
Manage Tomorrow's Surprises Today

Steven Minsky

SEC Proposes Accountability for ERM at the Board Level

In my January 2009 blog post, New Congressional Report: A Call to Action for ERM Regulation, I outlined the likelihood of new Enterprise Risk Management regulation and how to prepare for it. As expected, the SEC has acknowledged a lack of risk management competency in corporate America as the root cause of this economic downturn and is taking action on this matter.

Boards are now required by the SEC to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward tradeoffs throughout the enterprise. Boards are also held accountable by the SEC to review and express opinions on their involvement in the Enterprise Risk Management process. This change is intended to address the current problem: at most organizations the risk management process is isolated from both the front line and the board.

The newly required SEC ruling goes beyond the executive level to target risk management competency at all employee levels that materially impact the company. The ruling puts teeth into the requirements for reporting and measuring risk management competency by requiring evidence that the risk-reward tradeoffs in an organization's overall compensation policy are aligned with its stated appetite for risk. In other words, you get the behavior you pay for: setting compensation around risk-reward tradeoffs means embedding enterprise risk management within business units, down to the process level where employees are given incentives to make decisions.

The RIMS Risk Maturity Model for ERM, which my company developed in collaboration with the Risk and Insurance Management Society (RIMS), provides a complimentary online assessment of your organization's risk management readiness. Most importantly, it includes a personalized roadmap based on your responses that guides you through 25 practical action items to put an effective risk management process in place and achieve the risk management competency soon to be required by the SEC. Go to www.rims.org/rmm and take this 30-minute assessment to understand the big difference between risk management and compliance and what is needed to meet the new SEC requirements.

To reach front line management and monitor risk management effectiveness as required by the SEC and other regulatory agencies and governing bodies, true Enterprise Risk Management systems are needed, so beware of compliance vendors renaming their products as Governance, Risk and Compliance (GRC) products. Only purpose-built ERM solutions address the kind of risk management competency challenges facing organizations.

What are the differences between ERM and GRC systems? Here are the top three:

1. Leading versus lagging indicators: ERM is all about assessing the root cause of risks that threaten to materialize and what can be done to prevent those threats. GRC is historic in nature and reinforces documentation of controls based on lagging indicators, e.g., historic losses or compliance failures.

2. Dynamic versus static: ERM manages the risks that evolve in an ever-changing world. ERM helps set risk tolerances and assess residual and inherent risk. GRC systems focus on matching controls with static regulations for compliance purposes.

3. Risk-reward tradeoff: ERM solutions match risk at the activity level with strategy and risk tolerance set at the executive level to achieve better performance. GRC by nature is isolated from decision making and strategy and is designed to document and test controls.

The Securities and Exchange Commission proposed rule changes are posted on the SEC's website. The proposal contains requests for comment, and the new SEC rules are planned to be applicable to the 2010 proxy season.


Hello Steven

Interesting. The difference between ERM and GRC is in ways analogous to the difference between BI and EDM - passive and reactive vs. active and agile. We call BI 'the unfulfilled promise.'

Hi. I was wondering how you see process risk fitting into all this. The best definition of process risk that I have seen is "The risk of loss resulting from inadequate or failed internal processes, people and systems".

My personal interest is in how unstructured process risk fits into ERM, but I think the question holds for any type of process.

Hi Steven,

Do you have, and would you be willing to provide me, the name of a contact at the SEC? I am planning a conference on ERM for early 2010 and would like to research with the SEC and the proposed rule changes. Perhaps someone there would also like to present. Let me know if you think you can help me in this regard.


Do you know if the SEC has its own enterprise risk management program?


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is the CEO and Founder of LogicManager, the recognized leader of enterprise risk management solutions, and is also the developer of the RIMS Risk Maturity Model for Enterprise Risk Management™. LogicManager provides a common, intuitive software-as-a-service platform of scientifically validated enterprise risk management decision and diagnostic tools for more effective corporate governance, risk and compliance.
