In my last blog and On-Demand Webinar “Presenting Risk Management to the Board,” I was asked for help in identifying government regulations that hold Boards responsible for Enterprise Risk Management (ERM) compliance.
Definition: First, some background. The SEC Proxy Disclosure Enhancements rule defines ERM compliance as extending the board's role in risk oversight down to the threshold of material impact of a risk, regardless of the level at which it occurs. Boards of Directors were previously only responsible for CEO-level risks, activities and decisions, but this rule extends the accountability mandate to the business process level where the material activity takes place. This includes risk management out through supply chains, as we saw with the BP oil spill in Louisiana, so private companies are not exempt.
Implementation: Sarbanes-Oxley compliance Auditing Standard 5 (SOX AS5) holds management and boards accountable for a subset of Enterprise Risk Management: the risk of misstatement of an organization’s financials. The SEC disclosure rule is similar in approach, in that it uses materiality as the threshold or measure of what needs to be controlled or mitigated, rather than prescribing which risks to cover or how to cover them; however, unlike Sarbanes-Oxley it covers all risks and has no organizational size limitation, so small and medium-sized companies are equally on the hook for ERM compliance.
Enforcement: Enforcement of this rule is simple and powerful. Lack of disclosure and an ineffective ERM information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense. As a result, the number of SEC enforcement actions rose to 735 in 2011 from 677 in 2010. Moreover, the number of actions against investment advisers and investment companies rose to 146 in 2011 from 112 in 2010 (up 30%), with only 76 such actions in 2009 – just under half the number brought in 2011.
A corporation and its corporate officers may be held criminally liable for the acts of persons, even in the absence of any wrongdoing on their part.[1] For example, in the court case Stone v. Ritter[2] (but also In Re Caremark[3] and In Re Disney[4]) the Delaware Supreme Court affirmed the personal liability of the members of the Board of Directors and set the precedent for board accountability for effective risk monitoring. A Board of Directors’ duty of care includes an obligation "… to assure that a corporate information and reporting system, which the board concludes is adequate, exists."[5]
Minimize Penalties: ERM programs now fall under compliance, and in November 2010 new incentives in the Federal Sentencing Guidelines[6] that apply to ERM permit a substantial reduction in the penalties imposed on an organization if it has established an effective ERM information and reporting system.
Risk in itself is not to be avoided but rather embraced, since all returns have risk as a prerequisite. Simply stated in the negative, no risk equals no reward. The key to business is taking risks that have fair compensation in terms of reward. At the heart of fairness is disclosure, and failure to disclose the risks involved, whether knowingly or unknowingly, is negligence. Therefore a large part of the penalty turns on the inability to demonstrate the extent of the board's and management’s activity in trying to “know risk” at the front line. Organizations are thus incentivized to implement true ERM software so they can benefit from the Federal Sentencing Guidelines, which offer relief for individuals and organizations from negligence claims because the software provides evidence of effective risk management. Like a metal detector for a needle in a haystack, ERM software uses a risk taxonomy to enable organizations to quickly identify and quantify the materiality of risks at the front-line management level and aggregate them up to the board while preserving a direct connection to mitigation activities and monitoring. As a result, ERM software greatly reduces negligence penalties.
According to leading industry analysts on ERM and GRC, “Organizations are focusing on risk management as a central issue in the GRC equation. Enterprise risk management (ERM) is now a bigger driver for GRC than regulatory compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance.”
Benefits of Software: Although there may be little difference in where the concepts of ERM and GRC theory have evolved to today, there is a very big difference in the origins of ERM and GRC software technology and in their impact. GRC was born out of prescriptive regulatory compliance, meaning a specified set of procedures that must be followed by all companies in the same way as of a specific date. ERM, by contrast, was born out of strategic performance management, which is all about managing uncertainty in future outcomes and making cost-benefit judgments on the unique choices management makes about how to control its business. Why is this important? New software is required for major shifts in the business environment. ERM software, with its holistic approach, delivers a 60-80% gain in efficiency in time and effort by consolidating existing governance, risk and compliance activities currently done separately in silos, and reduces total internal and external audit consultancy costs by more than 15%.
General steps for risk management personnel to take, before and during an SEC investigation:
- Make sure the organization’s risk resources are adequate, so you’re prepared for the task of meeting the SEC’s demands.
- Demonstrate that the way operational controls are documented matches the way they are actually conducted.
- Examine written ERM process internal standards and the evaluation criteria that quantify risk materiality.
- Provide evidence that risk assessments conducted over the past 12 months at the department manager level meet internal standards and cover all material business processes.
- Look for above-average risks that do not have corresponding risk mitigation and risk monitoring activities.
- Have a matching set of materials to back up the documents given to the SEC.
The stronger and more effective the ERM program, the less severe the recommended penalty for non-compliance, negligence or fraud will be. Conversely, a weak ERM program, or the lack of one, will result in a harsher recommended penalty and criminal sentences. To self-assess the strength of your ERM program, go to www.rims.org/rmm. This 20-minute exercise will both tell you the effectiveness of your ERM program and provide you a roadmap to meet regulatory requirements.
[1] United States v. Park, 421 U.S. 658 (1975)
[2] Stone v. Ritter, 911 A.2d 362 (Del. 2006)
[3] In Re Caremark, 698 A.2d 959 (Del. Ch. 1996)
[4] In Re Disney, 906 A.2d 27 (Del. 2006)
[5] In Re Caremark, 698 A.2d at 970 (Del. Ch. 1996)
[6] 2011 Federal Sentencing Guidelines Manual, Chapter Eight
The presidential commission stated that compliance, the focus of GRC efforts, was not a key cause of the Deepwater Horizon disaster. It concluded instead that BP's lack of governance, that is, of an ERM approach to risk management, was the root cause of the failure.
The commission reported that, "BP did not have adequate controls in place to ensure that key decisions in the months leading up to the blow-out were safe or sound from an engineering perspective."
This report confirms what we have been saying since 2006 in our blogs BP Oil Pipeline Leak: A Cry for Enterprise Risk Management and Don't Let BP's Disaster Happen to You; in those blog entries we showed that BP had failed to identify key vendor risks and depended too heavily on quantitative models to make decisions.
Following both incidents, written notifications from employees surfaced that identified critical risks that had not been addressed, and that showed BP lacked a risk management infrastructure able to reach front-line managers and prioritize these unresolved issues.
An oil rig blowout that could cost billions in losses and clean-up is certainly a risk BP can manage; however, it is the gaps between silos (vendor management) and the consequences of those gaps that blindside them in their most critical core competency areas. As long as this blind side exists, the accidents will continue to occur.
There are far too many controls to spend resources on all of them equally. If BP were using an ERM approach, they would have identified which controls were managing the riskiest issues and put their resources on those most impactful controls.
GRC misses the point; more money allocated to safety regulations is not going to solve the problem. You can spend all you like on compliance, but it's a waste of time unless you can use a risk-based approach to prioritize resources toward the issues that matter most and deliver actual business value.
Here are the top three things that BP should do now:
- Connect vendor risk to business processes based on the impact of their products and services.
- Have front-line process owners assess their risks.
- Use standards in risk assessment criteria to make priorities comparable across business silos.
Can you measure the degree to which your risk management activities contribute to your organization's bottom line? Go to the RIMS Risk Maturity Model (RMM) and take the RIMS RMM assessment to get your score and specific action items on what to do next based on your score.
Everyone closely followed the BP saga that began last spring. Could this reputational and environmental catastrophe have been avoided by uncovering weaknesses in their risk management program? The disaster, which is estimated to cost the company up to $37 billion, left a resounding fear in everyone's mind: could something like this happen to my company? Can I help my company be better prepared?
To these three questions, the answer is simply yes.
Now-former BP CEO Tony Hayward said soon after the disastrous explosion on the Deepwater Horizon rig: "This was not our accident ... This was not our drilling rig ... This was Transocean's rig. Their systems. Their people. Their equipment." But, at the end of the day, as BP has now admitted, the company is held "ultimately responsible" for the spill and cleanup. Every organization, including yours, outsources activities to vendors, but you still own the risk of those activities.
How are you managing your vendor relationship risks today to assure that what happened at BP doesn't happen on your watch? Can you quickly identify which of your vendors are critical? Do you know which vendors you rely upon to achieve each of your strategic imperatives? How can you be sure that you are not missing the combination of vendors, products and processes that combine to create a career-ending scenario?
Had BP asked some of these crucial questions, they could have discovered the weaknesses in their vendor management and program oversight risk plans. You may already be working on these issues and may have some answers. In my blog post of October 2006, BP Oil Pipeline Leak: A Cry for Enterprise Risk Management, I outlined the opportunity to get ready for their next big disaster. Perhaps this time lessons can be learned by BP and others, as unexpected events tend to occur every four years.
How can you measure the risk management capability at your organization? Go to the RIMS Risk Maturity Model (RMM) and score your risk program on 25 key factors and their underlying competency drivers. Your RMM score highlights the root causes of your organization's vulnerabilities so that you can combat your risk at the source of the problem. Take away one lesson from BP: assess your RMM score and begin to find the weaknesses in your risk management program.
Whenever there is a disaster or an event that causes losses, it is usually proven that one or several employees in middle management or on the front lines had been forecasting the event years before, but no action had been taken. The recent story of British Petroleum’s oil pipeline leak in Alaska is no different. The headline from the CNN news story, BP was warned, this week reads: “Interviews with employees and a 2002 letter predicting 'catastrophe' show that BP’s problems should have come as no surprise to management.”
According to the article, “One current BP employee who worked at both Prudhoe Bay and in Texas and spoke to Fortune on condition of anonymity says no one should be surprised by what eventually occurred. 'The mantra was, Can we cut costs 10 percent?' he recalls.”
How can such bad decisions be made by such smart people? The answer is found in over-reliance on quantitative analysis. There is a philosophy among some risk managers that all answers can be found in deep quantitative analysis of the numbers in databases to detect patterns. This is true for high-frequency risks. However, for low-frequency, high-impact risks (like the BP oil leak), quantitative analysis will often lead to incorrect decisions, or to more analysis with no decision at all. First, there is insufficient historical data to analyze, and many possible outcomes can easily and incorrectly be “fit to the data”. Second, with too little data, the patterns of correlation and dependency, and therefore the big-picture ramifications, cannot be easily understood.
The solution is Enterprise Risk Management (ERM). ERM is an iterative and sequential series of steps that uses risk self-assessment (the process of identifying and evaluating risks with regard to their potential impact and likelihood, as well as the related controls) followed by the subsequent risk management process of control evaluation, action plan definition, and monitoring of risks and of implementation progress. Enterprise Risk Management starts with a holistic and qualitative approach to first identify all the possible root causes of an issue, and then systematically helps quantify the total risk consequence, taking all the possibilities into consideration with scenario analysis and, if needed, quantitative analysis.
Quantitative analysis is expensive and very narrow in applicability. Enterprise Risk Management is all about the best practice of performing a self-assessment and scenario analysis before deciding where, when and how to invest in a deeper quantitative analysis such as loss database approaches. With ERM, management can weigh the full costs against the benefits to make a better decision. Click here to watch a 5-minute video to learn how to make your organization's risk management program more strategic by building the connections between risks, activities, and the goals they impact.