180 likes | 199 Views
Lessons Learned from Board Reporting. Steven Minsky, CEO, LogicManager Paul Walker, Schiro / Zurich Chair in Enterprise Risk Management, St. John's University. IMPACT 2016. Learning Objectives. Learn the specific regulations and guidelines that are molding the risk management landscape
E N D
Lessons Learned from Board Reporting Steven Minsky, CEO, LogicManager Paul Walker, Schiro / Zurich Chair in Enterprise Risk Management, St. John's University IMPACT 2016
Learning Objectives • Learn the specific regulations and guidelines that are molding the risk management landscape • Identify attributes of strong risk management programs stemming from 6 key case studies • Learn how to benchmark your organization’s ERM maturity and measure progress over time
What is Raising the Bar on Board Risk Oversight? • NYSE • SEC proxy disclosure • Dodd-Frank • 2014 SEC comment letters on cyber risk • SEC NEP 2013 – ERM and Governance • FINRA 2014 Exam Priority – ERM • World, business, and markets are unpredictable • Disruption is here • ISS uses board risk oversight in ratings • Ratings agencies • ISS Shareholder campaigns • New lawsuits
Shareholder Campaigns • ISS said to vote against Wal-Mart Chairman, CEO, and audit committee because of the “board’s failure to adequately communicate material risk factors to shareholders, and to reassure shareholders that the board was exercising proper oversight” • A prominent proxy adviser urged the ouster of most Target board members for failing to manage risks… • WSJ, 5/28/14
SEC Concern • “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.” • SEC Commissioner Aguilar
Sustained Failure? • Caremark – liability when there is “sustained or systemic failure of the board to exercise oversight” • Citigroup– …alleged that directors breached duty by not monitoring business risks • Goldman Sachs– … alleged that directors failed to oversee the excessive risk taking • “Boards should keep in mind that cases involving egregious facts and circumstances and substantial shareholder losses could lead to a stricter standard… companies... should not structure their risk management policies around the minimum requirements.” • Harvard Law School Forum 2015
General Motors Co Derivative Litigation • Facts • Ignition switch leads to deaths, recalls, lawsuits • Board had ERM/BRO but changed it: • Moved risk committee duties to audit committee • Moved CRO to CAE • No single committee for safety risk • Board was told ERM was there but needed improvement • Lessons • Will be sued for not knowing • Will be sued for board risk oversight setup (or changes) / not following best practices
Penn State University • Facts • Leadership knew; the board did not • Board did not ensure disclosure of major risks to the board (process) • The board was overconfident in senior leaders • The board failed to see the reputation risk link • Lessons • Improve the channels of communication (require risk reporting to the board) • Require risk training • Top risks must be escalated
Dwolla, Inc. 2016 CFPB-0007 • Facts • “Send and receive money to anyone”; “safer than credit cards” • But actually had poor security and failed to identify and assess risks • Board was ordered to ensure the company complies with the consent order • Lessons • Inaccurate risk disclosures are cause for an action (even without a breach) • Risk oversight and disclosure practices may be adopted by other regulators
Morgan Stanley • Facts • Managing Director conspired to evade controls • MS had serious risk and compliance program (training; sign-offs; risk assessments) • No regulator went after MS • Lessons • Do ERM correctly and you receive a get out of jail free card
Lessons Not Yet Learned What do Chipotle and Wendy’s have in common?
Chipotle (February 8, 2016) Situation: Restaurant pioneered locally sourced, healthy fast food on a national scale. Complication: Food borne illnesses sickened hundreds in more than a dozen states. Insufficient vendor & supply chain risk management process to identify vulnerabilities. Result: Lawsuit for misleading investors on quality control risks. 30% drop in revenue,45% share drop. • Lessons NOT yet Learned • Preventable systemic failure in risk management • Risks precede laws, regulations, and industry practices • Assess risk impact for each business process and its upstream and downstream dependencies • Assess risk and control environments associated with new innovation
Wendy’s (July 7, 2016) Situation: Wendy’s pursues franchise model for expanding its fast-casual restaurants. Complication: Decent internal corporate InfoSec policies, but very weak third-party management, policies and governance over franchise locations. Result: Cyberattacks at 1,025 franchise-owned locations. Class-action lawsuit filed against Wendy’s corporate, joined by more than 20 credit unions and credit union leagues. • Lessons NOT yet Learned • Preventable systemic failure in risk management • Risks precede laws, regulations, and industry practices • Assess risk impact for each business process and its upstream and downstream dependencies • Can outsource the process, but not the risk!
Lessons Learned • Not knowing is negligence. • Failing to communicate with shareholders and customers • Risk management failures are preventable. • ERM is more than risk assessments • Must be able to cascade, aggregate, and link risk information • Compliance is the minimum performance standard. • Risks sometimes precede the laws • You’re underappreciated / underpaid!!
How to Measure and Effect Change? • Objective Risk Maturity Assessment - Effectiveness • Establish a sustainable ERM program • Develop a roadmap for future improvements
RIMS Risk Maturity Model Structure • 7 Attributes • 25 factors and 68 indicators that differentiate maturity levels • Umbrella framework based on the most widely used standards • 5 Maturity Levels • Measure to help reach goals for improvement • 25% market valuation premium for maturity1 • Benchmarking • Standing in peer group • Highlights ERM trends and priorities 1Independent study published in Journal of Risk and Insurance, “The Valuation Implications of Enterprise Risk Management Maturity,” by Mark Farrell and Ronan Gallagher. *Available as a plug-in in your LogicManager Environment
Questions? Steven Minsky Author of the RIMS Risk Maturity Model CEO of LogicManager Paul Walker Executive Director of Centre for Excellence in ERM, St. John’s University