Having worked with many boards of directors, I can say that most directors now understand what Sarbanes-Oxley is all about. They’ve spent the last few years dealing with many of its provisions, with audit committees spending significant time on Section 404's internal control requirements. Some initially lost sight of other important responsibilities, although generally boards have returned to a more balanced approach of providing effective advice, counsel, and direction on strategic business issues in addition to their compliance monitoring roles.

Some directors and advisers out there, however, still simply misunderstand what the board’s role is with respect to SOX and risk management—to a point where, in this day, it’s absolutely amazing to see. And I’m not talking about people on the fringes, but rather supposedly knowledgeable individuals whose views are published in respected journals.

SOX and Risk Management

Recently I came across an article in a journal geared for corporate board members, which I was scanning in my usual fashion for any new, valuable insights or perspectives. I didn’t get far when the following brought me up short:

One need only view the organizational wreckage left in the wake of the sub-prime mortgage crisis to agree that regulatory-based risk management is both fatally flawed and a specific example of the weaknesses of the Sarbanes-Oxley Act. Anecdotal examples of the cause and effect currently fail to explain why so many audit committees, which are required by SOX to engage in the assessment of risk, do not appear to be doing so. If there are ever a series of risks that should be identified, quantified, and communicated to stakeholders, it seems that credit-related risks should be considered garden variety.

Are the article’s authors—one a professional engineer and lead independent director, the other the senior vice president of a consulting company—really trying to get me to agree that SOX requires audit committees to engage in risk assessments that, if done as required, would have averted the sub-prime mortgage crisis? I reread the assertions several times, and each time I wondered why the writers would ask me and other readers to agree to such a conclusion. More importantly, I wonder how many readers are being misled by this stuff.

Those of you familiar with SOX know full well that it calls for a number of management reports and certifications, including on a company’s internal control over financial reporting and its disclosure controls and procedures. And indeed SOX places significant responsibilities on a company’s audit committee. But where does SOX require assessing risks of the type dealing with events like the sub-prime mortgage debacle?

Certainly there is a required focus on risk stemming from SOX, but it deals with internal control over financial reporting—that is, risks related to bad financial reporting, and related internal controls to prevent or detect material misstatements. Interestingly, this requirement to consider these risks actually comes from the standard companies use to measure their internal control systems against: COSO’s Internal Control—Integrated Framework. It includes risk assessment as one of the required components of effective internal control.

But to suggest that effectively identifying risks related to financial reporting would have prevented the massive losses resulting from collateralized debt obligations is absurd. Financial reporting controls deal with properly reporting such losses when they occur and do not deal directly with preventing them. At precisely what point financial statements should have started to reflect diminution in value of CDOs is subject to debate. But we should not suggest that financial reporting controls—which relate to reporting a company’s financial position and results of operations—include operational controls that deal with making business decisions driving a company’s financial success. From a pragmatic standpoint, overlaps do often occur, but a clear distinction can and must be made when it comes to compliance with SOX’s requirements.

Audit Committee, Board Responsibilities

As for a SOX requirement that audit committees assess risk, I wondered whether my memory might be completely shot and went back to the original language of the Act and searched on the term “risk.” Well, I’m pleased to report that my mind’s memory card is still working reasonably well.

Yes, audit committees are required to “discuss policies with respect to risk assessment and risk management”—but this is a rule not of SOX but of the New York Stock Exchange. This rule and related commentary, by the way, are not entirely clear as to whether the requirement relates solely to financial reporting risk or risk more broadly—and many boards and audit committees tend to view the rule narrowly. In any event, while many public companies’ boards of directors look to the NYSE rules as best practice, only companies listed on the Big Board are required to follow them.


And of course there are other rules relating to risk, including Securities and Exchange Commission requirements for extensive disclosures regarding risks, the U.S. Sentencing Guidelines dealing with periodic assessment of the risk of criminal conduct, and recent court cases addressing boards’ responsibilities. Of particular significance is the 2006 ruling of the Delaware Supreme Court upholding the Chancery Court’s decision in Stone v. Ritter. In so doing, the Court upheld the landmark Caremark decision, and added important wording. It said that board liability would exist if “the director failed to implement any reporting or information system or controls,” or “having implemented such a system or controls, consciously failed to monitor or oversee its operation, thus disabling themselves from being informed of risks or problems requiring their attention.”

What should boards of directors be doing about risk management? Looking to the few rules out there, as well as legal decisions, we can say that best practice calls for a board to be informed and engaged in risk management oversight. Please keep a sharp focus on the word “oversight.” Boards are not directly responsible for doing risk assessments or for risk management; a company’s management has that responsibility. The board needs to see that management is doing that element of its job well, and bringing the right information to the boardroom.

So, in summary, a board needs to be comfortable that management is managing risk, with an effective process in place to identify, assess, and manage risks; that the company’s risk appetite is appropriate; and that the board is receiving relevant information on significant risks and the steps management is taking to manage those risks. This is reasonably straightforward in concept, although it can be challenging to effect properly in practice, requiring experience, insight, seasoned judgment, and diligence.

An Engineer on Every Board!

Getting back to the subject article, the writers continue:

Generally speaking, most directors understand and appreciate the importance of incorporating risk in any decision-making process. Unfortunately, few corporate boards have the ability to take a comprehensive approach to an assessment of risk. Worse yet, those same corporate boards are missing the tools needed to establish a practical understanding of the comparative relationship of risk, strategy, and the ongoing health of the organization that they are tasked with serving.

It’s not clear what is meant by “a comprehensive approach to an assessment of risk,” but if this means a board should be comprehensively assessing risk, this would be holding boards to an untenable standard. I’ve outlined above in broad terms what a board should see as its responsibilities. Conducting comprehensive risk assessments is not one of them.

More telling to what’s really behind the article is the writers’ thrust that there is a need for an engineer on a board of directors. After the aforementioned reference to “missing the tools,” they say: “[A]necdotal evidence suggests that there is a shortage of the much-needed discipline that engineers bring to the table.” They then go on at great length outlining the qualities engineers bring.

The thrust of the message is that the make-up and qualifications of most boards are deficient because they don’t include a professional engineer among their members. I, by the way, have absolutely nothing against engineers and have worked with a number of engineers doing a fine job serving as members of boards of directors. Indeed, my grandfather was an accomplished professional engineer for whom I’ve always had the deepest respect. And many boards have (or could well use) a member with the qualifications and skill sets engineers bring to the table. But to try to make the case that as a general rule boards need to include a professional engineer is absurd.

I guess this just goes to demonstrate that we all need to maintain a healthy level of skepticism in what we read. Does that go for my columns as well? I’ll leave you readers to decide!