Is ERM Legally Required? Yes for Financial and Governmental Institutions, No for Private Enterprises

DOI: http://doi.org/10.1111/rmir.12045
Published date: 01 September 2015
Risk Management and Insurance Review, 2015, Vol. 18, No. 2, 161-197
Andrew F. Whitman
ABSTRACT
We examine whether enterprise risk management (ERM) is legally required for financial institutions (e.g., banks, securities brokerage firms, insurance, hedge funds, and mutual funds), government entities, publicly traded companies, and private enterprises. We find that ERM is legally required for U.S. financial institutions and for some government-sponsored enterprises. Legally required means required by U.S. statutes, federal case law, or U.S. regulatory agencies (e.g., the Securities and Exchange Commission [SEC]). ERM is an important factor for rating organizations (e.g., Standard & Poor's [S&P]), but it is not legally required. We found no U.S. statutes or federal court cases requiring an ERM framework for private enterprises, although ERM is accepted as a value-contributing best practice, and elements of ERM are practiced by some private enterprises. For publicly traded companies, elements of ERM are required by federal statute, by the SEC, and by S&P. We suggest that if a private enterprise is sued in U.S. federal court alleging breach of a legal duty to practice ERM, the suit will likely be dismissed. We trace the development of ERM from a traditional risk management (TRM) base. Fortunately, ERM is recognized as a value-contributing best practice in corporate governance even when legal standards do not require it.
INTRODUCTION
Enterprise risk management (ERM) is a holistic framework for identifying, defining, quantifying, prioritizing, and treating all material risks of potential loss and gain while simultaneously considering potential correlations and interrelationships between individual risks throughout the organization or enterprise. The ERM framework typically has a chief risk officer (CRO) reporting to the chief executive officer (CEO) and a risk committee at the board level. We find that an ERM framework is legally required for U.S. financial institutions (e.g., banks, securities brokerage firms, insurance, hedge funds, and mutual funds), but is not legally required for private enterprises. Legally required means required by U.S. statutes, federal case law, or U.S. regulatory agencies. In addition, ERM is an important factor for rating organizations (e.g., Standard & Poor's [S&P]). ERM is accepted by professional organizations as a value-contributing best practice for all enterprises: the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Risk and Insurance Management Society (RIMS), and the Casualty Actuarial Society (CAS) have designed, examined, and promoted ERM frameworks.

Andrew F. Whitman is Professor of Insurance at the Carlson School of Management, University of Minnesota.
According to COSO (2004), "Uncertainties present both risks and opportunities, with potential to erode or enhance value." Findings reported by CAS (Dafikpaku, 2011) show that the value of ERM lies in the linkages between the ERM processes and factors including risk appetite, risk culture, and management competence. According to CAS, ERM assists enterprises in making appropriate strategic decisions under uncertain outcomes so as to, at worst, reduce disastrous losses and, at best, improve profitability when opportunities arise. These frameworks recognize four primary categories of risk: hazard, operational, strategic, and financial risk, and many risks exist within each category. Some risks, such as market risk or property damage risk, lend themselves to measurement and analysis based on known potential values and associated probabilities of loss (or gain). Other risks, especially those that are mostly qualitative in nature, are difficult to estimate, measure, or analyze. Strategic risks are difficult to quantify; they include political and cultural risks (external), competitive and reputational risks (external and internal, including brand/image, trustworthiness, and favorability), and governance risks (internal). ERM is required by financial institution regulators, recognized by credit-rating agencies, and embraced by the risk management community. The ERM process can be used not only to minimize the impact of adverse events that inevitably occur over time, but also to exploit opportunities that arise over time (Bugalla et al., 2014).
Attempts to Measure Value Added by ERM
Enterprises should reduce overall risk to improve the terms on which stakeholders, such as employees, suppliers, debt holders, and customers, contract with the firm (Stulz and Nocco, 2006). In addition, risk reduction can (1) reduce expected financial distress costs (Smith and Stulz, 1985), (2) improve contractual terms with other claimants (Smith and Stulz, 1985), (3) allow greater use of debt financing and tax shields (Stulz, 1990), (4) reduce the likelihood of having to raise costly external capital or forgo positive net present value investment projects (Froot et al., 1993), and (5) reduce expected taxes when tax rates are progressive (Graham and Smith, 1999). The authors of "Enterprise Risk Management Through Strategic Allocation of Capital" (Jing et al., 2012) present a mathematical approach to operationalizing the integration of ERM within the firm to achieve its holistic strategic goals across time periods. They consider risk appetite, prioritization, and operational decisions among risk categories. The challenges to implementing ERM still exist and vary by type of enterprise, and the risk-reduction possibilities from risk integration and portfolio theory are difficult to implement.

According to Acharyya and Brady, a connection between the risk management activities of corporations and the value of their economic activities is often claimed by practitioners and some academics (Hoyt and Liebenberg, 2011; Acharyya and Brady, 2014). (Hoyt and Liebenberg, 2011, simultaneously model the determinants of ERM and the effect of ERM on firm value, and they estimate the effect of ERM on Tobin's Q, a standard proxy for firm value. Ultimately, they find a positive relation between firm value and the use of ERM. The ERM premium of roughly 20 percent is statistically and economically significant.) However, there is little empirical proof of such claims other than a few works by finance scholars.
Froot et al. (1994) find that risk management reduces the expected costs of financial distress, such as transaction costs and bankruptcy. Others (Smith and Stulz, 1985; Rawls and Smithson, 1990; Stulz, 1996) contend that proper risk management reduces conflict between shareholders and bondholders and reduces corporate tax liabilities by cutting the rate of risk on buyout debts. However, these claims are mostly based on theoretical work without confirmatory practical evidence, and it is argued that these studies are unlikely to reflect reality (Ball, 2009). Consequently, it is difficult for the risk management function to demonstrate the tangible value it adds to the firm's operations (Hoyt and Liebenberg, 2011). Nevertheless, risk management is still seen as an essential tool of managerial decision making, at both operational and strategic levels, even with the loose evaluation of risk and benefit (Acharyya and Brady, 2014).
ERM encompasses legal compliance at the board level, and there are important economies of scale in monitoring legal compliance, including the financial information required by securities law, and in business ERM more generally. Today's best practices involve vigorous and widespread monitoring of the positive and negative risks that enterprises face. Increasingly, guidance as to how such monitoring should occur has been advanced under the label of "enterprise risk management." Delaware case law often both draws upon and reinforces corporate best practices.
Today, those best practices clearly include intense efforts at ERM (ABA, 2013). In 2014, the National Association of Insurance Commissioners' (NAIC) Financial Condition Committee adopted a Corporate Governance Annual Disclosure Model Act and supporting Model Regulation for insurance companies, which require a comprehensive narrative of the corporate governance structure, policies, and practices utilized by U.S. insurers. Among the key items required to be described are the processes by which the board of directors, its committees, and senior management ensure an appropriate level of oversight of the critical risk areas impacting the insurer's business activities, including risk management processes, the actuarial function, and investment, reinsurance, and business strategy decision-making processes. The narrative is to be reported annually to the insurer's lead state or domestic regulator by June 1 of each year, and the new disclosure requirements are expected to commence in 2016 (NAIC, 2014).
The rise and role of the risk committee and the chief risk officer (CRO) were documented in 2012 by a National Association of Corporate Directors (NACD) Public Company Governance Survey (NACD, 2012), which showed a 198 percent increase in risk committees over the preceding 5 years (from 4.5 percent of public companies in 2008 to 13.4 percent in 2012). However, 64 percent of the boards that reported having a risk committee were from the financial sector (e.g., banks and securities, insurance, private equity, hedge funds, and mutual funds) and government-sponsored enterprises (e.g., Fannie Mae and Freddie Mac; www.fanniemae.com). For financial institutions and publicly traded companies, the CRO oversees all risks facing the organization and typically reports to the CEO.
In its fifth annual board of directors survey, “Concerns About Risks Confronting
Boards,” EisnerAmper reported the most important risks to the board of directors as: