Companies can turn their Sarbanes-Oxley compliance effort into a competitive weapon by merging it with an enterprisewide approach to risk management.
As companies scramble to meet the next round of deadlines for compliance with the Sarbanes-Oxley Act, perhaps the last thing on most CFOs' minds is their organization's enterprise risk management (ERM) program. And that's unfortunate, for a simple reason: By leveraging their compliance efforts and investments to enhance ERM, finance executives can wrest considerable value from a complex, expensive and mandatory process that many companies have resented ever since the act was signed into law.
When you think about it, Sarbanes-Oxley compliance initiatives and ERM are natural allies. Compliance is all about documenting, testing and strengthening internal controls -- in essence, creating procedures to identify and mitigate corporate governance-related risk.
"About 35 percent of Sarbanes-Oxley compliance is ERM," observes Phil Strand, global strategist and program director, corporate governance and financial intelligence, with SAS Institute, an enterprise software provider based in Cary, N.C. "Companies need to be able to measure risks that are material to the business." Dean Gardner, a Portland, Ore.-based partner with professional services provider Tatum Partners, agrees. "Many of the controls being documented and tested for compliance fall under the ERM umbrella," he says.
Gardner points out another reason Sarbanes-Oxley compliance should be considered in light of the organization's ERM framework. "Everyone is treating Sarbanes-Oxley compliance as a project," he notes, "when, in fact, Sarbanes-Oxley compliance must stop being a project and become part of a company's day-to-day activities." Integrating their compliance effort with an enterprisewide approach to risk management helps organizations embed compliance activities within their core business processes.
This approach also enables finance executives to manage risks more effectively and make more informed strategic risk decisions. The data that compliance activities generate is an invaluable resource for an ERM program. By leveraging that information, companies can identify areas in which taking on additional risk makes sense -- and those in which their current exposure yields no competitive advantage.
The People Element
Most companies are responding to the Sarbanes-Oxley compliance challenge by extending risk-related responsibilities to managers and employees throughout the organization. "Because of Sarbanes-Oxley compliance, companies are showing more willingness to budget people into the risk umbrella," says Christopher Hamilton, senior vice president and a managing director with BearingPoint Inc. in New York City. "New people are being assigned to the line -- or geographically -- to be responsible for risk."
Sarbanes-Oxley requires companies to examine their business subprocesses in granular detail, so "many of the people involved [in compliance activities] are not financial people," Gardner points out. "This is a companywide project, not a finance project." He notes that "process owners must test their controls and report their findings on a quarterly basis." Workers in a wide range of functions -- internal controls, production controls, sales and marketing, engineering, and purchasing, to name a few -- are gaining valuable experience in key aspects of compliance.
That growing body of expertise is a robust risk management resource. "These people have great insight into data collection in the organization," says Bill Spinard, Washington, D.C.-based senior vice president of Marsh Inc. "They know what pieces of information exist about risk because they have been intimately involved in Sarbanes-Oxley compliance." They can help companies improve an array of ERM processes, from developing risk definitions to determining an appropriate level of exposure in specific operations.
The key to harnessing employees' compliance expertise lies in clearly defining responsibilities for monitoring risk. That's true even at the highest levels of the organization. In many companies, the buck for Sarbanes-Oxley compliance and ERM stops on the CFO's desk. However, many risks are technology-driven, and the CIO -- whose job it is to implement data controls and monitor the company's technology infrastructure -- often develops valuable insights into critical exposures. That makes the CIO a key player in the organization's compliance and ERM programs.
The same is true of other senior executives. Says Hamilton: "The best practice is to have broader risk committees that include the chief administrative officer, chief security officer and chief marketing officer to ensure that all aspects of the business are represented during this process and to make sure all risk activities are coordinated."
An Overarching Framework
Coordinating risk activities enterprisewide is a key goal at TriQuint Semiconductor Inc., a Hillsboro, Ore.-based supplier of communications components and modules. The company is working hard to extend its risk management capabilities and to integrate its ERM program with its Sarbanes-Oxley compliance initiative. As part of its compliance effort, TriQuint is conducting a risk assessment of all the business processes that affect its balance sheet and income statement. That evaluation is helping the company uncover hidden exposures and establish control points for risk across its five divisions.
TriQuint sees its Sarbanes-Oxley compliance program as an opportunity to document its business practices and establish a consistent, enterprisewide risk management culture and terminology. Those activities are essential components of a successful ERM program.
Before the company launched its compliance drive, its risk management efforts were functionally driven and lacked an overarching framework. For example, TriQuint had separate programs to ensure compliance with International Organization for Standardization (ISO) requirements, environmental health and safety laws, HR and tax legislation, and SEC regulations. The company also lacked an integrated view of its insurance programs. As its Sarbanes-Oxley compliance effort progresses, however, TriQuint is combining these functions and creating a more comprehensive, more coordinated risk management system.
"Meshing compliance with ERM really involves communication," says Stephanie Welty, vice president of finance. "Our compliance work is largely a matter of understanding what we are currently doing in all of these areas and documenting those efforts in a central database. We are using a Web-based tool that allows us to use hyperlinks to existing systems."
Working toward combined compliance and risk management goals has not disrupted TriQuint's day-to-day business procedures. The most visible change is a new internal audit function that focuses on areas not covered by the company's ISO program. (TriQuint has conducted internal audits for ISO compliance for many years.)
The company is also taking steps to tie its risk management practices more closely to its financial reporting. "The individuals driving various risk management efforts are gaining a better understanding of how their efforts relate to financial reporting and the health of the organization," says Welty. "Sarbanes-Oxley compliance has brought a sense of urgency to getting certain issues resolved that we were working on anyway."
Holistic View of Global Risks
Perhaps the most prominent benefit of TriQuint's combined Sarbanes-Oxley and ERM efforts is the new insight the company has into risks in the businesses it acquires. TriQuint has made several acquisitions in recent years, and some of those businesses have operations outside the United States. The company views its compliance program as an outstanding opportunity to identify and discuss the risks those operations face, including exposures related to specific cultural and regulatory environments. "Sarbanes-Oxley compliance has been a boon because it has given us a reason and the urgency to talk about these issues," says Welty.
Effective ERM requires companies to adopt a consistent approach to key risk factors across the enterprise portfolio. That's often a challenging task, particularly when, in the wake of multiple acquisitions, an organization takes over a variety of new -- and perhaps unfamiliar -- business processes. For example, the operations, logistics and administrative expertise of TriQuint's recently acquired optoelectronics enterprise are very different from those of the company's core semiconductor manufacturing operation.
TriQuint's compliance effort has enabled it to integrate its acquisitions more fully, according to Welty. "Sarbanes-Oxley compliance is really a vehicle to integrate process and culture, which we were unable to do during the first round of effort," she explains. "Because we made several acquisitions in a series, we handled them in a minimalistic way to get them going. But now we are looking at business process and cultural issues."
That includes looking at ways to make ERM more effective. It also involves identifying best practices in the newly acquired operations to determine whether those procedures can profitably be transferred to other parts of the business.
Once TriQuint's Sarbanes-Oxley compliance regime is finalized, Welty expects to look back at these efforts and see that they have made the company more efficient. "We have already demonstrated that [increased efficiency] with some of our initial operational reviews, by streamlining processes and eliminating unnecessary or redundant steps," she reports.
The Competitive Advantage
As ERM delivers a comprehensive view into more and more companies' most critical exposures, TriQuint's approach to merging risk management and compliance becomes increasingly appealing.
Organizations are pouring enormous amounts of money into their compliance programs, and "CFOs are under tremendous pressure to get something more out of all this than a Sarbanes-Oxley compliance report," notes Marsh's Spinard. "By using the information resulting from Sarbanes-Oxley compliance to take smarter risks, companies can begin to use Sarbanes-Oxley compliance as a competitive weapon. Companies see the financial stake they have in Sarbanes-Oxley compliance and realize that they would be foolish not to leverage this."
In addition to capitalizing on their employees' knowledge and experience, companies can call on the full spectrum of their Sarbanes-Oxley compliance investments -- including data collection systems, survey tools, scenario assessments and software assets -- to enhance their ERM program. They can use these resources to aggregate data, identify key risk indicators and evaluate risk management processes.
"This is a different twist to existing data," notes Spinard. "Most companies will have an enormously rich database that can be mined to support [their ERM] efforts."
As they capitalize on these assets, organizations should also exploit the opportunity to review their risk categories and specify a consistent terminology to describe and communicate risk. The human resources risk category, for example, breaks down into at least 100 subcategories, each of which should be clearly distinguished from the others. Establishing a companywide risk vocabulary clarifies and enhances the organization's risk management best practices efforts.
Companies that leverage their compliance investments to boost their ERM capabilities will have much more to show for their hard work than just a rubber stamp from the SEC. But if compliance efforts enhance ERM, the reverse is true, too. BearingPoint's Hamilton points out that, in general, "regulation causes reactive control rather than proactive management of the business." Perhaps ERM's most important contribution to Sarbanes-Oxley compliance programs lies in helping organizations take a proactive approach to the issues that the law targets.
How To Integrate Compliance With ERM
By integrating their Sarbanes-Oxley compliance effort with their enterprise risk management (ERM) program, companies can squeeze more value out of compliance activities and investments. They can achieve that goal by taking the following five steps: