When Countrywide Financial Corp. recently borrowed $11.5 billion from 40 banks, it may not have appeared to be fodder for a case study on effective enterprise risk management.

Nonetheless, if the mortgage lender survives its recent life-threatening spiral, the company's ERM credentials may enjoy some added luster. Analysts familiar with Countrywide's business are quick to observe that its subprime entanglements would have been nothing less than a death blow to a less risk-averse lender.

For its part, Countrywide had established an integrated-risk framework that had begun to be viewed as the next level of capability by companies that are today confronting a pivotal question as their Sarbanes-Oxley compliance processes mature: Is this the end or just the beginning?

Just ask Citigroup, which was taken to task in The New York Times earlier this year for a cost-cutting initiative that chopped legal and compliance positions three years after the financial services giant had bolstered those positions in the wake of several scandals. Citigroup characterized the cuts as a means of optimizing a compliance structure that may have been hindering the company's agility. The purpose of the cuts, a spokesperson emphasized, was to maximize efficiency while maintaining compliance effectiveness.

Citigroup is hardly alone. Stephen Wagner, managing partner of Deloitte & Touche LLP's U.S. Center for Corporate Governance in New York, witnessed one client organization reach a similar conclusion. The company concluded a "Herculean effort" to strengthen the effectiveness and efficiency of its control activities surrounding financial reporting. By doing so, the firm greatly reduced its reliance on external consultants assisting with Section 404 compliance, trimmed internal compliance positions, and returned the bulk of its internal auditing staff to focus on operational audits. "At this point, they've basically said, 'We're done,'" Wagner reports. "They are not looking to take it to the next level."

Greg Pitzer, national managing principal for Grant Thornton's business advisory services group in Los Angeles, reports that many companies are saying, "We're in our third or fourth year of Sarbanes compliance and we've cut our audit fees by 10 or 15 percent. Guess what? We're done." Executive teams at other companies, however, view the "we're done" conclusion as too much of a checklist mentality -- and a squandered opportunity for both cost reduction and process improvement.

These companies, whose ranks appear to be growing, intend to take Sarbanes-Oxley compliance to the next level -- either by leveraging these processes to build enterprise risk management (ERM) capabilities or by developing a more integrated approach to managing discrete governance, risk management, and compliance (GRC) activities throughout the enterprise. This was the case at Countrywide, where the lender had only recently expanded its sophisticated ERM program to cover Basel II and Sarbanes-Oxley compliance.

In a survey of 359 internal audit executives and managers by Hastings, Minn.-based AuditTrends LLC, 76 percent of respondents reported that they intended to expand Sarbanes-Oxley compliance into enterprise risk management or were already in the process of doing so. More than 90 percent of the 250 executives who responded to a July 2007 Open Compliance and Ethics Group (OCEG) survey indicated that their organizations should adopt a "consistent approach or methodology for similar activities in governance, risk, and compliance."

Making good on those intentions is challenging, of course. A large number of respondents to both surveys indicated that their organizations have yet to put their plans into practice. Only 25 percent of the IIA survey respondents were in the process of implementing ERM, and only 16 percent of the OCEG survey respondents characterized their current GRC processes as "integrated" or "highly integrated." Furthermore, even the most robust GRC or ERM structure does not guarantee a fail-safe defense against all risks, as Countrywide Financial Corporation -- an early leader in blending enterprise risk assessment and Sarbanes-Oxley compliance processes -- discovered when investor confidence plummeted as a result of faulty home loans.

However, the short- and long-term benefits of an integrated, program-based approach to governance, risk management, and compliance processes appear to outweigh implementation challenges and the immediate relief of post-Sarbanes fatigue. Another of Wagner's clients is in the process of applying its most effective Sarbanes-Oxley processes and lessons to other compliance initiatives. Doing so already has caused those responsible for governance within the company, Wagner says, "to breathe a bigger sigh of relief. They believe that they will truly have a handle on all of their compliance and risk management activities."

Progressing from Project to Program

More effective risk oversight represents one benefit: There are also more immediate opportunities for cost savings. Of the 91 percent of OCEG survey respondents whose companies intend to develop integrated GRC capabilities, 71 percent reported that the impetus for doing so was the increased cost of general operating expenses (associated with fragmented GRC processes), while 69 percent of respondents cited the high cost of reconciling disparate GRC information from throughout the organization.

These drivers are not new -- nor is the idea that Sarbanes-Oxley compliance processes and insights can be expanded to strengthen other GRC processes. Wagner and his team began discussing the importance of taking a more integrated approach to compliance three years ago. "Despite our urgings, the vast majority of companies really did not have the ability to do that because they were rushing toward the finish line in terms of SOX and, more specifically, Section 404," he reflects. "It just was impractical for them to embrace the notion of a program at that point."

Mitchell agrees. "When somebody is having a heart attack, it's not the best time to talk to them about diet and health," he notes. "You wait until they've left the emergency room."

It appears that most accelerated filers have now left the emergency room, albeit with a few complications, such as the Public Company Accounting Oversight Board's publication of Auditing Standard 5 (AS5) and the SEC's related guidance earlier this year.

While AS5 directs external auditors to use a risk-based approach in their review of financial reporting controls and empowers them to rely on the work of others (e.g., internal auditors, finance executives, and process owners within client companies), it remains to be seen exactly how external auditors will apply that direction in practice.

"Companies need to see how AS5 will create changes from an audit perspective," Pitzer reports. "And this impact will help companies determine the extent that they may want to move toward ERM or GRC in a given year."

This wrinkle notwithstanding, other enabling components appear to be falling into place to fuel more beyond-Sarbanes GRC and ERM developments.

For example, the latest benchmark survey from KPMG's 404 Institute suggests that a growing number of companies (among the 900 that participated in the survey) are embedding Sarbanes-Oxley compliance processes deeper into business units, taking a broader view of risk, fostering more effective collaboration between compliance functions and business units, and using internal audit more strategically (i.e., less on testing and more on assisting process owners with self-assessments).

A recent global IIA study on the internal audit profession indicates that internal auditors will be more involved in risk management and governance over the next three years. The IIA has provided guidance on the top-down, risk-based approach outlined in AS5 and has weighed in on the issue with outreach to the SEC and PCAOB regarding how SOX compliance could be modified while still efficiently serving its original intent. 

"Because these regulations aren't going away anytime soon, if ever, the IIA sees internal auditors increasingly leveraging their compliance work in order to ensure and add value to a robust ERM scope," notes IIA Chief Advocacy Officer Dominique Vincenti.

Distinguishing Characteristics

Although more companies are prepared to build upon existing compliance capabilities to develop more integrated GRC capabilities, not all of these companies will take advantage of the opportunity. Those that do, according to researchers and consultants familiar with these efforts, tend to possess the following characteristics:

Commitment at the top: AuditTrends LLC President James Roth believes that SOX has opened the door to ERM and GRC by raising the profile of governance, risk, and compliance among executives and their boards of directors. "When their interest is genuine, the organization can move forward [with developing GRC or ERM capabilities]," Roth explains. "If they see efforts in these areas as getting in the way of producing product and serving customers, then they will choose to pull back."

Highly regulated lineages: Companies in financial services, health care, energy, and other highly regulated industries tend to have more experience with compliance processes and a greater number of discrete compliance projects throughout the enterprise; both qualities represent significant drivers of a more integrated and standardized approach. Countrywide, for example, is regulated by nearly 40 state, federal, and international entities.

Track records as leaders: Wagner reports that the early adopters tend to dominate their sectors. "It's in their DNA to push the envelope to improve their approach to virtually everything they do," he notes. Mitchell reports that early adopters of GRC also were early adopters of business process improvement and performance measurement methodologies such as the balanced scorecard. "They are the companies that treated Sarbanes-Oxley as a wake-up call," he explains. "They said, 'Wait a minute, if we respond to this type of regulation by running around in circles and barely catching our breath, that's not a sustainable model. The chance of there being more rather than fewer of these regulations in the future is higher. Why shouldn't we take a look at the full portfolio of governance, risk management, and compliance issues that we may have to deal with?'"

Strategic finance functions: "Companies that get this," says Dallas-based Steven Hill, KPMG LLP national principal-in-charge of services, possess finance executives who "tend to look beyond the four walls of finance" for ways to make the closing process more effective and, especially, more efficient. These finance functions spend less time collecting, consolidating, testing, and cleansing data, and more time analyzing the information to sniff out ways to add value through better forecasts. These finance functions also tend to have developed more collaborative relationships with business units and other back-office functions and have more time and flexibility to allot to ERM and GRC initiatives.

Central intelligence, local execution: Early adopters of a more integrated approach to GRC also tend to possess internal audit departments that operate more strategically -- by focusing less on compliance testing and more on enabling various areas of the business to conduct their own monitoring and self-assessments. "They are not operating a huge police force, if you will, tasked with checking up on things and testing. They work to distribute their compliance program into the business and then standardize those processes. They maintain central [compliance and risk] intelligence but execute [compliance and risk management] locally. … When you look closely at these companies, you see more people involved in compliance discussions and activities, but those responsibilities consume less time," Hill says.

Internal controls advantages: Hill also reports that early adopters tend to have a higher percentage of automated controls than manual controls in their portfolio of internal controls. They also tend to have a greater percentage of preventive controls than their competitors, who rely to a greater degree on detective controls.

Perhaps most important, companies that have chosen to build upon existing compliance capabilities to strengthen processes throughout the enterprise ask a very specific question and then draw the same conclusion. "Imagine a company that one day woke up and discovered that their customer satisfaction in a single line of business was just abominable," says Mitchell. "It would probably force them to look at how they treat their customers across the board, not just in that business unit. They would ask: Is there some way that we can look across our enterprise at how we can handle customers better?"

Countrywide Poses the Question With a GRC Twist

When Countrywide asked the risk-management equivalent of this question in 2002, the answer hatched an ERM program the financial services company, which focuses primarily on mortgage lending, describes as "enterprise risk assessment" or "ERA."

The program represents a comprehensive framework that combines people (an ERM division of experts, an executive strategy committee, and newly defined strategic risk management responsibilities at nearly every level of the organization), processes (risk assessment and reporting methodologies), and homegrown technology to constantly funnel crucial compliance, risk, and governance information up through the organization to the board of directors. Although Countrywide's effort did not "build off of" Sarbanes-Oxley compliance processes and insights (the ERA initiative's gestation predated Sarbanes), Sarbanes-related processes, risks, and controls are now monitored within the ERA technology -- the "Countrywide Organizational Risk Assessment Database (CORAD)" -- and additional ERA-Sarbanes (as well as ERA-Basel II) integration is proceeding.

The entire program is detailed in a 41-page chapter of James Roth's Four Approaches to Enterprise Risk Management … and Opportunities in Sarbanes-Oxley Compliance (IIA Research Foundation, 2007). When Roth, who has researched internal audit best practices for the past 13 years, set out two years ago to study companies that built upon existing compliance activities to develop ERM capabilities, he and his team came up empty.

However, he indicates that more companies are considering progressing from Sarbanes compliance to GRC or ERM now that the SEC and PCAOB have clarified the importance of risk-based Sarbanes compliance. Roth points to Countrywide's approach -- "developed separately from Sarbanes-Oxley but now coming together" -- as a worthy model for several reasons, including the fact that the company views enterprise risk management as a competitive advantage and the fact that the program has resulted in substantial premium reductions from the company's insurers.

"They've certainly been hurt by the current problems with subprime loans," Roth notes, "but not as much as you might expect, perhaps due to investor confidence that they are better able to manage the situation than others."

This management capability covers strategic, credit, operational, and market risk. These risks are identified, categorized, documented, and monitored by managers throughout the organization, and in most cases the internal controls related to them are tested as well. Risks are categorized in numerous ways: by impact and likelihood, as well as by the degree to which each risk relates to the achievement of strategic objectives, the complexity of the risk, and the potential material impact of the risk (if it were to occur). This information is collected at the point in the business where the risk resides and fed into CORAD, where it is stored centrally (and available in a dashboard interface for reporting purposes), in much the same way that financial data is consolidated in a company.

"Central to strategic risk management is the alignment of objectives top-down and across the organization to support the strategic plan," Roth notes.

Countrywide achieved this alignment through a series of major changes to roles, processes, and technology. While each of these categories contains useful insights for companies intent on developing ERM (or GRC) programs, the organizational structural changes best illustrate the enterprise-wide coordination these programs require. This three-year effort included a review of more than 100 governance-related committees within the organization. The analysis included a simultaneous benchmarking of the governance structures at 10 peer companies, which helped to restructure the company's entire governance structure from the board down to the executive level to the operational level. New committees were formed; for example, the finance and credit committee of the board, which previously existed as a single entity, was split into two committees to help the company focus more on credit risk.

Sarbanes-Oxley compliance integrates with ERA in the CORAD application. Roth reports that the system can upload all Sarbanes-Oxley-related processes (and their related risks and internal controls). Process owners can also identify whether the control is a key control and whether a test plan exists for the key control.

Countrywide integrated Sarbanes compliance with its ERA program after the fact. Other companies still in the GRC or ERM planning stages may soon find that their Sarbanes-Oxley compliance processes are better starting points thanks to AS5, which formally replaces the "all-controls-are-equal" mind-set that initially dominated Sarbanes compliance efforts and external audits with the risk-based approach that defines ERM and GRC. In other words, no matter what Countrywide's fate may be, a new era of integrated, cost-efficient, effective, and strategic compliance and risk management may be just beginning.

Now hear Eric Krell talk to Jack Sweeney, editor-in-chief of Business Finance, about how companies are charting the world beyond SOX. www.bfmag.com (Sept. 20, 2007)