How’s this for an understatement: “There has developed what seems to be an overemphasis on certain additional or duplicative levels of documentation, with a declining value in terms of how much that additional documentation would add to the effectiveness of internal control.”

That’s according to Arnie Hanish, the chief accounting officer of Eli Lilly and Co., who testified before a U.S. Senate committee hearing in September on the impact of The Sarbanes-Oxley Act of 2002.

And while Hanish’s comments weren’t exactly neutral—he also serves as vice chairman of a corporate reporting committee at the professional association and lobbyist Financial Executives International—they do reflect general corporate sentiments; namely, that the demands of Sarbanes-Oxley Section 404 are causing companies to focus excessively on the minutiae of financial systems and procedures, perhaps at the expense of enterprise-wide risk mitigation.

“The problem is not the level of documentation required to satisfy SOX Section 404 compliance,” Hanish recently told Compliance Week, “but the approach auditors are taking when they conduct a process review for auditing purposes.” According to Hanish, in some cases auditors want companies to document who was in a particular meeting, with little focus on the substance of the meeting.

Douglas Flint, the top financial officer of $56 billion UK banking company HSBC Holdings, echoed the comments of Hanish at the hearing.

According to Flint, the way Sarbanes-Oxley was being implemented by the accounting profession had become “meticulously prescriptive” and detailed.

Hoshi Printer, executive vice president and CFO of $88.9 million Autobytel, agrees that some of the minutiae associated with process documentation could bog companies down. “If companies focus on dotting the i’s and crossing the t’s but miss the bigger picture of why we are asked to do this,” he says, “it could turn out to be a burden rather than a wake-up call for process improvement.”

Or as Hanish at Eli Lilly said in his testimony: “Make no mistake about it, documentation for documentation’s sake will not deter financial fraud.”

Risk Myopia

The relentless focus on SOX 404’s finer points has led many to believe that companies are experiencing “risk myopia.” The condition could best be defined as a form of nearsightedness wherein distant objects—namely, events that could affect the company and its goals—become blurred as management over-scrutinizes one particular process: internal control over financial reporting. Few executives doubt the importance of internal control—the process is fundamentally important to ensuring the reliability of financial reporting, deterring fraud, maximizing operational efficiency, and complying with regulatory requirements. But internal control is only one component of a complex matrix of risks that companies face, from machinery breakdowns and credit losses to competition and foreign currency movement.

Unfortunately, many believe that the current risk myopia is caused in part by resource issues attributable to the internal control provisions of Sarbanes-Oxley. “There is a danger to some degree because companies are so focused on getting Section 404 compliance over the goal line,” says David Bradley, director of risk assessment with $1.1 billion Equitable Resources in Pittsburgh.

Others agree that the sheer scope of the 404 compliance effort is leaving little room for risk management issues. “I don’t think a lot of companies are focusing on overall risks,” says Eli Lilly’s Hanish. “They are focused on getting documentation completed and the mechanics of documentation cleaned up in time for the audit review.” The result is that companies are unable to see the forest for the trees. “They haven’t stepped back and looked at the risk profile of the business,” adds Hanish.

But lack of resources may not be the only reason for the myopic risk vision. Kasey Reese, vice president of risk management and chief auditor at $5.5 billion Canadian telecommunications firm TELUS, argues that many companies are focusing too heavily on certain internal control components, particularly “control activities.”

According to the COSO Internal Control-Integrated Framework, which is the widely adopted standard for internal control that has been deemed “suitable” by both the Securities and Exchange Commission and the Public Company Accounting Oversight Board, “control activities” is one of five interrelated components that comprise internal control. According to Reese, some of the other components, like risk assessment and control environment (which sets the tone of the organization), have been neglected in favor of control activities, which are the policies and procedures throughout the organization. “How many problems involving accounting and governance standards have been the result of poor control documentation?” asks Reese.

Adding to the problem is the fact that many of the individuals overseeing SOX 404 compliance programs do not have risk management backgrounds. Though the CEO and senior management are ultimately responsible for internal control, the threat of the November deadline forced many companies to assign teams or individuals responsible for overseeing documentation, testing, remediation, and implementation of policies and procedures.

In some cases, those executives are chief compliance officers who came from the legal side of the business—most often the general counsel or corporate secretary. Those executives often lack risk-management experience, and sometimes lack the motivation to go beyond the letter of the law to fully assess and measure enterprise risk.

In other cases, the SOX 404 leaders are internal audit executives. That would seem appropriate, as auditors are experts on controls; however, it often amplifies the myopia problem by addressing only financial controls.

The Starting Point

But risk myopia does not have to be a permanent condition, and many finance and risk management executives expect it to be a short-lived phenomenon that fades away once companies pass the first round of SOX 404 assessments and attestations.

“The risk myopia, in my judgment, will not continue over the long term,” says Printer at Autobytel, “but will exist in the very short term as a result of a company’s need to focus on getting certified for the current fiscal year.” In fact, Printer and others believe that the SOX 404 process is a good starting point for addressing enterprise risks. “If used properly, the process of 404 attestation strengthens the notion that the company will look at all its risks far more comprehensively,” he says. “I see a period of major process improvement for many companies in the early part of next year as we study, modify, and improve upon our current processes.”

Indeed, companies have the best chance of overcoming this myopia when executive management pushes for a greater focus on risk management and provides additional resources to broaden the scope of these efforts into “enterprise risk management.”

Talk of ERM, generally defined as the process a company uses to identify and manage events within its risk appetite, has become more prominent this fall, in part due to an integrated framework released by COSO in September.

In the works since 2001, the publication purports to provide companies with a principles-based framework for identifying “all the aspects that should be present in every company’s enterprise risk program and how they can be successfully implemented.”

Indeed, companies are beginning to think about how to transition from SOX compliance to adoption of ERM strategies. “Section 404 compliance is just one slice of overall risk management, but it brings the entire issue of risk management to the forefront,” says Tom Nardi, CFO of $2.2 billion Peoples Energy Corp. in Chicago. “Our current ERM efforts are narrowly focused on specific risks rather than broader ERM,” he adds, noting the potential to expand the scope of ERM in the future.

Boards of directors are also increasingly using ERM to understand risks, measure their potential impact, and take steps to manage or transfer those risks. (See Richard M. Steinberg column on Page 46). “When done properly, ERM is not a compliance activity but a better way to manage the business,” says Michael Chagares, senior vice president and practice leader for business risk consulting at Marsh Inc.

Miles Everson, a partner with PricewaterhouseCoopers in New York and one of the authors of the ERM framework, also sees compliance as a starting point for—and the foundation of—ERM. “No company can afford to get compliance wrong,” he says. “The consequences of failure are too high.”

Moreover, the principles of the COSO ERM framework include all of the principles in the COSO internal control framework. Therefore, to be effective in ERM, companies must also have strong internal controls. “This is not the only place to start ERM, but you have to make sure there are no cracks in that foundation,” says Everson. After all, the events underlying a compliance failure may affect more than one risk management objective; for example, events creating compliance risks could also affect operational effectiveness and customer loyalty or broader business objectives.

Balanced View Of Risk

In many cases, SOX compliance work can strengthen enterprise risk management efforts by providing a more detailed process for managing one particular area of risk. That was the case at $17 billion Sun Life Financial, which maintains a comprehensive risk management framework to ensure it is tracking and monitoring threats throughout the company, and has appropriate processes in place to manage those risks.

According to Doug Brook, Sun Life’s vice president and chief risk officer, the company’s SOX 404 documentation work will strengthen its overall risk management efforts. “We can use the structured process and methodology for process documentation developed for SOX compliance and apply it to risk management,” he says. “It will be useful in improving the state of process documentation within the company and forcing a new discipline to keep that documentation up to date.” For example, Brook says that process documentation can reveal how changes to those processes can introduce risk. And understanding the number of processes in the organization can help individuals to understand the complexity of the organization.

Brook at Sun Life demonstrates how companies are increasingly looking at Sarbanes-Oxley as a very big first step to improving efficiency and managing risk for the organization. “The danger is that SOX compliance could become an expensive checklist in which companies do the minimum necessary to comply and move on to the next thing without generating value from the process,” says Brook. “It shouldn’t be a one-off exercise; it should fit into the overall process of managing risk in the organization.”

The same was the case at Eli Lilly and Co., where—in mapping and documenting financial processes—the company was able to identify redundant controls and streamline processes. That reduces work—and rework—which in turn minimizes duplication and errors without undermining the control structure or putting the organization at risk. “People have to get things right the first time,” says CAO Hanish. “Companies spend too much time fixing mistakes and that would not be necessary if people did things right the first time. By following documented procedures, they will get it right the first time.”

However, Brook warns that SOX compliance can only take a company so far when it comes to risk management. Every organization has different risk management needs based on its organizational structure, business, risks, and management approach, and each needs to develop a risk management approach that reflects those needs. “SOX compliance often requires a specific cookie cutter approach and that may not be the best process for dealing with risk,” says Brook.

Integrating SOX with ERM

Once companies get beyond the initial SOX 404 compliance hurdles, they need to develop a management process for quarterly and year-end reporting and evaluations of any changes in internal controls. According to experts, this management process could provide an infrastructure to support ERM efforts as well.

“Once that management process has been developed as a sustainable function, it will be relatively easy to expand this to include operational and enterprise risk,” says Ted Senko, global leader of KPMG’s internal audit services practice. That type of ongoing risk assessment process has been notably absent within many companies. Instead, many companies conduct initial risk assessments, but have no way to maintain and update that assessment. SOX compliance could provide a much needed infrastructure to support ongoing risk management.

With this built-in process in place, a company could time risk assessments to coincide with quarterly internal control evaluations and annual disclosure requirements, thereby infusing the company’s culture with an ethic of disclosure, transparency and risk management.

It could also help to coordinate risk management efforts in other parts of the company. “Three to five functions within the company have some element of risk planning,” says Senko. A formal reporting infrastructure could provide a single process for assessing and monitoring risk, and could do so on a regular basis. “This can provide a consistent and up-to-date view of risk because the risk assessment process happens continually, not occasionally,” he says.

At TELUS, Risk Management VP and Chief Auditor Reese expects information gathered during Section 404 compliance to inform the company’s annual and quarterly risk assessments and vice versa. That’s because TELUS conducts continuous risk assessments that involve the board audit committee, business unit controllers, internal audit and other key executives. During this process, executives are asked to identify key risks to the business. “Things can change quickly so you have to look at risk management regularly,” says Reese. Once TELUS has identified its key risks, the CEO reviews them and identifies the best owners of those risks who are then responsible for developing 12-month risk mitigation plans for those risks. This way, the company’s management, not the internal audit department, owns those risks.

That being said, most note that internal audit should be involved in the process of integrating risk management and compliance. That’s because it’s critical that the information used by management be timely, complete and of the highest quality. “Risk management relies on good quality data,” says Paisley Consulting CEO Tim Welu, “so this is crucial.” In addition, close coordination can help improve the quality and timeliness of data in the long term. “This also opens the door to developing continuous audit capabilities that can help support ERM and create the ability to conduct spot audits as needed.”

Continuous auditing doesn’t need to be “phase one” of a company’s ERM strategy, but it does illustrate the potential for managing risk in a much more proactive fashion. So while Section 404 compliance is a start when it comes to ERM, “it is only the tip of the iceberg,” says Bradley, the risk assessment director at Equitable Resources. “There’s a long way to go from [SOX] 404 to looking at the company’s strategic risks. There is so much more out there and a lot of opportunity to improve strategic processes and controls.”