When SOX meets ERM

When Deborah F. Kretchmar, audit director of Horace Mann Cos., flipped through the introduction of Four Approaches to Enterprise Risk Management ... and Opportunities in Sarbanes-Oxley Compliance, she knew she had to have it. "I bought the book because my company is looking at enterprise risk management and thinking about developing a more formal process for it," Kretchmar said. "We have informal processes, but S&P and Moody's are very interested in seeing us move toward a more formal process that they can place more reliance on."

What impressed Kretchmar was the book's promise that developing an ERM process does not have to be hugely expensive. By understanding how ERM works and what its best practices are, a company can take a cost-effective approach tailored to its own needs.

"It doesn't have to be a huge outlay of money," Kretchmar said. "More important is the thought process behind it and how it's ultimately used."

Dr. James P. Roth, president of the consulting firm Audit Trends and author of Four Approaches, as well as of an earlier research study on implementing the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), said that when he began his research he was looking for clear and direct ways to use the process and tools of SOX Section 404 on internal controls to develop ERM processes.

But as he began to talk with companies that had developed ERM, he found that they were complying with Section 404 in one way, but developing ERM in another.

"What we found is not exactly what we expected to find," Roth explained. "We still believe that compliance can be a stepping stone to ERM, but not in the way or to the extent we anticipated."

The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. ERM enables management to deal with uncertainty and the associated risk and opportunity, thereby enhancing the entity's capacity to build value.

COSO's Internal Control Integrated Framework has become the de facto benchmark for internal control, and management accountants, internal auditors and external auditors have all struggled to meet its criteria in complying with Section 404. COSO's later Enterprise Risk Management Integrated Framework builds on that internal control framework.

Michelle Scott, director of research and analysis at the Institute of Internal Auditors Research Foundation, which published the book, said that the topic was high on its priority list. "The marketplace was calling for practical ways to implement the COSO ERM framework," Scott said. "We thought it was very important to give practitioners information on how they can actually apply the ERM framework, because it is very conceptual."

As Roth tried to "reverse engineer" the development of ERM programs to see how they had been expanded from COSO compliance, he found out how different the two processes actually are.

"If you try to follow the COSO framework as a how-to guide, you're going to put a lot of resources into a project where people don't realize why they're doing what they're doing, and they do it just to comply," Roth said. "The important thing about ERM is that it has to be embedded in the corporate culture. Every manager has to think like a risk manager, take risk into consideration for every decision they make, and somehow get a handle on the bigger picture and pull it all together. But you don't have to go into a ridiculous amount of detail to do that."

Roth also found that COSO implies that internal control is just a matter of policies and procedures. ERM, on the other hand, should deal more broadly with the control environment, the corporate culture, the ethical climate, and such "soft controls" as intangibles, leadership and the "tone at the top."

According to the book, the right way to implement a conceptual framework is to internalize the key concepts, translate them into your organization's language, and apply them in a way that fits your organization's culture.

The key concepts, according to the book, are that risk management must be embedded in the corporate culture; must be applied throughout the organization and cover all categories of objectives and risks; and must provide an entity-level portfolio view of risk that is compared with the organization's overall risk appetite and used in strategic planning.

The book points out some of the ERM opportunities that SOX has created. Essentially, they all come down to one thing: the law has inspired widespread concern about internal control. The book warns, however, that since "operating managers correctly perceive that [much of the compliance process] has been a waste of their valuable time," any linking of ERM with Section 404 "will not generate enthusiasm for ERM."

Copies of Four Approaches to Enterprise Risk Management ... and Opportunities in Sarbanes-Oxley Compliance are available online through the IIA at www.theiia.org.

MORE FROM ACCOUNTING TODAY