In my last blog and On-Demand Webinar “Presenting Risk Management to the Board,” I was asked for help in identifying government regulations that hold Boards responsible for Enterprise Risk Management (ERM) compliance.
Definition: First, some background. The SEC Proxy Disclosure Enhancements rule defines ERM compliance as extending the board's role in risk oversight to the threshold of material impact of the risk, regardless of the level at which it occurs. Boards of Directors were previously only responsible for CEO-level risks, activities and decisions, but this rule extends the accountability mandate to the business process level where this material activity takes place. This includes risk management out through supply chains, as we saw with the BP oil spill in Louisiana, so private companies are not exempt.
Implementation: Sarbanes-Oxley compliance Audit Standard 5 (SOX AS5) holds management and boards accountable for a subset of Enterprise Risk Management: the risk of misstatement of an organization’s financials. The SEC disclosure rule is similar in approach, in using materiality as a threshold or measure of what needs to be controlled or mitigated, rather than prescribing which risks to cover or how to cover them; however, unlike Sarbanes-Oxley it covers all risks and there is no organizational size limitation, so small and medium-sized companies are equally on the hook for ERM compliance.
Enforcement: Enforcement of this rule is simple and powerful. Lack of disclosure and an ineffective ERM information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense. As a result, the number of SEC enforcement actions rose to 735 in 2011 from 677 in 2010. Moreover, the number of actions against investment advisers and investment companies rose to 146 in 2011 from 112 in 2010 (up 30%), with only 76 such actions in 2009 – just under half the number brought in 2011.
A corporation and its corporate officers may be held criminally liable for the acts of persons, even in the absence of any wrongdoing on their part [1]. For example, in the court case Stone v. Ritter [2] (but also In Re Caremark [3] and In Re Disney [4]) the Delaware Supreme Court affirmed the personal liability of the members of the Board of Directors and set the precedent for board accountability for effective risk monitoring. A Board of Directors' duty of care includes an obligation "… to assure that a corporate information and reporting system, which the board concludes is adequate, exists." [5]
Minimize Penalties: ERM programs now fall under compliance, and in November 2010 new incentives in the Federal Sentencing Guidelines [6] that apply to ERM permit a substantial reduction in the penalties imposed on an organization if it has established an effective ERM information and reporting system.
Risk in itself is not to be avoided, but rather embraced, since all returns have risk as a prerequisite. Simply stated in the negative, no risk equals no reward. The key to business is taking risks that have a fair compensation in terms of reward. At the heart of fairness is disclosure, and failure to disclose the risks involved, whether knowingly or unknowingly, is negligence. Therefore, a large part of the penalty is around the inability to demonstrate the extent of the board's and management’s activity in trying to “know risk” at the front line. Organizations are thus incentivized to implement true ERM software so they can benefit from the Federal Sentencing Guidelines, which offer relief for individuals and organizations from negligence claims when there is evidence of effective risk management. Like a metal detector for a needle in a haystack, ERM software uses a risk taxonomy to enable organizations to quickly identify and quantify the materiality of risks at the front-line management level and aggregate them to the board, while preserving a direct connection to mitigation activities and monitoring. As a result, ERM software greatly reduces negligence penalties.
According to leading industry analysts on ERM and GRC, “Organizations are focusing on risk management as a central issue in the GRC equation. Enterprise risk management (ERM) is now a bigger driver for GRC than regulatory compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance.”
Benefits of Software: Although there may be little difference in where the concepts of ERM and GRC theory have evolved to today, there is a very big difference in the origins of ERM vs GRC software technology and their impact. GRC was born out of prescriptive regulatory compliance, meaning a specified set of procedures that must be followed by all companies in the same way as of a specific date, whereas ERM was born out of strategic performance management, which is all about managing uncertainty in future outcomes and making cost-benefit judgments on the unique choices management makes about how to control their business. Why is this important? New software is required for major shifts in the business environment. ERM software, with its holistic approach, delivers a 60-80% gain in efficiency in time and effort by consolidating existing governance, risk and compliance activities currently done separately in silos, and reduces total internal and external audit consultancy costs by more than 15%.
General steps for risk management personnel to take, before and during an SEC investigation:
- Make sure the organization’s risk resources are adequate, so you’re prepared for the task of meeting the SEC’s demands.
- Demonstrate that the way operational controls are documented matches the way they are actually conducted.
- Examine written ERM process internal standards and evaluation criteria that quantify risk materiality.
- Provide evidence that risk assessments conducted over the past 12 months at the department manager level meet internal standards and cover all material business processes.
- Look for above-average risks that do not have corresponding risk mitigation and risk monitoring activities.
- Have a matching set of materials to back up documents given to the SEC.
The stronger and more effective the ERM program, the less severe the recommended penalty for non-compliance, negligence or fraud will be. Conversely, a weak ERM program or the lack of one will result in a harsher recommended penalty and criminal sentences. To self-assess the strength of your ERM program go to www.rims.org/rmm. This 20 minute exercise will both tell you the effectiveness of your ERM program and provide you a roadmap to meet regulatory requirements.
[1] United States v. Park, 421 U.S. 658 (1975)
[2] Stone v. Ritter, 911 A.2d 362 (Del. 2006)
[3] In re Caremark, 698 A.2d 959 (Del. Ch. 1996)
[4] In re Disney, 906 A.2d 27 (Del. 2006)
[5] In re Caremark, 698 A.2d at 970 (Del. Ch. 1996)
[6] 2011 Federal Sentencing Guidelines Manual, Chapter Eight
Recently, Gartner released its 2011 Magic Quadrant for enterprise governance, risk, and compliance (eGRC) software. While the report highlights the top vendors of eGRC, which includes LogicManager, it also identifies some revealing trends within the eGRC marketplace based on reliable consumer feedback. The most notable trend recognized is the shift towards enterprise risk management (ERM) software by eGRC programs. As Gartner states,
"ERM has emerged as the most significant use of EGRC platforms."
It used to be that compliance was by far the leading use of eGRC. Now, however, ERM is seen by business leaders as the way to provide their boards of directors with transparency, monitor the achievement of organizational goals, and be proactive on emerging risks. Overall, Enterprise Risk Management (ERM) software is now seen as the method to improve business performance.
This trend can be directly attributed to increased regulatory pressures on boards of directors. These new regulations, which came into effect in February 2010, now hold boards of directors personally accountable for risk management oversight of material risks all the way down to the front line, meaning that boards are given the choice between closing gaps in risk management or disclosing these gaps to the public. Doing neither is now considered fraud. The "we didn't know about it" defense is no longer valid.
Considering these regulations went into effect in early 2010, it comes as no surprise that Enterprise Risk Management (ERM) software capabilities became the priority for GRC programs in 2010, and continued to be in 2011. Similarly, this is now the second consecutive year that LogicManager, the leader in Enterprise Risk Management (ERM) software, has been represented in the Magic Quadrant.
So what does this all mean for risk managers?
Action must be taken. In the past it may have been sufficient to reach only senior managers for risk assessments; now, however, due to the above regulatory changes, risk managers need to engage the front line directly with risk assessments.
Risk management reporting has changed, so don't be caught waiting for your board to give direction. The board expects the risk manager to identify and assess risks across all levels and silos of the organization and reveal the gaps in reporting to the front-line. If you continue to report using senior-level assessments only, even if the board seems to be complacent, it won't be long before the board turns to someone else for risk management.
Three metrics to present at your next board meeting:
- Business Process Improvement: Engagement at the front-line - Roughly 10% of all employees are front line managers. Do the math for your organization. How many risk assessments has the front-line conducted this year? How many front-line managers do we reach? Show the board how large the gap is and determine how much liability (or gap) they are willing to accept.
- Performance Management: Linking risks to processes and goals - Of the front-line managers you're not reaching, how many risks related to strategic goals have they assessed this year that have gone unreported? The risk manager must be able to make the connections and demonstrate how these risks impact business processes and strategic goals.
- Identifying emerging risks - How many emerging risks, that front-line managers are in the position to identify, are going unaddressed? What is the degree of disconnect between the number of unaddressed risks and those that have proven, sufficient mitigation action in place?
After presenting these metrics, the next step is showing the board how the gaps in reporting can be filled. Tell them what resources are needed and what decisions need to be made; after all, the board does not want to be charged with fraud and does not want to turn away stockholders by reporting their flaws in risk management.
Learn more about the trend identified by Gartner, "ERM is seen by many regulators and business leaders as a strategic approach to achieve improved corporate governance, more transparency in the decision making of the board and senior executives, and improved performance against business objectives," and Gartner's recognition of LogicManager's completeness of vision and ability to execute in this area.