Saturday, August 23, 2008

Myth vs. reality: Sarbanes-Oxley and ERM...

Myth vs. reality: Sarbanes-Oxley and ERM; A recent IIA Research Foundation study finds that most companies are not leveraging compliance efforts to implement enterprise risk management


James Roth


As companies around the world struggle to comply with the U.S. Sarbanes-Oxley Act of 2002 or one of the growing list of regulations modeled after the law, they want to make sure that the resources they're expending benefit the business. Many of these companies are talking about expanding Sarbanes-Oxley compliance into enterprise risk management (ERM). On the surface, this seems like a natural progression. After all, Sarbanes-Oxley deals with financial reporting risks and controls; ERM deals with all risks and controls.


A recent IIA Research Foundation study, Four Approaches to Enterprise Risk Management ... and Opportunities in Sarbanes-Oxley Compliance, draws some surprising conclusions about the current state of ERM. The expansion from Sarbanes-Oxley to ERM is not happening--at least not yet. But companies that have implemented ERM have proven that the transition does not have to be the resource-intensive, somewhat academic exercise it is often presented to be.


The research consisted of an online survey, focus group discussions, and in-depth case studies. It began with three assumptions:


* Companies that are complying with Sarbanes-Oxley Section 404 have developed risk assessment tools that can support an ERM program.


* Companies with ERM in place have been able to integrate compliance with Section 404 or similar regulations into their existing ERM process.


* Organizations that want to expand Section 404 compliance into ERM will get professional guidance from The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management-Integrated Framework.


The results of the research suggest that these assumptions, while not entirely wrong, were not exactly correct either. Sarbanes-Oxley compliance can be a stepping stone to ERM, but not in the way, or to the extent, anticipated. Instead, the findings indicate that there are myths and realities regarding Sarbanes-Oxley compliance and ERM. At the same time, the study reveals that companies are taking a variety of approaches to implementing ERM.


MYTHS AND REALITIES


The ERM study's assumptions were based on what researchers were hearing from seminar participants, professional colleagues, and consulting firms. Although there may be organizations whose experience fully supports these assumptions, the fact that the study could not identify any such organizations strongly suggests that, if they exist, they are the exception, not the rule.


MYTH NO. 1: THE SARBANES-OXLEY SECTION 404 COMPLIANCE PROCESS AND TOOLS CAN BE EXPANDED INTO ERM. This assumption seems logical. If an organization has implemented all five components of COSO's Internal Control-Integrated Framework--control environment, risk assessment, control activities, information and communication, and monitoring--toward financial reporting objectives, risks, and controls, it should be able to apply the same process and tools to the other ERM objectives. All that remains is to ensure that objectives are aligned and aggregate the results of the detailed analyses into a portfolio view of risk. In fact, the most important component--the control environment--is the same for all objectives, so it should already be fully in place. Also, the process used to aggregate Section 404 testing results into the overall assertion on internal control over financial reporting should be a sound basis for the ERM aggregation process.


The 359 responses to the online survey confirmed that this assumption is a widely held belief. Of respondents whose organizations are Sarbanes-Oxley compliant, 76 percent at least intend to expand their efforts into ERM, including 25 percent who say they are in the process of doing so and 8 percent who say they are well along or fully implemented.


REALITY: ORGANIZATIONS HAVE NOT YET LINKED SARBANES-OXLEY COMPLIANCE AND ERM. A closer look at the organizations that reported they were well along or had fully implemented ERM revealed that some were using entirely different processes for the two efforts. It was only in the third year of Sarbanes-Oxley compliance that they were looking at ways to integrate the two.


According to the research, the main reason organizations haven't linked Section 404 compliance with ERM is that compliance has not been risk-based for most companies during the first two years. Instead, their driving motivation has been satisfying their external auditors that the organization's process for evaluating financial reporting controls is sound. Early on, the audit firms were not in a position to give their clients guidance on what would satisfy them because they had not received any guidance from the U.S. Public Company Accounting Oversight Board (PCAOB). The situation did not improve when the PCAOB produced that guidance in Auditing Standard No. 2 (AS2), because AS2 focused so heavily on documenting and testing control procedures that it tended to discourage, rather than encourage, a risk-based approach. Also, external audit firms were concerned that PCAOB examiners would find their work deficient if they did not do enough testing, which drove up audit fees and resulted in their clients doing more testing.


It was only after reviewing first-year compliance efforts that the U.S. Securities and Exchange Commission (SEC) and PCAOB in May 2005 made it clear that they intended a top-down, risk-based approach. By then, companies were already well into their 2005 work and found it more expedient to use the same process as previous years, rather than try to develop a fundamentally different approach. It was not until December 2006 that the SEC and PCAOB began to clarify what this meant in practice. At this time, the SEC produced a draft of guidance for management, and the PCAOB proposed a new standard to replace AS2. Both are in the public exposure process at the time of this writing.


MYTH NO. 2: ORGANIZATIONS WITH ERM IN PLACE HAVE BEEN ABLE TO INTEGRATE SARBANES-OXLEY SECTION 404 COMPLIANCE WITH RELATIVE EASE. This assumption might have been correct if companies had taken a top-down, risk-based approach to Section 404 compliance from the beginning. Even then, most companies with ERM would have had to go into more detail with financial reporting controls than they had with other controls, but the risk assessment would have been completed and the number of "key controls" reasonable.


REALITY: ORGANIZATIONS WITH ERM IN PLACE HAVE APPROACHED SECTION 404 AS A SEPARATE PROJECT. Countrywide Financial Corp. is an example of a company that has taken ERM to a level of detail sufficient for Sarbanes-Oxley compliance. At Countrywide, Section 404 compliance is separate from the company's enterprise risk assessment structure. Countrywide decided that Sarbanes-Oxley compliance should be driven by its finance function, which makes sense for a variety of reasons, whereas enterprise risk assessment is a separate, more holistic function. The company is planning to integrate Section 404 compliance into its enterprise risk assessment program. Countrywide's experience suggests that other companies should be able to integrate compliance and ERM as the initiatives mature.


MYTH NO. 3: THE COSO FRAMEWORKS ARE GUIDES FOR EXPANDING SARBANES-OXLEY SECTION 404 COMPLIANCE INTO ERM. COSO developed the ERM framework by applying the principles and concepts from its internal control framework to ERM. The COSO ERM framework incorporates the control framework--it does not replace it. Thus, companies using the control framework for Sarbanes-Oxley compliance should be able to incorporate the additional items from the ERM framework to implement ERM.


REALITY: A CONCEPTUAL FRAMEWORK IS NOT A "HOW TO" GUIDE. In fact, a 1997 IIA Research Foundation study, Control Model Implementation: Best Practices, found that no two organizations were implementing the COSO control framework in exactly the same way, and that many of the best implementations did not look much like the framework. The recent study found this to be true of the ERM framework as well.


The correct way to implement a conceptual framework is to internalize the key concepts, translate them into the organization's language, and apply them in a way that fits the organization's culture. The research posits that an organization has implemented ERM if three central concepts of the ERM framework are operative:


1. Risk management must be embedded in the corporate culture. Everyone in the organization must have the same understanding of what risk is and how much risk they should accept when making decisions.


2. ERM must be applied throughout the organization and include all categories of objectives and risks. ERM cannot be implemented in silos by specialists who focus on well-known risks.


3. ERM must provide an entity-level portfolio view of risk that is compared to the organization's overall risk appetite and used in strategic planning. Risk assessments must be aggregated from lower levels so upper management can understand the total risk of the organization, see where the greatest risk lies, and make strategic decisions based on this understanding.


To integrate Sarbanes-Oxley compliance with ERM, companies should find the most cost-effective method that fits their culture and management style. Companies can then compare their practices to the COSO ERM framework to determine how each element has been implemented. They can also use the framework to demonstrate to stakeholders that they are practicing ERM effectively.


A VARIETY OF APPROACHES


Although Sarbanes-Oxley Section 404 compliance and ERM may not be linked in most organizations, there are real opportunities for moving ahead with ERM. For example, audit committees of companies listed on the New York Stock Exchange are now responsible for overseeing the companies' major risks and the risk management process. They will want to see a robust, formalized ERM process.


The three key ERM concepts can be integrated into an organization without a lot of effort if it has already implemented some ERM elements. The Research Foundation study uncovered a variety of approaches that organizations are taking to implement ERM.


COUNTRYWIDE The largest independent originator and servicer of mortgage loans in the United States, Countrywide has the most comprehensive ERM program of the organizations in the study. Under the leadership of Senior Managing Director Walter Smiechewicz, Countrywide is currently building Sarbanes-Oxley functionality into an internally developed enterprise risk assessment software application. The Countrywide Organizational Risk Assessment Database (CORAD) includes about 530 risk matrices, 9,500 risks, and 27,000 controls. The software guides risk matrix owners through a detailed analysis and assessment of each risk and aggregates risks to higher levels through risk dashboards and other reporting features. Managers at each level review the risk information for the areas they oversee and determine whether it is within their risk appetite. At the highest level, an enterprise risk assessment map presents the portfolio view of risk used by Countrywide's executives and the board of directors in strategic planning.


In addition to CORAD, Countrywide's Enterprise Risk Assessment division has 45 professionals with risk assessment responsibilities. They are supplemented by 112 internal auditors within the Enterprise Risk Assessment division and the risk management specialists in another division who manage credit and market risk for Countrywide.


Enterprise risk assessment at Countrywide has both a bottom-up and top-down governance structure. It has led to a major restructuring of committees from the board level down through operating units. This restructuring has improved the flow of risk information throughout the organization.


ABC CO. Countrywide's program is truly "best practice," but it may not be the best ERM approach for everyone. ABC, a Fortune 500 manufacturing firm that asked not to be identified by its real name, has taken a "minimalist" approach to ERM. This approach is possible because of the company's unusually integrated business model and pre-existing strategic planning and risk management practices that together addressed all major risk categories.


ABC's ERM framework is based on a matrix of seven areas and 32 risk categories. In the beginning, the company's business unit leaders used the matrix to ensure all categories of risk were adequately managed by taking inventory of the risk management activities that were in place. They found that all major ongoing risks were covered. They realized, though, that the changing business environment was creating risks not yet covered by their normal management processes. The leaders identified and assessed about a dozen of these "enterprise risks." The company now monitors and regularly reports on the management and status of these risks and periodically updates the list of enterprise risks. Beyond that, the board has approved a formal risk management policy that includes an expanded version of the risk matrix.


Unlike most companies, ABC used a risk-based approach to Section 404 from the beginning. ABC integrated Section 404 compliance into ERM simply by including it in the company's inventory of risk management practices and presenting it as such in the risk management policy. Because ABC's approach to ERM meets its needs with minimal cost, it may be a good alternative for organizations that do not need, or are not likely to support, a more robust ERM program.


AQUILA INC. Although energy company Aquila has taken longer to implement ERM, its journey may be more typical than those of Countrywide or ABC. The company's ERM effort was led by internal auditing, which put several ERM building blocks in place, with management's support, and eventually formalized an ERM implementation plan that transferred leadership to a cross-functional ERM advisory team.


As internal auditing facilitated risk management workshops, it found that the theoretically correct way of assessing risk did not always work well in the company. Auditors made several practical adaptations to their technique. For example, beginning at the theoretically correct starting point of assessing inherent likelihood--the likelihood of a risk event occurring in the absence of controls--did not work well at Aquila because managers had trouble abstracting from the controls they knew were in place. Auditors switched to having workshop attendees assess the actual likelihood that "controls are currently in place." They also have attendees assess impact based on a reasonable worst-case scenario. Their thinking is that the likelihood of some catastrophic events is so remote that it is not realistic to make decisions based on them. Therefore, the practical question to ask about impact is, "What is the worst thing that could realistically happen?"


In addition, workshop attendees assess how tolerant Aquila should be of each risk area. Their desired tolerance levels incorporate the four risk responses in COSO's ERM framework--avoid, reduce, share, and accept--translated into terms that Aquila managers can easily understand:


9 VERY TOLERANT -- Will accept occurrence (no action).


7 TOLERANT -- Will accept occurrence, but will react promptly to manage the impact (reactive).


5 LIMITED TOLERANCE -- Will take proactive measures to reduce the frequency of risks and partially mitigate the impact (controls).


3 MINIMAL TOLERANCE -- Will transfer or substantially mitigate risk (insure, hedge, or outsource).


1 AVOID -- Cannot tolerate occurrence; will divest risk (sell or exit).


Although workshop attendees vote on a nine-point scale, the auditors define only five of the tolerance levels. This approach is more efficient because individual participants don't waste time deliberating whether the tolerance should be one level or the next, such as limited or minimal tolerance. If it's in between, they simply vote the even number, and their vote factors into the group's overall rating.


Aquila provides the most explicit examples in the study of integrating Section 404 compliance efforts into ERM, although these were initially considered separate activities. In the first year of compliance, internal auditing facilitated a six-hour workshop with executive management to assess companywide financial reporting risks using the COSO ERM framework. Two years later, internal auditing facilitated executive workshops to assess all risks, using an internally developed set of 45 categories. This process identified the five biggest risks facing Aquila. Two of these risks were financial reporting and fraud--not because of any specific concerns at Aquila but because of the heightened concern created by Sarbanes-Oxley. To address financial reporting risk, auditors used a risk-based approach that substantially reduced the number of key controls and amount of testing. Internal auditors addressed fraud risk by working with employees in 16 areas of the company to identify 144 possible fraud scenarios. They reviewed the company's Sarbanes-Oxley documentation for controls that would prevent or detect each fraud scenario and mitigated gaps as needed.


EXPANDING COMPLIANCE INTO ERM


Although the Research Foundation study did not produce a "how to" guide for expanding Sarbanes-Oxley into ERM, the experience of the case study companies presents valuable lessons learned for organizations that want to move into ERM.


* The existing Sarbanes-Oxley Section 404 process and tools in most organizations are not a good starting point for ERM. The real opportunities that Sarbanes-Oxley presents for ERM are the heightened interest in risk management by executives and stakeholders, and operating management's increased awareness of risks and controls. Overtly linking ERM to Sarbanes-Oxley should help with the first two groups but may be counterproductive with operating management if they believe Section 404 compliance has been a waste of their time.


* There is an opportunity to take a truly top-down, risk-based approach to Sarbanes-Oxley Section 404 as part of ERM implementation. A risk-based approach can make Sarbanes-Oxley compliance dramatically more efficient. It can also integrate Sarbanes-Oxley compliance into the normal management process--making compliance efforts sustainable--as well as point the way toward integrating all other compliance functions into a single, meaningful ERM process.


* Organizations should internalize the concepts in the COSO ERM framework, rather than use it as an implementation guide. The ERM process should incorporate the key COSO concepts and fit the organization's industry, culture, and management style.


* The COSO ERM framework can provide a basis for checking whether the organization is missing anything essential. While building ERM, internal auditors can compare what the organization is doing to the framework to identify gaps. When the process is relatively mature, internal auditors can document what is in place for each of the eight COSO ERM components. This documentation can provide assurance to internal and external stakeholders that the ERM process is sound.


* Internal auditors should look for specific opportunities to foster ERM in their organization. Sponsorship by a senior executive, ideally the chief executive, can help ERM efforts. Auditors can also highlight benefits to be gained with regulators, insurers, lenders, rating agencies, and investors. They can also use existing risk management or self-assessment practices to ease the burden of implementing ERM.


* The starting point for ERM can be either top-down or bottom-up. A common top-down starting point, illustrated by Aquila, is to have executive management identify the top 10 risks for the organization as a whole, then drill down into those risks and expand from there. A good bottom-up starting point, illustrated by ABC, is to inventory existing risk management practices, identify gaps, and fill the gaps with practices that are consistent with what already exists.


Sarbanes-Oxley and similar regulations have created a climate in which audit committees, executives, regulators, rating agencies, and other stakeholders want to see a formal ERM process in place. Internal auditors who internalize the key concepts of ERM and find practical, cost-effective ways to implement them can make a major contribution to improving risk management, control, and governance in their organizations.


To comment on this article, e-mail the author at james.roth@theiia.org.


JAMES ROTH, PHD, CIA, CCSA

PRESIDENT, AUDITTRENDS


COPYRIGHT 2007 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning

2 comments:

Unknown said...

Super comparison, I liked your blog post.


Online Accounting Software

evergreensumi said...

It has been simply incredibly generous with you to provide openly what exactly many individuals would’ve marketed for an eBook to end up making some cash for their end, primarily given that you could have tried it in the event you wanted.
fire and safety courses in chennai