ERM Compliance and Enforcement

8028222470?profile=originalIn my last blog and On-Demand Webinar “Presenting Risk Management to the Board,” I was asked for help identifying government regulations that hold Boards responsible for Enterprise Risk Management (ERM) compliance.

Definition: First some background, the SEC Proxy Disclosure Enhancements rule defines ERM compliance as extending the board's role in risk oversight to the threshold of material impact of the risk regardless of the level. Boards of Directors were previously only responsible for CEO- level risks, activities and decisions, but this rule extends the accountability mandate to the business process level were this material activity takes place. This includes risk management out through supply chains, as we saw with the BP oil spill in Louisiana, so private companies are not exempt.

Implementation: Sarbanes-Oxley compliance Audit Standard 5 (SOX AS5) holds management and boards accountable for a subset of Enterprise Risk Management, the risk of misstatement of an organization’s financials. The SEC disclosure rule is similar in approach, in using materiality as a threshold or measure of what needs to be controlled or mitigated, rather than prescribing which risks or how to cover them; however, unlike Sarbanes-Oxley it covers all risks and there is no organizational size limitation, so small and medium sized companies are equally on the hook for ERM compliance.

Enforcement: Enforcement of this rule is simple and powerful. Lack of disclosure and an ineffective ERM information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense. As a result, the number of SEC enforcement actions rose to 735 in 2011 from 677 in 2010. Moreover, the number of actions against investment advisers and investment companies rose to 146 in 2011 from 112 in 2010 (up 30%), with only 76 such actions in 2009 – just under half the number brought in 2011.

A corporation and its corporate officers may be held criminally liable for the acts of persons, even in the absence of any wrongdoing on their part.¹ For example, in the court case Stone v. Ritter² (but also, In Re Caremark³ and In Re Disney ) the Delaware Supreme Court affirmed the personal liability of the members of the Board of Directors and set the precedent for board accountability for effective risk monitoring. Board of Director's duty of care includes an obligation "... to assure that a corporate information and reporting system, which the board concludes is adequate, exists."

Minimize Penalties: ERM programs now fall under compliance and in November 2010, new incentives to Federal Sentencing Guidelines⁶ apply to ERM permit a substantial reduction in the penalties imposed on an organization if it has established an effective ERM information and reporting system.

Risk in itself is not to be avoided, but rather embraced, since all returns have risk as a prerequisite. Simply stated in the negative, no risk equals no reward. The key to business is taking risks that have a fair compensation in terms of reward. At the heart of fairness is disclosure, and failure to disclose risks involved, whether knowingly or unknowingly, is negligence. Therefore a large part of the penalty is around the inability to demonstrate the board and management’s extent of activity in trying to “know risk” at the front line. Organizations are thus incentivized to implement true ERM software so they can benefit from Federal Sentencing Guidelines, which offers relief for individuals and organizations from negligence claims as it provides evidence of effective risk management. Like a metal detector for a needle in a haystack, ERM Software uses a risk taxonomy to enable organizations to quickly identify and quantify the materiality of risks at the front line management level and aggregate to the board while preserving a direct connection to mitigation activities and monitoring. As a result, ERM software greatly reduces negligence penalties.

According to leading industry analysts on ERM and GRC, “Organizations are focusing on risk management as a central issue in the GRC equation. Enterprise risk management (ERM) is now a bigger driver for GRC than regulatory compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance.”

Benefits of Software: Although there may be little difference in where the concepts of ERM or GRC theory have evolved to today, there is a very big difference in ERM vs GRC software technology origins and the impact. GRC was born out of prescriptive regulatory compliance, meaning a specified set of procedures that must be followed by all companies in the same way as of a specific date. Whereas ERM was born out of strategic performance management, which is all about managing uncertainty in future outcomes and making cost-benefit judgments on the unique choices management makes about how to control their business. Why is this important? New software is required for major shifts in the business environment. New software is required for major shifts in the business environment. ERM software with its holistic approach delivers a 60-80% gain in efficiency in time and effort by consolidating current governance, risk, and compliance activities currently done separately in silos and reduces total internal and external audit consultancy costs by more than 15%.

General steps for risk management personnel to take, before and during an SEC investigation:

  • Make sure the organization’s risk resources are adequate, so you’re prepared for the task of meeting the SEC’s demands.
  • Demonstrate that the way operational controls are documented match the way they actually conducted.
  • Examine written ERM process internal standards and evaluation criteria that quantify risk materiality
  • Provide evidence of risk assessments conducted over the past 12 months at the department manager level meet internal standards and cover all material business processes.
  • Look for above average risks that do not have risk mitigation and risk monitoring activities corresponding to them
  • Have a matching set of materials to back up documents given to the SEC.

The stronger and more effective the ERM program, the less severe the recommended penalty for non-compliance, negligence or fraud will be. Conversely, a weak ERM program or the lack of one will result in a harsher recommended penalty and criminal sentences. To self-assess the strength of your ERM program go to This 20 minute exercise will both tell you the effectiveness of your ERM program and provide you a roadmap to meet regulatory requirements.

¹ United States v. Park, 421 U.S. 658 (1975)
² 911 A.2d 362 (Del. 2006)
³ 698 A. 2d 959 - Del: Court of Chancery, 1996
906 A. 2d 27 - Del: Supreme Court, 2006
698 A.2d at 970 - Del: Court of Chancery, 1996
Federal Sentencing Guidelines Manual, Chapter Eight

Votes: 0
E-mail me when people leave their comments –

Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his precinct abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!