Ever wonder what the risk is that you’ve wrongly assessed how you’re supposed to do risk assessments?

Sarbanes-Oxley has certainly put the concept of analyzing risks at the forefront of most compliance executives’ minds. But many companies often conflate the idea of a risk assessment under SOX (or under the U.S. Sentencing Guidelines, for that matter) with enterprise risk management. If you’re in compliance with SOX risk assessments, this thinking goes, you’re “doing ERM,” and vice-versa.

In fact, experts tell Compliance Week, the two terms are very different.


“The phrase ‘ERM’ is being used for more than what it is,” says Kristina Stielau, a compliance manager at Teleflex, a $1.9 billion industrial parts manufacturer. “ERM is coined as a best practice, but I don’t know a large percentage of companies out there that actually perform true ERM.”

David Richards, president of the Institute for Internal Auditors, surmises that the reason stems from the amount of time and energy it takes to establish a well-defined ERM program. “I know from having gone through one, it is a long-term initiative, and anyone who’s gone down the path of establishing an enterprise-wide risk management program knows that you’re not talking about something that you’re going to put in place within a year.”

But Richards is also quick to add: “That does not mean that companies that don’t have an enterprise-wide risk management program do not have risk-management philosophies in place. It may just be less formal, and it could be incomplete.”

That less formal, incomplete view of what a risk assessment is may come from the advent of SOX and the U.S. Sentencing Guidelines. Both regimes expect companies to assess their risks annually, with potentially severe consequences for the ones that don’t. That has driven companies to focus only on their compliance risks (since those are the most immediate worries), “which is only one component of the overall risk profile that a business may be incurring,” says Richards.


Richard Cellini, head of marketing at compliance software firm Integrity Interactive, agrees. In fact, he stresses, SOX only dwells on assessing financial reporting risks, an even narrower focus than the U.S. Sentencing Guidelines. “A lot of people think Sarbanes-Oxley is sort of a tremendously vast statute. It really isn’t,” he says.

The primary focus of SOX is on material misstatements in financial reports, plus any information that readers of a financial statement might find “incomplete, inaccurate, or in some way distorted,” Richards says. And unlike the Sentencing Guidelines, which only address criminal conduct, SOX focuses on violations that are both civil and criminal in nature.

An ERM program, on the other hand, is “more far-reaching than a true ethics and compliance risk assessment,” says Stielau. “It delves deeper into strategic planning, operational, and internal controls, as well.”

Shawn Tebben, of the consulting firm Protiviti, describes risk assessments as a funnel: the broad ERM risk assessment is information at the top of the funnel, which eventually narrows down to the financial reporting risks associated with SOX.

“Basically, a proper ERM program is a perfect marriage of the Sentencing Guidelines and Sarbanes-Oxley,” Integrity’s Cellini says. It requires companies to assess risks that are both criminal and civil, within a broad range of categories both financial and non-financial, he says.

Another major difference is that while an ethics and compliance risk assessment can be an annual process under Sarbanes-Oxley, ERM should be a constant process since organizations change and new risks are always evolving, Richards says. “It’s not necessarily clear-cut, and that’s why it needs to be reviewed on an ongoing basis,” he says.

SOX as ERM Framework

But while a SOX risk assessment may be limited in scope, the elements that make it up can be used as a framework to apply more rigor to other areas of risk management within a company, Tebben says. For example, in addition to a risk assessment, SOX also requires that organizations evaluate the design of their internal controls to ensure effectiveness, and that they validate that those controls operate effectively, she says.


“So, when you think about those elements that companies had to focus on to get and stay compliant, they are the same kinds of things you would want to think through and mature in your other risk areas,” Tebben says. “Using those lessons learned would definitely be a best practice.”

Another best practice when thinking about ERM is to consider compliance with SOX Sections 302 and 404 as a single component of continuous reporting, “because the two are inextricably linked,” Tebben says. Section 404 governs internal controls over financial reporting, while Section 302 addresses “disclosure controls” to ensure that all corporate data that should be disclosed does get captured in company filings. But, Tebben says, “Internal controls over financial reporting are a subset of the disclosure controls.”

Basically, Cellini says, internal controls are “a set of controls the company uses to direct its own employees and officers in the proper handling and distribution of financial resources.” This includes how money is spent, how funds are accounted for, and how accounting is done internally.

Disclosure controls, on the other hand, apply more broadly to material, non-financial, and financial information that a company needs to disclose, Tebben says. “You’re involving more your operational, your legal, and your compliance folks in a broader context than their involvement in internal control over financial reporting,” she says.

Sections 302 and 404 “are the yin and yang to each other,” Cellini says. “They should dovetail completely and entirely; what you’re saying externally should be consistent to what you’re doing internally, and what you’re doing internally should be consistent with what you’re saying externally.”

An additional element common to both SOX and ERM is the involvement of senior management, even though disagreements can arise over who should oversee the process. “It’s definitely not a one-solution-fits-every-company kind of a thing,” Tebben says.

In general, best practice for large corporations is to establish a risk department and appoint a chief risk officer, Richards says; smaller organizations often can appoint one key person in charge of the whole process.

That key person, Tebben says, should have a good understanding of “what makes the company work and what’s effective for the organization so they can help bring risk information to the decision-making process.” She adds: “It’s more about the person being culturally astute and being very action-orientated and having the ear and trust of the executive team that really makes for a more successful oversight.”

Even with the right person in charge, a good risk-management program involves several years of intense effort. “To even embark on that process, there is a lot of work that needs to be done upfront,” Stielau of Teleflex says. “For instance, you really need to have a well-defined structure of objectives and expectations of what’s needed for an ERM. You need the appropriate staffing, you need the funding, and the buy-in from all levels of the organization from top-down.”

“So having that commitment at management level is going to take some work, not only resource wise, but time wise to accomplish it and to make the necessary adjustments,” Richards says.

By continuously monitoring and improving your organization’s ERM activities, Tebben says, senior management “can have greater confidence in taking on new or increased risk, because they’re comfortable that their capabilities to manage those new risks are in place and, therefore, are able to position the company to create enterprise value that will be for the benefit of all stakeholders.”