Legislators and regulators can affect the ERM approach of many organizations, either through requirements to establish risk management mechanisms or systems of internal controls (for example, the U.S. Sarbanes-Oxley Act of 2002) or through examinations of particular entities (for example, by federal and state bank examiners). Legislators and regulators may establish rules that provide the impetus for management to ensure that risk management and control systems meet certain minimum statutory and regulatory requirements. Also, they may conduct regulatory examinations that provide information useful to the organization in applying ERM, and recommendations to management regarding needed improvements.

9. Other external parties.

Finally, other outside stakeholders may impact an organization's ERM activities:

* Customers, vendors, business partners, and others who conduct business with an organization are an important source of information used in ERM.
* Creditors can provide oversight or direction influencing how organizations achieve their objectives. For example, debt covenants may require organization
* Financial analysts, rating agencies, news media, and other external parties can influence risk management activities. Their investigative and monitoring activities can provide insights on how others perceive the organization's performance, industry and economic risks, innovative operating or financing strategies, and industry trends. Management must consider the insights and observations of these parties and, if necessary, adjust the corresponding risk management activities.
* Providers of outsourced services are becoming a more prevalent way for organizations to delegate their day-to-day management of certain noncore functions. The external parties discussed above may directly influence an organization's ERM activities; however, using outside service providers may result in a different set of risks and responses than if the organization did not outsource any functions. Although external parties may execute activities on behalf of the organization, management cannot abdicate its responsibility to manage the associated risks and should establish a program to monitor outsourced activities.