Thought Leadership
Turning Lemons into Lemonade: Leveraging Sarbanes-Oxley to Evaluate Enterprise Risks
An effective enterprise-wide risk management plan can deliver a proven, sustainable framework that is the perfect complement to Sarbanes Oxley.

I. The Challenge: Extracting the Most Value from Sarbanes-Oxley Compliance

As the June 2004 deadline for complying with the most significant aspects of the Sarbanes-Oxley Act of 2002 (SOX) approaches, executive support for SOX has fallen dramatically. In a PricewaterhouseCoopers survey, only 30 percent of 136 chief financial officers of large global companies had a favorable opinion of the law in June 2003 (one year after its passage), down from 42 percent the previous October.

The reasons are simple. Complying with SOX mandates can be costly and time-consuming. Some global companies have estimated that it will cost between $10-$20 million to create the framework needed to fulfill SOX requirements on an annual basis. One CEO said that the law is akin to tossing “buckets of sand into the gears of the market economy,” and another was quoted as saying that, “As a general rule of thumb, any bill that passes the United States Senate 97-0 is probably a horrible idea.” In fact, some companies decided to de-list from public stock exchanges and forgo access to the public debt market rather than submit to the detailed requirements of SOX.

Yet, for those companies determined to parlay the information gleaned from SOX into a competitive advantage, an important silver lining beckons. The information that companies gather while complying with SOX, particularly concerning internal controls and risk identification processes, can open up entirely new windows into the long-term health of the business. To put it another way: public companies are being mandated to look under the hood and tick off a checklist of items; why not check the heart of the engine?

Indeed, some forward-thinking CEOs have determined to make the most of the risk management opportunity that SOX offers. According to one, “It’s bitter medicine, but the patient, at the end of the day, will be better.” By combining efforts to comply with SOX with an enterprise risk management program, the patient can, in fact, improve dramatically.

II. The Background: Corporate Governance as an Issue

In mid-2002, legislation addressing corporate governance reform languished in Congress. Arthur Andersen’s June 15 obstruction of justice conviction stemming from the firm’s audit of Enron seemed to mollify public outrage over a series of corporate governance debacles, from Enron’s implosion to Global Crossing’s misstatement of revenues. Then, on June 25, telecom giant WorldCom announced that it had uncovered more than $3.8 billion in accounting irregularities (the company eventually announced it had overstated revenues for a three-year period by more than $9 billion). Overnight, Congress was inundated with demands for tough new anti-fraud legislation aimed at corporate malfeasance.

The result was SOX, signed into law by President Bush on July 30, 2002. SOX is the most comprehensive corporate anti-crime law in American history, addressing a broad range of wrongdoing, from altering financial statements to misleading auditors, to intimidating whistle-blowers. The passage of SOX marked a watershed in the evolution of the corporate governance issue. Corporate governance has moved on and off CEOs’ radar screens since it first emerged as an issue in the late 1960s. That was a time when huge conglomerates, holding companies with unrelated assets, were being criticized for failing to run their corporations more efficiently.

Corporate governance as an issue took a back seat in the 1980s, when the S&L crisis and third-world debt issues sparked concerns over markets and credit risk. In the mid-1990s, operational risk issues and the subsequent trend toward corporate “reengineering” were all the rage. In the late 1990s and 2000, CEO concerns centered on New Economy demands: new technologies, becoming a “dot-com,” and hiring the most tech-savvy employees.

That, as they say, was then. Corporate governance, through the prism of Sarbanes-Oxley, is today not only a “C” level issue, but perhaps the primary issue at the board level as well. Managers and board members now see governance risk everywhere: rogue offices (Andersen), out-of-control entrepreneurism (Enron), the financial statements (WorldCom and Fannie Mae), and conflicts among different businesses (Citigroup and Merrill Lynch). Given that compliance with SOX is mandatory for public companies, how can they use the information gathered through SOX compliance to proactively address these corporate governance risks?

III. The Solution: Marrying SOX Compliance to Enterprise-Wide Risk Management

An enterprise-wide risk management (ERM) program looks at risks facing a company holistically: how they affect one another, if they have similar root causes, what their long-term effects on the whole company could potentially be, and the cost of mitigating certain risks over others. Managing enterprise-wide risk is in stark contrast to traditional piecemeal risk management techniques, which, for example, might consider the cost of insurance without really measuring how much enterprise-wide risk that insurance really deflects.

In a way, an ERM program and SOX compliance are two sides of the same coin. SOX is externally driven, focuses on the details, demands annual compliance, carries the risk of criminal punishment for corporate officers and directors, and requires documentation and confirmation that hundreds of built-in internal controls are appropriate and functioning as expected. ERM is internally driven, focuses on the big-picture risks on the horizon, and requires vision to see what the company will look like tomorrow. But SOX compliance and an ERM plan share a critical similarity: both cast their nets across an entire organization. SOX takes corporate governance risk out of the internal audit department and brings it across every functional area, while ERM takes risks out of isolated departments and analyzes them in an interrelated way throughout the organization. SOX requires that managers train their sights low enough to look for the hundreds of ways to ensure that investors don’t get blindsided, while ERM tends to look at broader, thematic risks in addition to the more granular variety.

Because both look for information across the organization, the information about a company’s controls that is gathered under SOX compliance can provide important clues regarding potential risks in the business. For example, had Arthur Andersen been mandated to compile information about its document retention policies, an ERM plan might have helped reduce the odds of running afoul of the Securities and Exchange Commission (SEC), an agency typically suspicious of massive disposal of documents. If Enron had documented its predilection for special purpose entities (SPEs), an ERM program might have helped point out just how such cutting-edge financial instruments could potentially be abused, especially in the face of a volatile energy market. The point is that nuggets of information systematically and vigorously gathered in an organization can be evaluated for long-term risk implications.

IV. Not Just a One-Way Avenue

The information gleaned from SOX compliance can shed light on long-neglected areas of the controls and help identify heretofore-unseen enterprise-wide risks. At the same time, information unearthed by an ERM program can facilitate efforts to comply with SOX. By understanding long-term business risks facing the company, managers and directors can better comply with both the letter and spirit of SOX and be much more confident that they are fulfilling their duties in this highly litigious environment. The CEO and CFO need all possible information about the business when they affix their signatures to the financial statements, misrepresentation of which is now punishable by up to 20 years in jail and $5 million in fines. If company management understands enterprise-wide threats to the business, it will also know where to invest the most employee-hours meeting SOX demands to monitor internal controls.

Directors, for their part, need information about threats facing the company in order to challenge management decisions both in the financial reporting realm, such as choosing among various accounting treatments, and in more controversial areas, such as protecting whistleblowers or deciding on a management succession plan. Directors also need information about operational, strategic, and other enterprise-wide risks to fulfill a number of good governance duties, such as fairly setting CEO compensation and approving non-audit activities by the company’s accounting firm.

A strategic ERM plan is also the most effective means of gathering, prioritizing, and communicating knowledge about corporate governance risk to stakeholders. For investors and insurance underwriters, there is improved transparency and reliable disclosure of risks, the elimination of surprises, and perhaps, the mitigation of the rising cost of insurance.

Directors and officers must realize that despite the enormous costs involved with doing the minimum, simple compliance with SOX will not create a competitive advantage or even remove the company from close regulatory observation. The SEC has broad powers to investigate even those companies that, ostensibly, are doing everything in their power to comply with SOX. This is particularly true for companies in industries that recently have been in the news, including the energy and financial service sectors. To reap any real tangible value from SOX, a company must do more than the minimum. Implementing an ERM program is much less costly (for the typical organization) than undertaking those steps necessary to merely comply with SOX. In addition, the better forecasting and transparency capabilities that result will likely be rewarded by the marketplace, justifying the cost of the entire SOX response effort.

V. Telling Your Story Through SOX and ERM

Meeting SOX guidelines produces reams of information about a company’s internal control structure. But it doesn’t provide any direction for how to use the information, other than to present it to the SEC. An ERM plan uses this information to initiate and direct risk mitigation efforts, and gives management the critical data both to communicate competitive advantages to Wall Street, investors, and other stakeholders, and to buttress a company’s position in times of crisis.

Think about it for a moment. Through SOX compliance, a company may compile data on financial risks, M&A integration issues, supply chain problems, demand shortfalls, inventory overloads, unusual accounting treatments, and offshore entities, among other things. Couple that mountain of information with recent research findings indicating that the short-term response to a crisis has an immediate impact on shareholder value and a long-term impact on brand and market share, and it’s clear that this data can be a powerful weapon when used to shape a company’s response to a crisis.

In one Oxford University study that measured the impact of various crises on shareholder value 10 days after the event, companies that responded effectively experienced a seven percent increase in shareholder value. Companies that responded ineffectively experienced a 15 percent decrease in shareholder value (and never recovered relative to the rest of the market). Companies with detailed information exposing their risk vulnerabilities will likely have a much better response when a crisis occurs. In fact, a recent trend among some companies is to “war game” certain risk scenarios in an effort to find out what kinds of unexpected events would occur. But you can’t effectively prepare for a crisis without knowing where the next likely crisis lies, and the report on internal controls that SOX demands can blaze a trail for an ERM team to follow.

Another way in which information elicited from SOX compliance can – when interpreted in the context of enterprise-wide risks – improve shareholder value is through more accurate quarterly and annual forecasts. In the past, when a company felt it was being over-valued by the market, there was little incentive to correct that impression. Today, as the marketplace rewards only those companies it perceives as publishing wholly transparent financials, there is a premium on accurate forecasting, met with numbers that have not been managed or massaged. Using information gathered during SOX can help a company make a more accurate financial forecast. Many Japanese companies effectively used this candid approach of forecasting to build consensus in order to create a competitive advantage.

VI. The Process: How SOX and ERM Can be Implemented Concurrently

An effective ERM plan delivers a proven, sustainable framework that continuously challenges management to think of risks beyond the here and now. If designed correctly, an ERM plan can be a perfect complement to the compliance-oriented efforts of SOX.

The plan should be cross-functional, company-wide, and look at all risks – tangible and intangible, existing and emerging. One of the benefits of launching an ERM program concurrently with building a structure to comply with SOX on a long-term basis is that the information-gathering goals of both initiatives are similar. Both must gather information enterprise-wide and provide a communications plan linking the board of directors, management, internal auditors, external auditors, and external stakeholders. Also, many of the control techniques that companies are using to comply with Sarbanes-Oxley – like documenting the flow of accounting information, setting up systems to ensure that financial managers are not in a position to check their own work, holding more frequent board meetings to communicate non-audit projects to the board – are some of the same techniques needed to implement enterprise risk mitigation strategies.

To best support the SOX initiative, an ERM plan should help answer these questions specifically related to SOX compliance:

• Which risks affect governance of the corporation?
• How should we manage those risks?
• How do we implement the plan?
• What metrics should be put in place to ensure we are implementing the plan?

VII. Case Study: Getting Help with SOX

One company was concerned that it did not have effective risk management policies in place that would have addressed certain Sarbanes-Oxley requirements. But it also recognized the benefits of leveraging the Sarbanes-Oxley effort to enhance overall risk management. The design and implementation of an ERM plan that gathered input from several layers of management enabled the company to:

• Develop hedging process maps to identify the needed control points for each critical risk activity;
• Evaluate risk management practices against industry competitors to develop a competitive advantage; and
• Satisfy four directives of SOX, including asserting that appropriate internal controls were in place and communicating any deficiencies in the internal controls to the audit committee and the full board.

VIII. Conclusion: The Stakes Are High

Few management teams would have chosen SOX as the mechanism to help manage enterprise-wide risk. Nevertheless, the fact remains that this ambitious law forces companies to document controls, justify the flow of information in the company, align internal audit procedures with best practices, focus on real-time reporting of numbers, implement an early-warning system to alert boards of dubious accounting methods, and make hundreds of similar efforts. All of these actions will, no doubt, improve corporate governance.

But, this information poses a challenge to management – it can either gather dust in annual reports and presentations to the board or it can, through a rigorous ERM plan, help a company mitigate risk and perform more effectively – turning lemons into lemonade.


Copyright © 2004 Marsh Inc.