ERM and Risk Appetite may Derail SoulCycle's IPO

Last month, SoulCycle, a well-known high-end cycling business, filed for an initial public offering. In the midst of this exciting transition from private to public, SoulCycle was hit with a lawsuit for violating the Credit Card Accountability and Disclosure Act. One might assume that the company was outed by a compliance agency or regulator. But, surprisingly, this lawsuit comes from a disgruntled former customer, Rachel Cody, who felt she was being "robbed" by the cycling mogul she once trusted.

According to the report, "The lawsuit alleges that SoulCycle's practice of not allowing customers to directly pay for classes, instead requiring them to purchase 'Series Certificates,' is not a fair and transparent practice." How does this violate the Credit Card Accountability and Disclosure Act? In order to abide by the act, a company must "establish fair and transparent practices relating to the extension of credit under an open end consumer credit plan." Cody claims SoulCycle violated this act with inexplicably short expiration periods, and without advance notice. These expiration periods were much shorter than those mandated by federal and state laws.

With an industry fueled by customer satisfaction and return rate, did SoulCycle adequately assess the risks of their pricing packages? Furthermore, in light of SoulCycle's upcoming IPO, what damage might this lawsuit do to its chances of producing windfall profit?

How can Actionable Risk Appetite Statements Help?

How could SoulCycle have taken steps to mitigate litigation risks related to customer dissatisfaction? Was any thought devoted to the risk associated with such drastic participation policies, regardless of whether they met the minimal regulatory compliance standards?

A crucial finding from this story is the absence of a risk appetite statement, which according to ISO 31000 is, "the amount and type of risk that an organization is prepared to pursue, retain or take."

With actionable risk appetite statements, SoulCycle can set the broad levels of risk deemed acceptable surrounding customer satisfaction. A missing risk appetite statement indicates the weakness of their ERM program. Organizations then need to narrow the scope of their risk appetite statements and achieve more granularity by defining their corresponding risk tolerances. For SoulCycle, these risk tolerances may have been measures of customer satisfaction, participation rates, or revenue driven from related programs, all of which would help weigh the risks and rewards associated with their class enrollment policies. In doing so, an organization has the ability to articulate acceptable risks, strengthen controls, and resolve tensions in the business plan.

By utilizing an ERM solution, risk appetites and risk tolerances are continuously monitored to test and track the true effectiveness of activities. According to Business Insider, Cody is not the only frustrated former customer. The lawsuit states that tens of thousands of customers were impacted, and that this risk is identifiable and ascertainable based on SoulCycle's records.

Clearly, another weakness of their ERM program is that their risk assessments do not reach the front line to surface risks known to managers and other employees at each location. This leaves senior leadership and the board blindsided by risk. Therefore regulators and standards bodies, such as the SEC, PCAOB, and even the State of New York (where SoulCycle is headquartered), require corporations to declare the effectiveness of their ERM programs and provide the evidence to back it up. In 2010, the SEC changed risk management rules. Now, not knowing about a risk is negligence, and there is no need to establish intent to commit fraud for the full penalties and liabilities to be enforced. That is one of the reasons why SoulCycle is so vulnerable to litigation. Had they utilized an Enterprise Risk Management program, not only would the risk likely have been discovered sooner and the damage prevented, but SoulCycle would have been protected from punitive damages and other penalties for negligence.

Without an ERM software solution to objectively assess complaints, the risk went unaddressed, causing major reputation and retention risks, as well as lawsuits alleging the company misled its consumers. With an ERM solution, the risk would have been escalated to senior management and the board much sooner, thus triggering an evolution of the related risk mitigation practices.


For more information on adopting actionable risk appetite and risk tolerance statements, download LogicManager's eBook, "5 Steps towards an Actionable Risk Appetite."



Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient abilities to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
