The stage is set for enterprise risk management. Sarbanes-Oxley forced companies to spend a great deal of time and money demonstrating oversight of financial risk—often to the point of overkill. Now, with new guidance from the Securities and Exchange Commission and the Public Company Accounting Oversight Board’s Accounting Standard No. 5, the tectonic shift from bottom-up, cover-your-tail, control-based SOX compliance to top-down, risk-based, strategic compliance officially has been blessed.

At this early stage, companies employing aggressive, fully formed enterprise risk management strategies are few—and most are wary of discussing their programs in detail. The rest might have something to learn from firms like Centerline Capital Group and Aquila, which—from very different starting points—are well along in the quest for making enterprise risk management real.

Enterprise risk management aims to nail down a company’s diverse risks—financial, operational, reputational, you name it—and to get that information in front of executives and managers who are in a position to make better business decisions based on that knowledge.

In its 2004 “Enterprise Risk Management: An Integrated Framework,” the Committee of Sponsoring Organizations of the Treadway Commission lists ERM benefits including improving the deployment of capital, aligning corporate strategy with the organization’s taste for risk, and nipping operational surprises and losses in the bud. The result, in theory, should be greater profitability.

Because companies have to comply with Sarbanes-Oxley anyway, leveraging SOX efforts into a more strategic ERM should be the equivalent of turning lemons into lemonade.

Stephen Wagner, managing partner of Deloitte’s U.S. Center for Corporate Governance, said the comprehensiveness of many companies’ SOX control-documentation efforts could bear unexpected fruit.

“They were documenting all kinds of controls—strategic, operational—that had nothing to do with financial controls but did address risk,” Wagner said. “I think a lot of that activity could potentially be leveraged if looked at again.”

But Wagner said he felt that most companies have been overwhelmed with the cost of compliance and the uncertainty of the regulatory regime. Most, he said, are rationalizing existing controls, figuring out their approach to the latest guidance, and working with their auditors on AS5.

“They don’t have the resources,” Wagner said. “They’re still adapting.”

And the data back him up. Of 359 responses to an Institute of Internal Auditors survey published earlier this year, 76 percent of SOX-compliant organizations intended to expand SOX-related risk management into a broader ERM function, with 25 percent already doing so and eight percent “well along or fully implemented.”

But the study found that those who said they were at least “well along” had not in fact linked SOX Section 404 compliance with ERM efforts; rather, the companies were using entirely different processes.

Assessments and Accountability

Real estate finance firm Centerline Capital Group is among those using SOX as a means to ERM. The 550-employee company viewed Sarbanes-Oxley as “a great leveraging tool in identifying risks and controls that are not financial-related,” says Domenick Claudio, senior vice president of corporate compliance for the Centerline Capital Group.

To achieve that leverage, Claudio presented the idea of establishing an enterprise risk management regime to the audit committee. His team developed risk questionnaires for senior management, senior staff, and managers, asking them to contemplate such things as reputation, credit risk, and value to shareholders in addition to more traditional fraud and financial risks. The results, he said, have been fed into an enterprise risk assessment model that provides a purview to risk at the entity level. It identifies risks, the probabilities of their occurring, and the financial impact of them becoming a reality.

Centerline is also creating the new position of Assistant Vice President of Enterprise Risk Management, Claudio said; SOX compliance will fall under the new VP’s aegis, but the job is to identify key risks—financial and otherwise—and help management mitigate them.

Given the strategic nature of such an ERM effort, it made sense to bring the effort in-house, which has so far saved $1 million in outside consulting fees related to SOX compliance, Claudio said. That doesn’t include the benefit of cultivating risk management-related knowledge in-house, he said.

“Management has embraced this because it reduces the cost of external resources and it makes people more accountable,” Claudio said.

Unlike Centerline, which used SOX as entrée into ERM, Aquila was doing ERM before Sarbanes.

The electric and natural gas utility began thinking about enterprise risk management more than five years ago and was well along when Sarbanes-Oxley struck. Key to Aquila’s ERM effort was establishing a company-wide foundation for understanding and assessing risks, said Lynn Fountain, Aquila’s vice president of risk assessment and audit services. To help educate everyone on the process, Fountain’s group held risk-management workshops with top managers in the field, she said.

By the time SOX became a factor, Aquila’s audit group already viewed compliance through a risk-based lens. However, Fountain says, the company still approached SOX from a bottom-up perspective “because we were trying to cover ourselves like everyone else.”

Still, Fountain’s group developed an accounting risk-assessment process from an overall business perspective. It developed into a financial statement risk-assessment process that prioritized risks based on susceptibility to fraud, transaction volume, and several other factors.

Because successful ERM requires buy-in from the far corners of an organization, Fountain’s focus has been on the “people” aspects of risk management, she said. She visits business units and gives talks on both SOX and ERM compliance efforts. To companies considering ERM, she suggests avoiding the appearance of a new initiative such as SOX.

The Institute of Internal Auditors would applaud her approach. That’s because the organization has acknowledged that SOX compliance was perceived as a “project,” not an ongoing process that adds value to an enterprise. In a report published by the IIA, operating managers said they viewed SOX as “an exercise in minutiae,” and “correctly perceive that most of this work has been a waste of their valuable time.”

Centerline and Aquila may soon have more company, as other enterprises take steps to become sophisticated ERM practitioners. Jeff DeRose, technology evangelist at risk and compliance software firm OpenPages, claims his firm has seen a spike in organizations wanting to expand SOX, IT governance, and other risk-management platforms into more comprehensive ERM systems. In fact, he argues that the push from boards, shareholders, and top managers to more thoroughly understand a company’s full portfolio of risks will continue to drive interest in ERM.

“The trend is irreversible,” DeRose said. “There’s no going back.”