SEC Reprioritizes ERM in 2014

The Security and Exchange Commission announced its examination priorities for the New Year, and Enterprise Risk Management heads the list. The priorities, selected by Senior Staff from the National Examination Program, aim to address areas of weakness that threaten fair, orderly, and efficient markets.

On the subject of Enterprise Risk Management, the NEP states that it will continue to meet with boards and high level senior management to discuss the firm’s Enterprise Risk Management process, especially as it pertains to identifying legal, compliance, financial, and operational risks.

This initiative is designed to: (i) evaluate firms’ control environment and “tone at the top,” (ii) understand firms’ approach to conflict and risk management, and (iii) initiate a dialogue on key risks and regulatory requirements.

The SEC’s renewed focus comes on the heels of 2013, a year that featured a bevy of high profile failures in risk management, such as the Edward Snowden NSA leaks, European horse meat scandal, Barney’s and Macy’s shop-and-frisk incident, Carnival Cruise Line’s generator fire, and culminating with Target’s credit card heist and the security breach of over 70 million customer records.

Also of note is the language used in the Commission’s briefing. Too often, enterprise risk management is seen as a static or silo’d practice, but the SEC specifically identifies dialogue as a critical component of any ERM program. The SEC is further demonstrating the need for organizations to be proactive in their risk management practices, and the days of maintaining an out-of-sight out-of-mind approach to risk management have been replaced by regulations designed to prosecute boards and leadership that fail to adequately address their ERM process.