Risk Management at the U.S. Securities and Exchange Commission
Marc Jarsulic, Senior Risk Advisor at the U.S. Securities and Exchange Commission (SEC) based in Washington, DC spoke at the April 27, 2007 roundtable, providing an overview of the SEC’s approach to risk management as the leading regulator over entities whose securities are publicly traded in U.S. capital markets. Jarsulic is part of the Office of Risk Analysis, which was created in 2004 to lead the risk management efforts at the SEC.
SEC’s View of Risk Management
The SEC sees itself as an organization that lags in the identification and mitigation of risks. In the SEC’s view, management, the board of directors, and other key players in a public company’s overall corporate governance structure have direct responsibility for the management of risks facing that enterprise. The SEC’s role lags or overlays that front line defense with the goal of preserving and enhancing the capital markets system in the U.S. and to protect all participants in that marketplace.
Role of Office of Risk Analysis
The SEC’s Office of Risk Analysis (ORA) is designed to help other parts of the SEC reduce barriers related to what they do. The role of the ORA is to innovate around constraints for effective risk management in each of the SEC’s core functional areas. Over the last two years, ORA has concentrated on two risk activities: Managing operational risks and extension subject matter expert capabilities. ORA helps to address operational risks through continuity planning, evaluation of risk metrics, and risk mapping. By design, ORA is relatively small as it seeks to be complimentary to other risk management functions within the SEC. It seeks to serve across SEC division efforts in conjunction with division leadership who ultimately have the lead responsibility for risk management activities within those divisions. ORA cross-functionally assists by improving information sharing across divisions, with the goal of ORA to help divisions accomplish their goals.
SEC’s Multi-Layered Approach to Risk Management
The SEC’s structure is built to identify and mitigate risks. The SEC has identified top-level activities that may create risks for capital markets. Risk categories center around (1) what is being traded, (2) how it is being traded, and (3) the behavior of particular intermediaries, agents, or fiduciaries. Risks arise as a result of inaccurate or incomplete information on the securities and underlying firms, inefficient, disorderly, or unfair behavior of market intermediaries, and harm to retail investors through inaccurate disclosure of costs or risks and through conflicts of interest.
To address these risk areas threatening U.S. capital markets, the SEC is organized along four major SEC divisions:
- Corporation Finance
- Market Regulation
- Investment Management
- Enforcement
Based on the view that markets are efficient when market participants are well informed, the SEC assigns each division key responsibility for implementation of specific risk mitigation strategies to manage risks threatening U.S. capital markets to acceptable levels. For example, the Division of Corporation Finance reviews documents filed by registrants with the SEC to ensure the completeness and quality of required disclosures used by market participants to make investment decisions. The Division of Market Regulation regulates behavior and activities of the major market participants, including broker-dealer firms, stock exchanges, transfer agents, and securities information processes. The Division of Investment Management oversees and regulates the investment management industry, including the administration of laws affecting investment companies and investment advisers. The Division of Enforcement investigates possible violations of securities laws and recommends SEC civil actions in federal courts. Thus, each of these divisions are designed to manage specific risks that arise from (1) what is being traded, (2) how it is being traded, and (3) the behavior of intermediaries involved in the process.
Reducing Risk Management Barriers at the SEC
All four divisions face information constraints, which impact each division’s management of risks. One of the core constraints relates to the overwhelming volume of information that the SEC receives from each of the approximately 13,000 public companies and 11,000 investment companies related to the 4900 securities that trade over seven registered exchanges. Thus, the information overload is massive and there are bounds on information computational capacity. Even if information received can be consumed, the process of pinpointing risk signals embedded within that information is enormously difficult.
The SEC has responded to these risk management challenges in several ways. First, the SEC makes extensive use of subject matter experts through the engagement of lawyers, accountants and other experts with industry knowledge. Second, the SEC has invested extensively in information technologies, including the application of analytic techniques to public and non-public information. Third, the SEC has created information sharing networks through senior staff coordination and intra-agency referrals and division liaisons. Finally, the SEC created the ORA to reduce these information constraints by assisting each division in risk identification and mapping, including the development of more advanced risk metrics. The ORA also assists in improving information sharing across divisions, as risk management activities in one division often affect risk information and management in the other divisions. ORA seeks to improve cross division information sharing.
Example of ORA Activities: ORA Accounting Fraud Initiative
Over the last two years, the ORA has concentrated on (1) strategies to address operational risks and (2) extending the reach of subject matter experts. One of ORA’s activities centered on risks management related to accounting fraud. ORA chose to focus on risk mitigation strategies related to accounting fraud given the significant public policy concerns surrounding financial reporting fraud and the fact that fraud mitigation activities consume large portions of the SEC’s resources through Corporation Finance review and Enforcement activities. Also, there is an extraordinary large set of potentially relevant data that is a rich target for quantitative analysis.
To be helpful to the Division of Enforcement, the ORA sought to better understand the detailed processes performed by Enforcement personnel. ORA examined the discovery process flow and sought to get inside the process by talking to people within that process to understand their constraints. ORA worked with subject matter experts to understand the constraints they face and the Enforcement work flow process. They also focused on identifying issues that members of the Enforcement division wanted to solve. One technique they used was a case walkthrough where subject matter experts identified what types of information would help them do their jobs more effectively. ORA also worked with external experts, such quantitative modeling researchers at the National Academies of Science.
One of the identified constraints tied to the overload of information. A need was quickly identified to help Enforcement sort important information from non-important information. ORA worked with internal and external experts to develop a quantitative modeling strategy that would assist subject matter experts in quantitatively mining data to provide fraud predictive indicators for further Enforcement investigation. While these models can produce puzzling results, their use has helped Enforcement personnel better deploy subject matter experts to higher risk areas. ORA has worked with Enforcement personnel in the implementation and use of these models, with the goal of shifting full responsibility for model oversight to Enforcement.
ORA’s Primary Role: Constraint Reduction
This case example illustrates ORA’s approach to risk management at the SEC. ORA seeks to partner with leaders of the SEC’s core divisions by helping them identify risk management constraints and design and implement solutions to reduce those constraints. Once constraint solutions are identified and implemented, responsibility for risk management shifts to the core division (not to ORA). At the end of the day, ORA works within the SEC’s risk management framework (i.e., its core divisions) to innovate around risk management constraints. Thus, ORA value is the reduction of risk management constraints that affect how well SEC functions achieve their objectives.