Yesterday the Congressional panel overseeing the Troubled Asset Relief Program (TARP) released a scathing report on the regulatory failures that led to the current financial crisis, the Congressional Oversight Panel Special Report on Regulatory Reform.
The report concluded that “The regulatory system not only failed to manage risk, but also failed to require disclosure of risk through sufficient transparency”.
This Congressional report is a call to action: Enterprise Risk Management should be part of new, stronger regulatory oversight. The report's findings of faults and its recommendations for correction scream ERM as a solution. For example, one of the 68 standards in the RIMS Risk Maturity Model for Enterprise Risk Management, “Risk management competence is part of managers’ performance reviews”, is clearly articulated as one of the top eight action items for immediate implementation.
First, the report outlines the failure of private sector risk management, which devoted relatively little attention to risk assessment. The ERM guidelines contained in the RIMS Risk Maturity Model for ERM show step-by-step how best practices for risk assessment can be effectively adopted and performed. The Congressional report also points out the failure of rating agencies to recognize how severely they had underestimated the key risk. Rating agencies have made progress by including ERM evaluation criteria within their rating processes. However, it is important for new regulation to require them to formalize their ERM policies for this forward-looking indicator of business performance and to make their ERM evaluation criteria more transparent. This formalization is needed to address the appearance of alleged insider dealings and conflicts of interest and to restore confidence in the outcomes of their rating process.
The Congressional report also highlighted the failure of public risk management to control the worst financial excesses and abuses long before the crisis took hold. The report lays the foundation for ERM to be included in new regulation, naming the government “as the nation’s ultimate risk manager”.
The third major topic of the report is the failure to require sufficient transparency, and it is here that new regulation must require corporations not only to disclose risk, but also to demonstrate their competency in risk management through the systems and processes they use to manage it.
The recently published RIMS State of ERM 2008 Report documented that 96 percent of organizations lack sufficient risk management competency for repeatable and sustainable ERM programs. We have seen this in the 10-K disclosures of public companies that are in distress today: they either did not mention the risks or severely underestimated the risks that are affecting them just 6 to 8 months later. Therefore, new regulations need to require corporations to increase that competency by formalizing and building their enterprise risk management infrastructures, as European countries did several years ago. New regulations in the United States must add this same kind of teeth to require organizations to make those disclosures meaningful.
Today, organizations in the United States are not required to go into depth on how they identify risk, set risk tolerances and provide evidence of effectiveness. Since June 2006, by contrast, boards of directors in the United Kingdom have been held accountable by the Combined Code on Corporate Governance to review and express opinions on their Enterprise Risk Management processes and systems.
Organizations unfortunately do what they have to do first, which leaves little time for what they should do, and that is why we are in the mess we are in today. As the report confirms, without Enterprise Risk Management regulatory oversight, organizations both public and private will destroy themselves (and our retirement investments and jobs along with them) unless they have the required risk management competency to perform in the ever faster-changing and integrated world that we live in.