Innovation vs. Negligence

Steven Minsky, Paul Walker

October 3, 2016


In today’s business environment, organizations must continuously adapt to evolving consumer interests and regulatory requirements. But as tempting as it may be to focus only on innovation and improvement, innovation, by definition, introduces risk. If companies do not integrate regular enterprise risk management (ERM) activities into their innovation process, the results can often be counterproductive. Even worse, the enterprise value that can be lost through an ill-conceived move can exceed the operational costs of the mistake many times over.

About half of the Fortune 100 have identified innovation as one of their key risks. As a result, boards not only need to oversee their companies’ ERM programs, but also to understand how things like innovation impact their overall risk profile.

Risk management is not just an extra precaution; it is an obligation, and companies in violation of minimum requirements run the risk of being slapped with significant negligence penalties by regulators. If a risk event occurs, boards can no longer say, “We were not aware of the conditions that led to this incident, so we are not responsible.”

But even if the company’s operations function normally, without interruptions, data breaches or other incidents, risk management still needs to be a proactive effort. Risk management competency is now a critical success metric, from senior leadership to the front-line operational managers. This is because required disclosures have shifted from simply identifying risks to being held accountable for either not disclosing a risk or for not doing enough to manage disclosed risks. Public and private companies are being held to this standard by the Securities and Exchange Commission (SEC), Consumer Financial Protection Bureau (CFPB) and many other regulators.

In addition, even if a company launches an innovative strategy without incident, it is still potentially vulnerable to noncompliance or negligence issues on risks that are deemed preventable. Not only are fines being levied, but often brand reputations are damaged and class-action lawsuits filed against companies and their board members.

Regulators Raise the Bar

ERM is not a barrier to innovation, however. In fact, it simultaneously mitigates risk and supports the innovation process. But multiple factors have raised the bar for board-level enterprise risk management responsibilities.

Drivers for this change began in 2010 with SEC rule 33-9089 and were quickly adopted by other federal, state and industry regulations including, but not limited to, the SEC’s National Examination Programs 2013, the Financial Industry Regulatory Authority’s 2014 Exam Priority Letter and the Dodd-Frank Act. In addition, the January 2013 change in the Institute of Internal Auditors’ International Professional Practices Framework (IPPF) requirements further defined audit, risk management and board reporting requirements. After the 2013 IPPF update, many trade organizations followed suit with mandates on risk management processes and systems.

Among the most significant of these drivers is the SEC’s proxy disclosure enhancements rule 33-9089, which increased companies’ accountability to shareholders and regulators for inaccurate risk statements or insufficient risk mitigation. This appears to have changed the conditions of liability. Previously, the burden of proof for risk management inadequacy was fraud, which meant proving intent. Proxy disclosure enhancements rule 33-9089 reduced this burden of proof to negligence. The effect is that not knowing about a risk or not adequately managing it carries the same penalty as fraud.

Many test cases have upheld this negligence rule, even up to the Supreme Court, and this rule has since provided significant protection for companies with ERM programs supported by a “reasonable information and reporting system.” Among those now-required elements are “board leadership structure” and “the board’s role in risk oversight,” according to an SEC report.

More recently, the SEC published additional details related to cyberattacks. The regulator is interested specifically in the robustness of organizations’ disclosures of current cyberrisks. Has the organization suffered a hack or data breach in the past? Are its statements totally transparent, or do they soften the reality of the risk situation (either intentionally or accidentally)? The SEC also takes a closer look at organizations that actually have suffered some sort of incident. For example, what was the organization’s response in the wake of the cyberattack? Did the attack occur because the organization previously failed to address a material risk? If so, it is likely the organization will be found guilty of risk management negligence.

On the other hand, regulators like the SEC will also reward organizations with robust risk management procedures provided they can provide documented proof that they were attempting to manage the risk adequately. If an incident like a data breach occurs, historical documentation of a robust, repeatable ERM program has proven sufficient to demonstrate due diligence and therefore disprove allegations of negligence.

Other regulators are beginning to adopt similar cybersecurity requirements. Consider the CFPB’s recent case against Dwolla, an e-commerce company: Even though Dwolla never suffered a data breach or cyberattack, the company was found guilty of risk management negligence due to insufficient data security practices. It was targeted for misrepresenting procedures (those outlined on its website were more robust than everyday practices) and deceiving consumers. Upon discovering the misrepresentation, the CFPB issued the company a $100,000 fine, a significant penalty considering Dwolla had estimated revenues of $11 million and only 75 employees. The result of the case proves that no one—not even small, private companies—can assume they will never be under the microscope.

When it comes to avoiding regulatory penalties, flying under the radar is not what is important. Companies should consider proactively disclosing the effectiveness (or ineffectiveness) of an enterprise risk management and board risk oversight program. Disclosing ineffectiveness is a difficult decision to make, since it will likely undermine stakeholder confidence to some degree. It is better, however, than the possibility of a risk management negligence charge and the resulting reputational damage and fines that are sure to be heavier than a voluntary disclosure.

The best option is to assess the state of an organization’s risk management program and, if it is lagging, adopt proactive enterprise risk management processes. Maintaining a mature ERM program kills two birds with one stone because: 1) it is the most effective way to minimize the likelihood that negative surprises of any kind will occur, and 2) ERM systems, when executed properly, simplify the documentation process and provide a historical record that can easily be procured to satisfy regulators’ inquiries.

Innovation Blind Spots

If there is one commonality among recent regulations, it is that they do not consider ERM an optional discipline. From a regulator’s perspective, an organization either has an effective ERM program in place or it is operating negligently. Senior leaders are responsible for communicating how such programs impact strategic goals. They need to understand the company’s complete risk picture and disclose related details to stakeholders. This process must occur in conjunction with innovation and adaptation.

Unfortunately, many organizations across industries fail to assess the risks inherent in their innovations. While the cases of Chipotle, Volkswagen and BP may seem unrelated at first glance, all three companies share the same initial mistake: In their drive to produce innovative products and services, they neglected to evaluate the changing risks that accompanied those new approaches.

Chipotle sought to pioneer the strategy of locally sourcing ingredients on a national scale. Volkswagen sought to dramatically reduce the emissions of its vehicles. BP entered untapped deep-water drilling environments. They all made significant progress toward their objectives, but upon making that progress, they failed to objectively assess the upstream and downstream effects on their operations and overall risk profile.

Each of these companies recognized the potential upside of rapid innovation. They did not recognize the importance of proper risk management, which is necessary in order to navigate the risks accompanying new, unfamiliar processes. Failure to assess possible negative impacts—along distributed supply chains, from new regulatory standards and from insufficient technological capabilities—allowed the worst to happen. All of these factors are regularly assessed by companies practicing strong enterprise risk management programs.

Furthermore, because the companies did not extend their risk assessment and reporting programs across organizational levels, they missed information that would have revealed early red flags. These signs were obvious to those working on the front lines, but not to those at the board and executive levels. A Chipotle branch manager, for example, is more familiar with operational risks, such as those associated with the evaluation and preparation of local food ingredients, than an executive at corporate headquarters would be.

Front-line employees often recognize problems long before they turn into larger issues like food contamination, falsified emissions results or an oil spill. They simply lack the channels they need to provide input before a problem leads to other, more serious issues, to quickly and efficiently escalate emerging risks to key decision-makers, and to incorporate risk management into existing business processes such as budgeting and forecasting.

Enabling Success

When incorporated into everyday activities, ERM is not an innovation killer. By embedding cross-functional risk identification at crucial steps in the product development cycle, companies can more effectively identify new threats and opportunities, prioritize resources, and prevent surprises. Including multiple functions and levels in the risk management process means an organization acquires a more detailed understanding of risk and elevates the right conversations to the executive table when they pose potential impacts to strategic goals.

The cases of BP, Chipotle and Volkswagen demonstrate that best practices in enterprise risk management still have to be adopted by many companies, and that too many fail to understand the risks inherent in their innovations. By fully integrating ERM best practices across an organization’s functions and levels, today’s leaders can better protect their companies as they continue to move forward and innovate successfully.

Steven Minsky is CEO of LogicManager, a provider of ERM tools and services, and author of the RIMS Risk Maturity Model framework and assessment tool. He is also a recognized thought leader and writer on ERM topics.

Paul L. Walker, Ph.D., CPA, is the James J. Schiro/Zurich Chair in Enterprise Risk Management and executive director for the Center for Excellence in ERM at St. John’s University’s Tobin College of Business.