Enterprise Risk Management

ERM: Way beyond compliance

The “governance, risk and compliance” approach is fraught with problems

By Michael J. Moody, MBA, ARM

Risk management continues to be a major topic of discussion with regard to its role in the current financial meltdown. Many industry observers have indicated that it was a failing of risk management that led to the current crisis. Without question, risk management failings did account for some of the problems that arose out of the mess; however, this current situation also has shown that the shortcomings in risk management can be corrected.

A growing trend

Despite the fact that enterprise risk management (ERM) has been an active management discipline for more than 10 years, it is still fighting for its own identity. For example, one of the more recent trends has been to combine risk management with compliance and governance. The combined approach is referred to frequently as “governance, risk and compliance” (GRC).

While there are any number of reasons why this grouping was originally formed, many believe that it got its start during the early days of the Sarbanes-Oxley (SOX) legislation. SOX was designed to provide various stakeholders with some assurance that published financial results were developed with recent and relevant information and were providing a true representation of the corporation’s financial condition.

Bottom line, however, SOX was one of the primary factors that has led to a “culture of compliance.” Clearly, most of the public firms in the United States have invested significant amounts of both financial and intellectual capital in order to meet federal financial reporting compliance requirements as spelled out in the SOX regulations. Compliance was the focus of much of the work that encompassed GRC. However, the past few years have seen a growing concern about the risk aspects.

Today, boards and management are beginning to realize that their risk management efforts must be integral and strategic to be a useful business driver. This position is also becoming apparent to other stakeholders. For example, ratings agencies such as S&P have noted that they can draw a straight line from excellent ERM ratings to better credit ratings. Obviously, as this direct relationship between ERM and better financial results becomes more noticeable, demand for successful ERM programs will grow. However, a simple compliance approach will not satisfy most stakeholders.

The buck stops here

Unfortunately, multiple issues led to the meltdown; it is not always easy to isolate a single area. Despite this, when viewed in hindsight, several key areas become apparent. Some are well documented. For instance, a recent article in The Washington Post puts the members of corporate boards of directors in its cross hairs.

With few exceptions, boards have received little media attention as the country has sought explanations for financial firms’ taking such perilous risks. These boards—which typically consist of a dozen or more well-known executives, politicians, and other influential people—were ultimately responsible for the decisions of the Wall Street companies, housing firms and banks at the heart of the crisis. The boards signed off on the risks the companies took and the compensation package awarded to top executives.

The Post has correctly focused on one of the most overlooked groups of bad actors that were involved in the current situation. They have not, however, been overlooked by all parties. For example, in early 2009, Mary Schapiro, the new SEC chairman, began actively looking for ways to strengthen the boards of directors at publicly owned corporations with the express purpose of being able to hold them more accountable with regard to risk oversight in the future.

The National Association of Corporate Directors (NACD) is also fully aware of its members’ obligations regarding risk oversight. NACD realizes that in all too many instances, it was not a case of risk managers not sounding the warning alarms but, rather, the alarm bells were not being heard. In a recent study, Managing Risk in Perilous Times: Practical Steps to Accelerate Recovery, which NACD undertook in cooperation with The Economist Intelligence Unit, they found that, “the attitude that the opportunity for profit was trumping any concerns being raised by risk managers” was paramount. One of the primary conclusions of the study is: “To counteract these authority issues, risk management must be given an independent function that is given sufficient authority to challenge risk-takers effectively.”

In addition, the study left little doubt about the role of the board in establishing this authority. The study indicated that, “If risk management is to be given appropriate attention throughout the organization, leadership and tone from the most senior level in the organization will be essential.” And it also noted how difficult this will be because in many organizations, “risk management is still struggling to shake off an outdated perception that it is largely a support function.”

The NACD study goes on to say that ERM must be viewed as obtaining its authority directly from senior management and championed by the chief executive. In addition, there must also be appropriate board oversight of risk via the audit committee or risk committee. To take this one step further, the study says that, “the chief executive, as the ‘owner’ of risk in the organization, must be seen to elevate the authority of risk management, and his or her focus on risk must filter through the organization to build a robust, pervasive risk culture.”

Board members who were part of the above-noted study identified “risk oversight” as their most important and immediate concern. However, despite this recognition of its importance, 67% of the survey participants indicated that they assign the majority of risk-related tasks directly to the audit committee. This is unfortunate because it would appear that the board still has not gotten the message that risk oversight is its responsibility. In order to do their jobs, meet their fiduciary responsibility and manage their own personal liability, board members must begin to take a more active role in risk oversight.


One concern that continues to elude the management of many organizations is the failure to fully understand the “opportunity” value of ERM. For the most part, many companies view risk management from the more traditional position of “helping to avoid losses.” Certainly this is an important aspect; however, it is only a portion of the enterprise risk management model. Corporations and their boards of directors need to begin to look at ERM as a business imperative. As such, ERM continues to provide a competitive advantage to those firms that successfully implement it.

Equally damaging are those organizations that have combined compliance with risk management, thus fostering more of a “checklist mentality.” As a result, boards have begun to voice their concerns regarding compliance-related issues. Many have noted that management at their firms is spending too much time and too many dollars on compliance matters and not enough on strategic initiatives. Some experts have indicated that a GRC approach to risk management is not sustainable, efficient or even effective in support of strategic risk management. As a result, some believe that risk management must be separated from governance and compliance.

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.
