TY - JOUR
T1 - Is ERM Legally Required? Yes for Financial and Governmental Institutions, No for Private Enterprises
AU - Whitman, Andrew F.
N1 - Publisher Copyright:
© 2015 The American Risk and Insurance Association.
PY - 2015/9/1
Y1 - 2015/9/1
N2 - We examine whether enterprise risk management (ERM) is legally required for financial institutions (e.g., banks, securities brokerage firms, insurance, hedge funds and mutual funds), government entities, publicly traded companies, and private enterprises. We find that ERM is legally required for U.S. financial institutions and for some government-sponsored enterprises. Legally required means required by U.S. statutes, federal case law, or U.S. regulatory agencies (e.g., Securities and Exchange Commission [SEC]). ERM is an important factor for rating organizations (e.g., Standard & Poor's [S&P]), but not legally required. We found no U.S. statutes or federal court cases requiring an ERM framework for private enterprises, although ERM is accepted as a value-contributing best practice, and elements of ERM are practiced by some private enterprises. For publically traded companies, elements of ERM are required by federal statute, by the SEC, and by S&P. We suggest that if a private enterprise is sued in U.S. federal court alleging breach of a legal duty to practice ERM, the suit will likely be dismissed. We trace the development of ERM from a traditional risk management (TRM) base. Fortunately, ERM is recognized as a value-contributing best practice in corporate governance even when legal standards do not require it.
AB - We examine whether enterprise risk management (ERM) is legally required for financial institutions (e.g., banks, securities brokerage firms, insurance, hedge funds and mutual funds), government entities, publicly traded companies, and private enterprises. We find that ERM is legally required for U.S. financial institutions and for some government-sponsored enterprises. Legally required means required by U.S. statutes, federal case law, or U.S. regulatory agencies (e.g., Securities and Exchange Commission [SEC]). ERM is an important factor for rating organizations (e.g., Standard & Poor's [S&P]), but not legally required. We found no U.S. statutes or federal court cases requiring an ERM framework for private enterprises, although ERM is accepted as a value-contributing best practice, and elements of ERM are practiced by some private enterprises. For publically traded companies, elements of ERM are required by federal statute, by the SEC, and by S&P. We suggest that if a private enterprise is sued in U.S. federal court alleging breach of a legal duty to practice ERM, the suit will likely be dismissed. We trace the development of ERM from a traditional risk management (TRM) base. Fortunately, ERM is recognized as a value-contributing best practice in corporate governance even when legal standards do not require it.
UR - http://www.scopus.com/inward/record.url?scp=84942117957&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84942117957&partnerID=8YFLogxK
U2 - 10.1111/rmir.12045
DO - 10.1111/rmir.12045
M3 - Article
AN - SCOPUS:84942117957
SN - 1098-1616
VL - 18
SP - 161
EP - 197
JO - Risk Management and Insurance Review
JF - Risk Management and Insurance Review
IS - 2
ER -