Is ERM Legally Required? Yes for Financial and Governmental Institutions, No for Private Enterprises

Research output: Contribution to journalArticlepeer-review

6 Scopus citations


We examine whether enterprise risk management (ERM) is legally required for financial institutions (e.g., banks, securities brokerage firms, insurance, hedge funds and mutual funds), government entities, publicly traded companies, and private enterprises. We find that ERM is legally required for U.S. financial institutions and for some government-sponsored enterprises. Legally required means required by U.S. statutes, federal case law, or U.S. regulatory agencies (e.g., Securities and Exchange Commission [SEC]). ERM is an important factor for rating organizations (e.g., Standard & Poor's [S&P]), but not legally required. We found no U.S. statutes or federal court cases requiring an ERM framework for private enterprises, although ERM is accepted as a value-contributing best practice, and elements of ERM are practiced by some private enterprises. For publically traded companies, elements of ERM are required by federal statute, by the SEC, and by S&P. We suggest that if a private enterprise is sued in U.S. federal court alleging breach of a legal duty to practice ERM, the suit will likely be dismissed. We trace the development of ERM from a traditional risk management (TRM) base. Fortunately, ERM is recognized as a value-contributing best practice in corporate governance even when legal standards do not require it.

Original languageEnglish (US)
Pages (from-to)161-197
Number of pages37
JournalRisk Management and Insurance Review
Issue number2
StatePublished - Sep 1 2015

Bibliographical note

Publisher Copyright:
© 2015 The American Risk and Insurance Association.


Dive into the research topics of 'Is ERM Legally Required? Yes for Financial and Governmental Institutions, No for Private Enterprises'. Together they form a unique fingerprint.

Cite this