, i.e. compromised to ease the enterprise risk management?



In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is the CEO and Founder of LogicManager, the recognized leader of enterprise risk management solutions, and is also the developer of the RIMS Risk Maturity Model for Enterprise Risk Management™. LogicManager provides a common, intuitive software-as-a-service platform of scientifically validated enterprise risk management decision and diagnostic tools for more effective corporate governance, risk and compliance.
