How Compliance Became an ERM Trigger

September 11, 2007

by The Editors

James Roth, president of AuditTrends, LLC in Hastings, Minn., has spent the past 13 years researching internal audit best practices. His findings appear in several Institute of Internal Auditors (IIA) publications, including, most recently, "Four Approaches to Enterprise Risk Management ... and Opportunities in Sarbanes-Oxley Compliance" (IIA Research Foundation, 2007).

Business Finance recently caught up with Roth to hear his insights on the degree to which U.S. publicly listed companies are building upon existing compliance efforts to achieve greater benefits.

Business Finance: Are U.S. companies, mainly accelerated filers, seeking to use their Sarbanes-Oxley compliance efforts as a stepping stone to implement enterprise risk management (ERM) or formal governance, risk management and compliance (GRC) programs?

Roth: In the survey [of internal audit executives] we did for "Four Approaches," 76 percent of respondents said they either intend to expand SOX compliance into ERM or are in some stage of implementation. However, when we talked with a few who said they had fully implemented this expansion, we found that SOX and ERM were totally separate initiatives. We didn't find anyone [two years ago] that had actually expanded SOX into ERM. I think this is because the non-risk-based approach to SOX that has generally been taken to date is not really consistent with ERM or GRC. I believe, though, that SOX has opened the door to ERM and GRC by raising the profile of governance, risk, and compliance with boards and executives.

BF: What steps do companies take when opting to do so?

Roth: I've seen a couple of good plans, although we couldn't find an organization that had really done it yet. These plans were developed by researching the topic. Several consulting firms have written good theoretical overviews on how to go about doing this. None of these will fit an organization perfectly, but they are good sources of ideas. ... An organization has to identify one person who will devote a good deal of time to this research, then work with management to develop a concrete picture of what ERM or GRC will be and how it will work within their organization. Then go back to the SOX work and see what you can draw from it. There may, however, be risk management, compliance, self-assessment, or other activities in place that turn out to be more helpful in getting you where you want to go than SOX compliance. And a related tip: If SOX compliance is used as a foundation for ERM or GRC, it might be wise not to emphasize the link with middle management. In most organizations, SOX compliance is viewed as a waste of time (and it has largely been that, due to the mistaken way it has been implemented).

BF: Does technology aid these companies in their quest to strengthen GRC and/or ERM capabilities?

Roth: Technology will be essential to pull everything done throughout the organization together into a meaningful whole that creates a clear picture for top management and the Board (i.e., the portfolio view of risk). This means a single, integrated software package... One caveat, though: I had a good CRO in a seminar once who said when he took the job he thought his first decision would be selecting the software. "I now realize it's my last decision," he told me. Don't let the software drive how you do risk management. Do it with Word and Excel until you find the terminology and analytical techniques that your managers understand intuitively. Once you've got the process down, then find the software that most closely fits your process and can be modified to fit it well.