
Lessons Learned from Board Reporting



Presentation Transcript


  1. Lessons Learned from Board Reporting
  Steven Minsky, CEO, LogicManager
  Paul Walker, Schiro / Zurich Chair in Enterprise Risk Management, St. John's University
  IMPACT 2016

  2. Learning Objectives
  • Learn the specific regulations and guidelines that are shaping the risk management landscape
  • Identify attributes of strong risk management programs, drawn from six key case studies
  • Learn how to benchmark your organization's ERM maturity and measure progress over time

  3. What is Raising the Bar on Board Risk Oversight?
  • NYSE
  • SEC proxy disclosure
  • Dodd-Frank
  • 2014 SEC comment letters on cyber risk
  • SEC National Examination Program (NEP) 2013: ERM and governance
  • FINRA 2014 exam priority: ERM
  • World, business, and markets are unpredictable
  • Disruption is here
  • ISS uses board risk oversight in its ratings
  • Ratings agencies
  • ISS shareholder campaigns
  • New lawsuits

  4. Shareholder Campaigns
  • ISS said to vote against Wal-Mart's Chairman, CEO, and audit committee because of the "board's failure to adequately communicate material risk factors to shareholders, and to reassure shareholders that the board was exercising proper oversight"
  • A prominent proxy adviser urged the ouster of most Target board members for failing to manage risks
  • Source: WSJ, 5/28/14

  5. SEC Concern
  • "Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks."
  • SEC Commissioner Aguilar

  6. Sustained Failure?
  • Caremark: liability when there is a "sustained or systemic failure of the board to exercise oversight"
  • Citigroup: plaintiffs alleged that directors breached their duty by not monitoring business risks
  • Goldman Sachs: plaintiffs alleged that directors failed to oversee excessive risk taking
  • "Boards should keep in mind that cases involving egregious facts and circumstances and substantial shareholder losses could lead to a stricter standard… companies... should not structure their risk management policies around the minimum requirements."
  • Harvard Law School Forum on Corporate Governance, 2015

  7. General Motors Co. Derivative Litigation
  Facts
  • Ignition switch defect leads to deaths, recalls, and lawsuits
  • Board had ERM / board risk oversight (BRO) in place but changed it:
    • Moved risk committee duties to the audit committee
    • Moved the CRO (chief risk officer) to the CAE (chief audit executive)
    • No single committee responsible for safety risk
  • Board was told ERM was in place but needed improvement
  Lessons
  • You will be sued for not knowing
  • You will be sued for the board risk oversight setup (or changes to it) and for not following best practices

  8. Penn State University
  Facts
  • Leadership knew; the board did not
  • The board did not ensure that major risks were disclosed to the board (a process failure)
  • The board was overconfident in senior leaders
  • The board failed to see the link to reputation risk
  Lessons
  • Improve the channels of communication (require risk reporting to the board)
  • Require risk training
  • Top risks must be escalated

  9. Dwolla, Inc., 2016-CFPB-0007
  Facts
  • Marketing claims: "Send and receive money to anyone"; "safer than credit cards"
  • In fact the company had poor security and failed to identify and assess risks
  • The board was ordered to ensure that the company complies with the consent order
  Lessons
  • Inaccurate risk disclosures are cause for an enforcement action (even without a breach)
  • Risk oversight and disclosure practices may be adopted by other regulators

  10. Morgan Stanley
  Facts
  • A Managing Director conspired to evade controls
  • Morgan Stanley had a serious risk and compliance program (training; sign-offs; risk assessments)
  • No regulator went after Morgan Stanley
  Lessons
  • Do ERM correctly and you receive a "get out of jail free" card

  11. Lessons Not Yet Learned
  What do Chipotle and Wendy's have in common?

  12. Chipotle (February 8, 2016)
  Situation: The restaurant chain pioneered locally sourced, healthy fast food on a national scale.
  Complication: Food-borne illnesses sickened hundreds of people in more than a dozen states. The vendor and supply-chain risk management process was insufficient to identify vulnerabilities.
  Result: Lawsuit for misleading investors about quality-control risks; 30% drop in revenue, 45% drop in share price.
  Lessons NOT yet learned
  • Preventable systemic failure in risk management
  • Risks precede laws, regulations, and industry practices
  • Assess risk impact for each business process and its upstream and downstream dependencies
  • Assess the risk and control environments associated with new innovation

  13. Wendy's (July 7, 2016)
  Situation: Wendy's pursues a franchise model for expanding its fast-casual restaurants.
  Complication: Decent internal corporate InfoSec policies, but very weak third-party management, policies, and governance over franchise locations.
  Result: Cyberattacks at 1,025 franchise-owned locations. A class-action lawsuit was filed against Wendy's corporate, joined by more than 20 credit unions and credit union leagues.
  Lessons NOT yet learned
  • Preventable systemic failure in risk management
  • Risks precede laws, regulations, and industry practices
  • Assess risk impact for each business process and its upstream and downstream dependencies
  • You can outsource the process, but not the risk!

  14. Lessons Learned
  • Not knowing is negligence.
    • Failing to communicate with shareholders and customers
  • Risk management failures are preventable.
    • ERM is more than risk assessments
    • Must be able to cascade, aggregate, and link risk information
  • Compliance is the minimum performance standard.
    • Risks sometimes precede the laws
  • You're underappreciated / underpaid!!

  15. How to Measure and Effect Change?
  • Objective risk maturity assessment (effectiveness)
  • Establish a sustainable ERM program
  • Develop a roadmap for future improvements

  16. RIMS Risk Maturity Model Structure
  • 7 attributes
    • 25 factors and 68 indicators that differentiate maturity levels
    • Umbrella framework based on the most widely used standards
  • 5 maturity levels
    • A measure that helps you reach goals for improvement
    • 25% market valuation premium for maturity [1]
  • Benchmarking
    • Standing in peer group
    • Highlights ERM trends and priorities
  [1] Independent study published in the Journal of Risk and Insurance: Mark Farrell and Ronan Gallagher, "The Valuation Implications of Enterprise Risk Management Maturity."
  * Available as a plug-in in your LogicManager environment.

  17. RIMS Risk Maturity Model Structure

  18. Questions?
  Steven Minsky, author of the RIMS Risk Maturity Model, CEO of LogicManager
  Paul Walker, Executive Director of the Centre for Excellence in ERM, St. John's University
