Steven Minsky, CEO of LogicManager, Inc., both predicts and recommends the inclusion of enterprise risk management (ERM) requirements into regulatory standards and frameworks in his 2009 letter to the Securities and Exchange Commission.
Securities and Exchange Commission
Chairman Mary Shapiro
100 F Street, N.E., room 10700
Washington, D.C. 20549
RE: SEC Release NOS. 33‐9052 Proxy Disclosure and Solicitation Enhancements, File Number S7‐13‐09
Dear Madame Chair:
The Securities and Exchange Commission has proposed an expansion of the disclosure requirements for public companies to include information regarding the role of the board of directors in the management of risk (SEC Release NOS. 33‐9052 34‐60280 IC‐28817 File S7‐13).
The goals outlined to enhance transparency on activities that materially contribute to a company's risk profile are well articulated. Please find below three enhancements that would make the SEC ruling even more effective in achieving the desired results.
1) Requirements are needed for businesses to disclose their enterprise risk management processes. The process of determining which risks materially contribute to a company's risk profile is as important as the disclosures themselves. A robust, objective and repeatable process is required that extends down to the level of risk where activity occurs. Corporations need to disclose how they directly engage front line management in their analysis to uncover and address risks with material impact.
In the RIMS State of ERM Report that I authored (see attached or download from www.rims.org/rmm) it was determined that 96% of public sector organizations do not have an adequate enterprise risk management process in place. However, those organizations achieving a managed level of maturity in their enterprise risk management processes will already have the complete and accurate information to satisfy this new SEC disclosure ruling with minimal additional time. Requiring transparency on how a corporation achieves risk management competency is critical to the completeness and accuracy of the corporation’s disclosures.
2) A standard set of industry independent enterprise risk management guidelines should be referenced in the SEC ruling so that boards, management, regulators, auditors and rating agencies can objectively evaluate and measure risk management competency.
To objectively measure risk management competency across different organizations and across different industry segments, the following critical process aspects must be in place:
- Formalized industry independent indicators to measure risk competency
- Infrastructure to gather information and perform analysis in a timely fashion and
- Robust and consistent scoring methodology relevant to all risk cultures, processes and industries.
The Risk and Insurance Management Society's Risk Maturity Model for ERM (RMM) (see attached or download from www.rims.org/rmm) meets all three of these criteria. In 2007, risk practitioners from 564 organizations of all types participated in an in-depth assessment of their ERM practices. Using the RMM, participants assessed their organizations' ERM programs against 68 key readiness indicators identified as risk management competency drivers across all industries. The study concluded, at the 95% confidence level, that there is a positive and direct correlation between higher RMM scores and higher business performance. Providing transparency on the standards used to measure competency provides for true accountability.
3) Compensation needs to be tied to risk management competency at the front-line management level. According to the RIMS State of ERM Report, direct, extensive involvement in ERM by front-line management at all levels is the competency driver that is most strongly positively correlated with higher business performance. Three other competency drivers that also have strong correlation are:
- the degree to which risk assessments are effectively conducted by all business areas and aggregated
- the extent to which corporate goals and risk management issues are clearly understood at all levels and
- the depth to which ERM is woven into strategy and planning.
There remains a significant disconnect between the knowledge of risk management processes at the executive team level and what actually takes place on the front line. Formally tying a portion of compensation to risk management competency will effectively address this imbalance between risk and reward. Using the existing performance review process as the mechanism to assess risk management competency will incentivize both front-line management and senior management with minimal impact on operations. ERM should not be conducted in a silo as a separate activity, but rather as a standardized and common framework approach to operational management that surfaces and prioritizes the most material issues for remediation or disclosure. Requiring compensation to be meaningfully tied to achievement of risk management competency at all levels produces the behavior that is paid for.
In closing, the new disclosures proposed by the SEC, with these clarifications, will benefit all stakeholders in all industries by increasing the transparency of the registrant's enterprise risk management competency, which has been shown to be correlated positively and directly with increased business performance.
Chief Executive Officer
Read this letter in full on the SEC’s website