When ERM Meets SOX

April 1, 2004

by Joanne Sammer

Companies can turn their Sarbanes-Oxley compliance effort into a competitive weapon by merging it with an enterprisewide approach to risk management.

As companies scramble to meet the next round of deadlines for compliance with the Sarbanes-Oxley Act, perhaps the last thing on most CFOs' minds is their organization's enterprise risk management (ERM) program. And that's unfortunate, for a simple reason: By leveraging their compliance efforts and investments to enhance ERM, finance executives can wrest considerable value from a complex, expensive and mandatory process that many companies have resented ever since the act was signed into law.

When you think about it, Sarbanes-Oxley compliance initiatives and ERM are natural allies. Compliance is all about documenting, testing and strengthening internal controls -- in essence, creating procedures to identify and mitigate corporate governance-related risk.

"About 35 percent of Sarbanes-Oxley compliance is ERM," observes Phil Strand, global strategist and program director, corporate governance and financial intelligence, with SAS Institute, an enterprise software provider based in Cary, N.C. "Companies need to be able to measure risks that are material to the business." Dean Gardner, a Portland, Ore.-based partner with professional services provider Tatum Partners, agrees. "Many of the controls being documented and tested for compliance fall under the ERM umbrella," he says.

Gardner points out another reason Sarbanes-Oxley compliance should be considered in light of the organization's ERM framework. "Everyone is treating Sarbanes-Oxley compliance as a project," he notes, "when, in fact, Sarbanes-Oxley compliance must stop being a project and become part of a company's day-to-day activities." Integrating their compliance effort with an enterprisewide approach to risk management helps organizations embed compliance activities within their core business processes.

This approach also enables finance executives to manage risks more effectively and make more informed strategic risk decisions. The data that compliance activities generate is an invaluable resource for an ERM program. By leveraging that information, companies can identify areas in which taking on additional risk makes sense -- and those in which their current exposure yields no competitive advantage.

When ERM Meets SOX

It is powerful. Once such a determination is arrived at, go out to collect. There will be a positive response.