In my last blog and On-Demand Webinar "Presenting Risk Management to the Board, "I was asked for help in identifying government regulations that hold Boards responsible for Enterprise Risk Management (ERM) compliance.
Definition: First some background, the SEC Proxy Disclosure Enhancements rule defines ERM compliance as extending the board's role in risk oversight to the threshold of material impact of the risk regardless of the level. Boards of Directors were previously only responsible for CEO level risks, activities and decisions, but this rule extends the accountability mandate to the business process level were this material activity takes place. This includes risk management out through supply chains, as we saw with the BP oil spill in Louisiana, so private companies are not exempt.
Implementation: Sarbanes-Oxley Compliance Audit Standard 5(SOX AS5) holds management and boards accountable for a subset of Enterprise Risk Management, the risk of misstatement of an organization's financials. The SEC disclosure rule is similar in approach, in using materiality as a threshold or measure of what needs to be controlled or mitigated, rather than prescribing which risks or how to cover them; however, unlike Sarbanes-Oxley it covers all risks and there is no organizational size limitation, so small and medium sized companies are equally on the hook for ERM compliance.
Enforcement: Enforcement of this rule is simple and powerful. Lack of disclosure and an ineffective ERM information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense. As a result, the number of SEC enforcement actions rose to 735 in 2011 from 677 in 2010. Moreover, the number of actions against investment advisers and investment companies rose to 146 in 2011 from 112 in 2010 (up 30%), with only 76 such actions in 2009 - just under half the number brought in 2011.
A corporation and its corporate officers may be held criminally liable for the acts of persons, even in the absence of any wrongdoing on their part.¹ For example, in the court case Stone v. Ritter² (but also, In Re Caremark³ and In Re Disney⁴ ) the Delaware Supreme Court affirmed the personal liability of the members of the Board of Directors and set the precedent for board accountability for effective risk monitoring. Board of Director's duty of care includes an obligation "... to assure that a corporate information and reporting system, which the board concludes is adequate, exists."⁵
Minimize Penalties: ERM programs now fall under compliance and in November 2010, new incentives to Federal Sentencing Guidelines⁶ apply to ERM permit a substantial reduction in the penalties imposed on an organization if it has established an effective ERM information and reporting system.
Risk in itself is not to be avoided, but rather embraced, since all returns have risk as a prerequisite. Simply stated in the negative, no risk equals no reward. The key to business is taking risks that have a fair compensation in terms of reward. At the heart of fairness is disclosure, and failure to disclose risks involved, whether knowingly or unknowingly, is negligence. Therefore a large part of the penalty is around the inability to demonstrate the board and management's extent of activity in trying to "know risk" at the front line. Organizations are thus incentivized to implement true ERM software so they can benefit from Federal Sentencing Guidelines, which offers relief for individuals and organizations from negligence claims as it provides evidence of effective risk management. . Like a metal detector for a needle in a haystack, ERM Software uses a risk taxonomy to enable organizations to quickly identify and quantify the materiality of risks at the front line management level and aggregate to the board while preserving a direct connection to mitigation activities and monitoring. As a result, ERM software greatly reduces negligence penalties.
According to leading industry analysts on ERM and GRC, "Organizations are focusing on risk management as a central issue in the GRC equation. Enterprise risk management (ERM) is now a bigger driver for GRC than regulatory compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance."
Benefits of Software: Although may be little difference in where the concepts of ERM or GRC theory have evolved to today, there is a very big difference in ERM vs GRC software technology origins and the impact. GRC was born out of prescriptive regulatory compliance, meaning a specified set of procedures that must be followed by all companies in the same way as of a specific date. Whereas ERM was born out of strategic performance management, which is all about managing uncertainty in future outcomes and making cost-benefit judgments on the unique choices management makes about how to control their business. Why is this important? New software is required for major shifts in the business environment. ERM software with it's holistic approach delivers a 60-80% gain in efficiency in time and effort by consolidating existing governance risk and compliance activities currently done separately in silos and reduces total internal and external audit consultancy costs by more than 15%.
General steps for risk management personnel to take, before and during an SEC investigation:
- Make sure the organization's risk resources are adequate, so you're prepared for the task of meeting the SEC's demands.
- Demonstrate that the way operational controls are documented match the way they actually conducted.
- Examine written ERM process internal standards and evaluation criteria that quantify risk materiality
- Provide evidence of risk assessments conducted over the past 12 months at the department manager level meet internal standards and cover all material business processes.
- Look for above average risks that do not have risk mitigation and risk monitoring activities corresponding to them
- Have a matching set of materials to back up documents given to the SEC.
The stronger and more effective the ERM program, the less severe the recommended penalty for non-compliance, negligence or fraud will be. Conversely, a weak ERM program or the lack of one will result in a harsher recommended penalty and criminal sentences. To self-assess the strength of your ERM program go to www.rims.org/rmm. This 20 minute exercise will both tell you the effectiveness of your ERM program and provide you a roadmap to meet regulatory requirements.
¹ United States v. Park, 421 U.S. 658 (1975)
² 911 A.2d 362 (Del. 2006)
³ 698 A. 2d 959 - Del: Court of Chancery, 1996
⁴ 906 A. 2d 27 - Del: Supreme Court, 2006
⁵ 698 A.2d at 970 - Del: Court of Chancery, 1996
⁶ Federal Sentencing Guidelines Manual, Chapter Eight