Enterprise Risk Management

ERM: Slow movement or no movement?

Companies need to move apace to set up ERM programs to reassure investors and raters

By Michael J. Moody, MBA, ARM


If a company’s ERM program is implemented and formal risk assessment is completed, executives may be in a better position should a lawsuit ensue.… An ERM program may in fact provide corporate officers and directors with a “Do Not Go To Jail” card.

Over the past several years, Rough Notes has documented the rise of the enterprise risk management (ERM) concept. We have attempted to report on the many benefits that can be achieved by moving away from the traditional silo approach to risk management toward a more holistic view. Central to this evolution is the ability to view risk from both a loss and an opportunity standpoint. Such a long-term view makes it clear that ERM can provide a value-creation dimension that is simply not available under the silo approach to risk management.

We have also chronicled some of the roadblocks to successful ERM implementation. Among the critical issues that appear to be holding ERM back from attaining its ultimate value are:

• Lack of a common definition of ERM

• Lack of appropriate tools and technology

• Lack of appropriate leadership

Obviously, all three of these items are necessary to provide the measured growth needed to advance the ERM concept. It should be noted, however, that the past few months have seen a number of advancements and solutions that mitigate several of these issues.

ERM assistance

Among the most helpful advances has been the publication of the COSO “Enterprise Risk Management—Integrated Framework.” While there has been some resistance to the approach that COSO has outlined in the Framework, it’s time to face reality. This is a complete, well-thought-out ERM foundation and, when combined with the companion “Application Techniques” volume, provides a good starting point for any organization’s ERM efforts. As the document’s authors point out, it was intended only as a starting point; further refinement will need to be completed at an industry or individual company level. In addition, a variety of software products have been introduced since the release of the COSO document. Many of these applications can assist with one or more of the critical tasks associated with successful ERM implementation, thereby accelerating the implementation phase.

Despite these advancements, it appears that ERM is still experiencing only modest growth. Certainly, the lack of leadership has hampered the growth of ERM, but another roadblock continues to stall ERM efforts: management’s inability to move past the concept of insurability that is intertwined with traditional risk management. Historically, corporate risk managers have limited their focus to the insurability silo. As a result, many C-suite executives, as well as corporate risk managers, still think of risk management in terms of insurable risks. This view is quite narrow and extremely limiting, since it confines risk management to the “chance of loss or no loss” category. It is one of the key reasons why corporate risk management has rarely received the attention in the boardroom that it deserves.

Movement must occur

Despite some initial setbacks, the time is at hand for ERM to flourish. While it is obvious that ERM is still a “work in progress,” organizations must begin to embrace the concept and integrate the ERM model into their corporate culture. In fact, the time has passed for simply adopting the ERM model; corporations must now elevate ERM to a strategic imperative. Worldwide, there is ample evidence that additional regulatory and legislative initiatives directed at corporate wrongdoing will continue. In the United States, the Sarbanes-Oxley Act of 2002 (SOX) offers a glimpse into the future direction of regulatory efforts. Over the past few years, many major corporations have made a significant commitment, in both time and money, to SOX compliance. Unfortunately, some companies believe that SOX compliance is the end of the journey. In reality, SOX compliance is just the starting point, and ERM is the destination.

In addition to the federal SOX requirements, there has been a flurry of regulatory activity within the major stock exchanges, most notably the NYSE. The NYSE has drafted rules that would require senior management and corporate directors to certify their knowledge of the organization’s current and future risks. The rules go one step further by requiring certification regarding the specific programs that are in place to manage those risks. Most experts agree that it will be very difficult to provide such certification without the benefit of an ERM program.

Despite its slow acceptance, ERM is finally taking its place as a foundation for strategic risk management. While hard numbers are still difficult to come by, the consulting firm Deloitte has stated that Fortune 500 companies are now addressing their ERM requirements. Deloitte estimates that somewhere between one-third and one-half of all Fortune 500 companies are in various stages of ERM implementation. These figures indicate a major movement of the concept beyond the financial services sector, where ERM principles were first introduced.

A life preserver

The well-publicized events surrounding corporate wrongdoing over the past several years provide a clear indication of the trend toward making corporate officers and directors personally responsible and accountable for their actions. Without question, corporate America should treat these legal actions as a warning shot across its bow. While some people may believe that jail time for Martha Stewart was just some kind of PR stunt, it shows just how serious these actions can be. And as several recent settlements with outside directors illustrate, these actions can be costly. While directors and officers liability coverage has provided some protection in the past, such acts are now treated as exclusions, so coverage will be limited. The future trend is clear: corporate wrongdoing will result in personal monetary penalties and/or jail time for those convicted.

All of this new review and scrutiny has put intense pressure on non-employee directors. Corporations nationwide are having to restructure their directors’ compensation packages to offset this increased exposure, and a number of Fortune 500 companies are having a difficult time finding suitable candidates for board positions. As corporations review their options, they need to remember that in today’s business climate there appears to be a direct link between good corporate governance and effective risk management.

This direct link between corporate governance and risk management may also hold the key to some additional protection for corporate executives as they defend themselves against criminal proceedings. This belief comes out of the U.S. Sentencing Guidelines that were issued last fall. Consistent with most of the other recent legislative and regulatory efforts, the Guidelines also hold corporate executives and directors responsible and accountable for their actions. The Guidelines clearly spell out the need for the organization to perform formal risk assessment activities. Further, some believe that if the company’s ERM program is implemented and formal risk assessment is completed, the executives may be in a better position should a lawsuit ensue. If this is true, an ERM program may in fact provide corporate officers and directors with a “Do Not Go To Jail” card.

Conclusion

While many of the benefits attributed to ERM have yet to materialize, due in large part to the newness of the concept, and much of the evidence for its value remains anecdotal, most people agree that a holistic approach to risk management such as ERM should be more effective than the traditional silo approach. While corporate America has not fully appreciated the advantages of ERM, investors have been quick to pick up on the concept. Many investor groups now see ERM as “a guidepost for well-run companies.” In addition, rating agencies such as Standard & Poor’s are beginning to examine a company’s risk management approach as an integral part of the rating process.

With more and more regulatory scrutiny of the risk management function, organizations can ill afford to postpone moving to ERM. Organizations that do move can signal to the public that they are well run and give rating agencies tangible evidence of their commitment to risk management. And as a result of the federal sentencing guidelines, corporations and their management can place themselves in a better position to fight potential lawsuits by implementing an ERM program. Why would anyone delay implementation?

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.