Compliance Overload Drives Interest in ERM
Regulatory scrutiny and mounting compliance costs are motivating some business leaders to consider whether ERM can reduce compliance costs over time, improve operational performance, enhance corporate governance, and deliver greater shareholder value.
By Rick Julien, CIA, CPA, and Larry Rieger, CPA
Crowe Chizek and Co. LLC
Enterprise risk management (ERM) has been widely discussed by organizations' management, boards, and auditors for more than a decade, but implementation has been embraced sporadically, at best. In the past 10 years, corporate interest in ERM was often driven by intellectual curiosity or internal audit experimentation. Many corporations now realize ERM provides a solid foundation upon which they can enhance corporate governance and deliver greater shareholder value. Few attempts at implementation, however, have come close to fully achieving these objectives.
Many organizations that launched ERM initiatives began by assessing and roughly quantifying risks across their enterprises. Unfortunately, most of these earlier efforts did not progress to aggregating risks, creating formal strategies, or implementing plans to address the risks. Even fewer went on to develop frameworks to test for risk or take corrective action. However, now that publicly held companies in the United States must comply with heightened corporate governance legislation, some business executives have begun to push their organizations to solve problems and derive greater value from the substantial investments in compliance and control activities.
The more visionary corporations understand that ERM is a logical and strategic step to reducing total compliance costs over time. By focusing on the hindrances that hamstring a company's ability to achieve its business objectives, ERM provides a framework for managing risks to improve performance. It, therefore, serves as an essential building block to strengthen corporate governance and deliver greater shareholder value.
Interest in ERM has built slowly since the mid-1990s, when the Economist Intelligence Unit — a business research and advisory firm — created its extensive ERM framework. After the new millennium ushered in a wave of corporate scandals and large-scale business failures, the U.S. Sarbanes-Oxley Act of 2002 was enacted to improve the accuracy of financial reporting, strengthen internal accounting and reporting controls, and upgrade corporate governance. More importantly, although Sarbanes-Oxley did not mandate ERM, it validated its value and elevated its prominence in business planning.
Section 404 of Sarbanes-Oxley requires that companies use a suitable, recognized control framework for evaluating the effectiveness of internal controls. Currently, most U.S. companies use the internal control framework developed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Although COSO's model has been around for the past 15 years, it has only recently become more than a buzzword in boardrooms.
The COSO internal control model (Figure 1) looks like a cube, with five rows: Monitoring, Information and Communication, Control Activities, Risk Assessment, and Control Environment. On the top side of the cube are three rows: Operations, Financial Reporting, and Compliance. On another side are two Activity columns and two Unit columns.
Figure 1: COSO Internal Control Framework
The draft of an emerging ERM cube (Figure 2) adds a fourth category, Strategy, to the top three rows of the internal control cube, then rotates the cube to rest on a different side. On the other side of the cube are three additional rows: Risk Response, Event Identification, and Objective Setting — sandwiched between Risk Assessment and Control Environment.
Figure 2: COSO ERM Framework
NOT A QUICK FIX
The COSO cube is not a simple concept to grasp or implement. The problem for new ERM recruits is the perceived lack of a common point of focus and of a shared understanding of the different compliance costs and how they relate to one another. All of the components, rows, and columns seem equally important. Where does an organization start? How does the process flow? Because the ERM framework adds more rows and columns, even more puzzling questions naturally arise.
Coming up with a plan for how ERM will be kneaded into an organization's processes can be as daunting as creating a visual model. However, both of these steps are critical in the initial stages of ERM delivery. A comprehensive management approach that covers the entire organization's ERM strategy is not a quick fix and cannot become just another item on management's checklist. Just as quality must be assured at each step in manufacturing an excellent automobile, risk management must be intrinsically woven into each business process in order for ERM to add value.
Similarly, in the same way automobile manufacturers realize it is not cost-efficient to inspect their products at the end of the line and then recall, repair, and reinspect them, shrewd companies understand it is not prudent to treat risk management as an afterthought — considered at the end of each quarter or, worse, each year. Risk management, like manufacturing quality, must be built into everyday business processes.
EVOLUTION OF ERM
Organizations often experience an evolutionary process as they progress along their ERM journey. This process consists of five levels:
- Level One: basic compliance with governing regulations using checklists
- Level Two: control focus in which a set of internal audit checklists act as oversight for various departments
- Level Three: process approach to risk management that breaks through a narrow silo view of risk and encourages activity mapping across departments
- Level Four: a common risk language and prioritization of internal audit and compliance efforts based on risk
- Level Five: holistic approach to risk that ties risk review to strategy and builds risk management into daily business processes
Many organizations plateau at Level Three because Sarbanes-Oxley doesn't mandate greater scrutiny over operational or legal-compliance controls. The focus of Section 404 is narrow and confined to internal controls over financial reporting. Even though Sarbanes-Oxley does not require firms to do more, risk-savvy firms are turning their attention more and more to the business processes that support the financials and are using this knowledge to improve many of their risk-management initiatives. Level Five, of course, represents an entity-wide, fully mature integration of ERM.
Every company sits at a different position along the curve moving upward toward Level Five. Few firms have reached this pinnacle level of implementation. Even so, all companies complying with Section 404 should begin to consider going beyond simple compliance to answer the question, "How do we turn compliance costs into a competitive advantage?" Companies that plan strategically can leverage the required Sarbanes-Oxley compliance costs to become stronger competitively.
Consider a simple example in which ERM is applied to corporate governance: the systems and processes an organization uses to protect the interests of its diverse shareholders. The ideal form of corporate governance addresses the needs of all stakeholders — shareholders, employees, customers, lenders, vendors, and the community — because all share a common interest in the successful perpetuation of the entity. Astute business leaders recognize that satisfying stakeholders' interests is vital to sustaining the organization in the long run and enabling it to prosper over time.
ERM enters the picture because good corporate governance requires judicious risk-taking, which would include:
- Establishing the proper infrastructure to identify, source, and measure risks using common risk frameworks.
- Monitoring risks with the right processes.
- Ensuring management has a comprehensive understanding of how to manage those risks.
- Learning to take intelligent risk because without risk, there is no reward.
Many companies are still doing the minimum to manage the additional costs of compliance mandated by Sarbanes-Oxley. However, by thinking strategically about risk management and managing their overall costs of compliance, company leaders can maximize the value of their compliance investments. Initiatives to implement ERM and strengthen corporate governance help set the tone at the top in organizations — one that is frequently reflected in the bottom line.
Rick Julien, CIA, CPA, and Lawrence A. Rieger, CPA, are executives in Crowe Chizek and Company LLC's corporate governance and internal auditing practice, based in Oak Brook, Ill.
Julien has more than 25 years' experience in operational and information technology auditing, working with the Arthur Andersen accounting firm and as internal audit manager for Carolina Power and Light. Julien, who currently works with clients on Sarbanes-Oxley requirements, has authored several articles and has spoken at conferences on corporate governance, Sarbanes-Oxley requirements, strategic outsourcing, and internal audit benchmarking and best practices.
Rieger has more than 30 years of public accounting experience, working primarily with the financial markets, energy, telecommunications, and manufacturing industries. Formerly the head of internal audit services at Arthur Andersen, Rieger has led internal audit projects for both start-up and Fortune 500 companies. He is an active member, and a former board of governors member, of The IIA's Detroit chapter.