The metaphoric ERM tree, like its counterpart in nature, must adapt to its environment in order to thrive. The ERM tree is growing in an environment of increased regulation by various federal agencies. Reacting to the consequences of the recent Great Recession, provoked mainly by the financial crisis of 2008-2009, the two most important new (2010) regulations (at least in the United States) affecting both the growth and practice of ERM are (1) Securities and Exchange Commission (SEC) Amended Rule 33-9089, and (2) the Dodd-Frank Wall Street Reform and Consumer Protection Act.
SEC 33-9089 clearly places the oversight of risk management with the board of directors at publicly traded companies. Dodd-Frank's Section 165 mandates the formation of a stand-alone board-level risk committee consisting of independent directors, practicing enterprise-wide risk management, and requiring a chief risk officer (CRO) within the financial sector.
More recently (January 5, 2012), the Board of Governors of the Federal Reserve proposed "Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies." Far more prescriptive and detailed mandates have been added to the original Section 165, including:
• Board-level risk committees to be chaired by an independent director for bank holding companies over $10 billion, increasing the reach of the legislation to a greater number of institutions than the originally announced $50 billion
• A specific list of "Responsibilities of Risk Committee"
• "Appointment of CRO" who will report directly to the chief executive officer and board-level risk committee
• A specific list of responsibilities and actions by the CRO
The proposed "Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies [R-1438]" provides not only the detailed responsibilities of the risk committee of the board of directors, but also insight into just how deep the Federal Reserve is attempting to reach within the governance structure of publicly traded companies in the broader financial sector.
The requirement for a separate and stand-alone risk committee of the board of directors with a CRO, reporting directly to the risk committee and the CEO, indicates the high level of importance the Federal Reserve is giving to the implementation and administration of enterprise-wide risk management. Tearing down individual internal risk silos that inhibit collaboration and communication across the enterprise about identified risks and intelligence about emerging risks and opportunities should be a priority on the risk management agenda.
• "[T]he board proposes that covered company and over $10 billion bank holding company risk committee must be chaired by an independent director. The board views the active involvement of independent directors as vital to robust oversight of risk management and encourages companies generally to include additional independent directors as members of their risk committees."
• "Specifically, the Board believes that best practices for covered companies require a risk committee that reports directly to the Board and not as part of or combined with another committee." Thus, "the proposed rule would require a covered company's risk committee not be housed within another committee or be part of a joint committee." In addition, "the proposed rule would require a covered company's risk committee to report directly to the covered company's board of directors."
• A separate stand-alone risk committee, not a part of or combined with the existing audit committee, is a signal or reminder by the Federal Reserve that the two committees (audit and risk) have different functions and responsibilities. The risk committee's responsibilities are to document and oversee the enterprise-wide risk management policies and practices of the company.
The risk committee's agenda is:
[to review and approve] an appropriate risk management framework that is commensurate with the company's capital structure, risk profile, complexity, size, and other appropriate risk-related factors. The proposed rule specifies that a company's risk management framework must include: risk limitations appropriate to each business line of the company; appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure; processes and systems for identifying and reporting risks, including emerging risks; monitoring compliance with the company's risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls; effective and timely implementation of corrective actions; specification of management's authority and independence to carry out risk management responsibilities; and integration of risk management and control objectives in management goals and the company's compensation structure.
• Appointment of a chief risk officer (CRO): "... in ensuring the effective implementation of a covered company's risk management practices, the proposed rule would require a covered company's CRO to report directly to the risk management committee and the chief executive officer."
As the name Dodd-Frank Wall Street Reform and Consumer Protection Act states, the law is aimed at the financial sector. However, the Act provides a model, or benchmark, of sound risk management practices that could be used (with some modification) in all industry sectors. The Federal Reserve model could strengthen ERM's core trunk if it does indeed become the de facto enterprise risk management standard and migrate from the financial sector to general business. The influence of the Federal Reserve cannot be overstated, but adoption of its model by all publicly traded companies will take many more years without a specific push from regulators in other industries.
One example of how Dodd-Frank can extend the Federal Reserve's model and reach, and has already done so, is the creation of the Financial Stability Oversight Council (FSOC). This group identifies and monitors excessive risks to the U.S. financial system arising from the distress or failure of large, interconnected bank holding companies or nonbank financial companies. In July 2013, the FSOC named the first nonbank financial companies considered systemically important financial institutions (SIFIs): American International Group and GE Capital. Prudential Financial, Inc. was added to the list in September 2013. These companies now come, for the first time, under the supervisory standards, including examinations, established by the Board of Governors of the Federal Reserve.