SEC Requires Accountability for ERM at the Board Level

Steven Minsky | July 22, 2009

In my January 2009 blog post, New Congressional Report: A Call to Action for ERM Regulation, I outlined the likelihood of new Enterprise Risk Management regulation and how to prepare for it. As expected, the SEC has acknowledged a lack of risk management competency in corporate America as the root cause of this economic downturn and is taking action on this matter.

Boards are now required by the SEC to report in-depth on how their organizations identify risk, set risk tolerances, and manage risk/reward tradeoffs throughout the enterprise. Boards will also be held accountable by the SEC to review and express opinions on their involvement in the Enterprise Risk Management process. This change is intended to address the current problem: at most organizations, the risk management process is isolated from both the front line and the board.

The newly required SEC ruling goes beyond the executive level to target risk management competency at all employee levels that materially impact the company. The ruling puts teeth into the reporting requirements for measuring risk management competency by requiring evidence that the risk-reward tradeoffs in an organization’s overall compensation policy are aligned with its stated appetite for risk. In other words, you get the behavior you pay for: setting compensation around risk-reward trade-offs means embedding enterprise risk management within business units, down to the process level where employees are given incentives to make decisions.

The Risk Maturity Model for ERM that my company developed in collaboration with the Risk and Insurance Management Society (RIMS) provides a complimentary online assessment of your organization’s risk management readiness. Most importantly, it includes a personalized roadmap based on your responses that will guide you through 25 practical action items to put an effective risk management process in place and achieve the risk and policy management competency soon to be required by the SEC. Go to and take this 30-minute assessment to understand the big difference between risk management and compliance and what is needed to meet the new SEC requirements.

To reach front line management and monitor risk management effectiveness as required by the SEC and other regulatory agencies and governing bodies, true Enterprise Risk Management systems are needed. Beware of compliance vendors renaming their products as Governance, Risk and Compliance (GRC) products: only purpose-built ERM solutions address the kind of risk management competency challenges facing organizations.

What are the differences between ERM and GRC systems? Here are the top three:

    • Leading versus lagging indicators: ERM is all about assessing the root cause of risks that threaten to materialize and what can be done to prevent those threats. GRC is historic in nature and reinforces documentation of controls based on lagging indicators, e.g., historic losses or compliance failures.
    • Dynamic versus static: ERM manages the risks that evolve in an ever-changing world. ERM helps set risk tolerances and assess residual and inherent risk. GRC systems focus on matching controls with static regulations for compliance purposes.
    • Risk-reward tradeoff: ERM solutions match risk at the activity level with strategy and risk tolerance set at the executive level to achieve better performance. GRC by nature is isolated from decision making and strategy and is designed to document and test controls.

The Securities and Exchange Commission proposed rule changes are posted on the SEC’s website. The proposal contains requests for comment, and the new SEC rules are planned to be applicable to the 2010 proxy season.
