SEC Requirement Relative to Enterprise Risk Management of Publicly Listed Corporations

SEC Code of Governance Recommendation 2.11 and its corresponding explanation provide the following:

"The Board should oversee that a sound enterprise risk management (ERM) framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework should guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies. Risk management policy is part and parcel of a corporation's corporate strategy. The Board is responsible for defining the company's level of risk tolerance and providing oversight over its risk management policies and procedures."

Principle 12, which deals with strengthening the Internal Control System and Enterprise Risk Management Framework, states that "To ensure the integrity, transparency and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework."

The Board should oversee that a sound enterprise risk management (ERM) framework is in place to effectively identify, monitor, assess and manage key business risks. The risk management framework should guide the Board in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.

Subject to a corporation's size, risk profile and complexity of operations, the Board should establish a separate Board Risk Oversight Committee (BROC) that should be responsible for the oversight of a company's Enterprise Risk Management system to ensure its functionality and effectiveness. The BROC should be composed of at least three members, the majority of whom should be independent directors, including the Chairman. The Chairman should not be the Chairman of the Board or of any other committee.
At least one member of the committee must have relevant thorough knowledge and experience on risk and risk management.

Subject to its size, risk profile and complexity of operations, the company should have a separate risk management function to identify, assess and monitor key risk exposures.

STEPS IN THE RISK MANAGEMENT PROCESS

To enhance management's competence in their oversight role on risk management, the following steps may be followed:

1. Set up a separate risk management committee chaired by a board member. Creation of a risk management committee at board level will demonstrate the firm's commitment to adopt an integrated company-wide risk management system.

2. Ensure that a formal comprehensive risk management system is in place. This fully documented formal system will provide a clear vision of the board's desire for effective company-wide risk management as well as awareness of the risks, internal and external, that the company faces.

3. Assess whether the formal system possesses the necessary elements. The key elements that the company-wide risk management system should possess are:
   a) goals and objectives
   b) risk language identification
   c) organization structure
   d) the risk management process documentation

   The risk organizational structure should include formal charters, levels of authorization, reporting lines and job descriptions.

   The risk management process shall include the following steps:
   a) Assessment of risks: identification; determination of their source.
   b) Development of action plans: reduce, avoid, retain, transfer or exploit.
   c) Implementation of action plans.
   d) Monitoring and reporting of risk management performance.
   e) Continuous improvement of risk management capabilities.