ERM and Risk Appetite may Derail SoulCycle’s IPO

Last month, SoulCycle, a well-known high-end cycling business, filed for an initial public offering. In the midst of this exciting transition from private to public, SoulCycle was hit with a lawsuit for violating the Credit Card Accountability and Disclosure Act. One might assume that the company was outed by a compliance agency or regulator. But, surprisingly, this lawsuit comes from a disgruntled former customer, Rachel Cody, who felt she was being “robbed” by the cycling mogul she once trusted.

According to the report, “The lawsuit alleges that SoulCycle’s practice of not allowing customers to directly pay for classes, instead requiring them to purchase ‘Series Certificates,’ is not a fair and transparent practice.” How does this violate the Credit Card Accountability and Disclosure Act? In order to abide by the act, a company must “establish fair and transparent practices relating to the extension of credit under an open end consumer credit plan.” Cody claims SoulCycle violated this act with inexplicably short expiration periods, and without advanced notice. These expiration periods were much shorter than those mandated by federal and state laws.

With an industry fueled by customer satisfaction and return rate, did SoulCycle adequately assess the risks of their pricing packages? Furthermore, in light of SoulCycle’s upcoming IPO, what deficits might this lawsuit have when it comes to producing windfall profit?

How can Actionable Risk Appetite Statements Help?

How could SoulCycle have taken steps to mitigate litigation risks related to customer dissatisfaction? Was any thought devoted to the risk associated with such drastic participation policies, regardless of whether they met the minimal regulatory compliance standards?

A crucial finding from this story is the absence of a risk appetite statement, which according to ISO 31000 is, “the amount and type of risk that an organization is prepared to pursue, retain or take.”

With actionable risk appetite statements, SoulCycle can set the broad levels of risk deemed acceptable surrounding customer satisfaction. A missing risk appetite statement indicates the weakness of their ERM program. Organizations then need to narrow the scope of their risk appetite statements and achieve more granularity by defining their corresponding risk tolerances. For SoulCycle, these risk tolerances may have been measures of customer satisfaction, participation rates, or revenue driven from related programs, all of which would help weigh the risks and rewards associated with their class enrollment policies. In doing so, an organization has the ability to articulate acceptable risks, strengthen controls, and resolve tensions in the business plan.

By utilizing an ERM solution, risk appetites and risk tolerances are continuously monitored to test and track the true effectiveness of activities. According to Business Insider, Cody is not the only frustrated former customer. The lawsuit states that tens of thousands of customers were impacted, and that this risk is identifiable and ascertainable based on SoulCycle’s records.

Clearly, another weakness of their ERM program is that their risk assessments do not reach the front line to surface risks known to managers and other employees at each location. This leaves senior leadership and the board blindsided by risk. Therefore regulators and standards bodies, such as the SEC, PCAOB, and even the State of New York (where SoulCycle is headquartered), require corporations to declare the effectiveness of their ERM programs and provide the evidence to back it up. In 2010, the SEC changed risk management rules. Now, not knowing about a risk is negligence, and there is no need to establish intent to commit fraud for the full penalties and liabilities to be enforced. That is one of the reasons why SoulCycle is so vulnerable to litigation. Had they utilized an Enterprise Risk Management program, not only would the risk likely have been discovered sooner and the damage prevented, but SoulCycle would have been protected from punitive damages and other penalties for negligence.

Without an ERM software risk assessment solution to objectively assess complaints, the risk went unaddressed, causing major reputation and retention risks, as well as lawsuits alleging the company misled its consumers. With an ERM solution, the risk would have been escalated to senior management and the board much sooner, thus triggering an evolution of the related risk mitigation strategies.