Risk Disclosure Troubles Grow

The June 1st WSJ story "Ohio Sues Five Drugmakers, Saying They Fueled Opioid Crisis" highlights a recurring pattern in the ever growing importance, management, and oversight of risks—organizations are more and more getting into trouble over risk disclosures. Below is a summary of three separate lawsuits/investigations around risk disclosures.

1) In the Common Pleas Court of Ross County, Ohio Civil Division

The suit is about the opioid crisis and the role of certain drug companies. The suit alleges, among other things, that the defendants

- used third parties to spread inaccurate statements about risks, and

- used marketing schemes that misrepresented the risks and failed to disclose the known risk (and continue to disclose this incorrectly).

2) Chipotle: Alleged Inaccurate Statements (about the level of risk) 

After numerous food poisoning outbreaks, a civil suit was filed that alleged Chipotle made untrue statements or omitted statements (in public filings) about the level of risks (my word) in their food delivery process. Negative and related impacts included dramatic drops in their stock price and the board lowering the CEO's pay. Although the suit was dismissed [per Reuters 3/8/17] one takeaway is clear—public filings about the risk in business process are being watched and must be vetted. 

3) Dwolla: Level of Risk Disclosed About Data Security Was Inaccurate

The CFPB alleged that Dwolla had inaccurate disclosures about the level of IT/data risk. Dwolla had to pay a civil penalty and was ordered to do risk assessments. The order included language addressed to the board to "ensure adherence" which I interpret to mean "make management fix this problem."

Key ERM Lesson

Critical enterprise risks identified and assessed by management are probably biased and should be both benchmarked against others and supported with assessments beyond opinions. Risk assessments increasingly need to be more than management and employee opinions about probability and impact. A guide could be used on when to do a deeper risk assessment to verify the assessed level of risk.

Four Key Questions Board Members Should Ask About Risk Disclosures:

- How do we know we have the right risks disclosed?

- What has the organization done to ensure the level of risk disclosed is accurate?

- How do risk disclosures compare to other organizations?

- How do the risk disclosures compare to other statements and publications put out by the organization?