Integrating SOX and ERM: Truths and Myths
Originally Published: April 01, 2007
Currently, the majority of businesses treat compliance and ERM management as separate processes. One reason for the separation is that organizations were not initially using a risk-based approach to meet compliance requirements. Management was more concerned with the transparency of financial reports and with satisfying external auditors. The PCAOB's initial focus on testing and documenting control procedures steered management away from a risk-based approach. At the end of 2006, the SEC and PCAOB issued proposals to replace Auditing Standard No. 2, which many argued discouraged a risk-based approach to compliance.
Because of the disconnection mentioned above, SOX Section 404 and ERM were treated as separate projects. To become more efficient, companies such as Countrywide Financial Corporation and Aquila began merging compliance and ERM management. Countrywide is presently integrating SOX functionality into its internal ERM software. The risk management software allows managers at every level to review risk data for their area and determine whether it meets their risk appetite. Executive managers, in turn, use the software to develop a strategic plan for Countrywide's entire risk portfolio. They use a combined top-down and bottom-up approach to communicate risks effectively at all levels.
Another company, which remains anonymous, uses a minimalist approach because its pre-existing strategic plan already covers all major risk factors. Since it already used a risk-based approach, it took its existing SOX Section 404 compliance plan and simply added ERM to its current inventory of risk practices.
Aquila took longer to initiate its ERM processes than the organizations mentioned above, but it used a distinctive approach to risk management that can be considered a benchmark for others. Internal auditors initiated the risk management plan and later transferred responsibility to an ERM advisory group. Managers at Aquila had difficulty thinking about possible risks in the absence of controls, because the known controls already in place were so familiar. ERM workshop attendees were therefore asked to assess the potential impact of a worst-case scenario. The attendees then determined the risk appetite for Aquila based on the following risk responses:
• If the risk response is to avoid, risk appetite is 1 - avoid on Aquila's 9-point risk scale.
• If the risk response is to reduce, risk appetite is 3 - minimal tolerance on Aquila's 9-point risk scale.
• If the risk response is to share, risk appetite is 5 - limited tolerance on Aquila's 9-point risk scale.
• If the risk response is to accept, risk appetite is 7 - tolerant or 9 - very tolerant, no action on Aquila's 9-point risk scale.
At first, Aquila applied the COSO ERM framework only to financial reporting risks. Within a few years, internal auditors were using the workshops and the procedures listed above to manage enterprise-wide risks.
The COSO ERM framework does not replace the control framework; rather, organizations should be able to use their existing control framework to integrate ERM processes with little difficulty. The frameworks often look different from one company to the next, but the following main concepts should be found in every ERM framework:
• All people in the organization should follow the same guidelines for
• ERM needs to be consistent throughout the company and not fragmented into silos.
• Total risks from top to bottom must be understood so that proper strategic decisions can be made.
Opportunities for linking SOX Section 404 and ERM are available and should be taken. Many audit committees are now involved in the risk management process and will encourage and expect a more formal ERM process in the future.
Even though there is no guide instructing organizations on how to integrate Sarbanes-Oxley into ERM, the procedures used at Countrywide and Aquila can provide assistance. As companies look ahead to integrating compliance with risk management programs, they should consider the following points:
• SOX has heightened interest in risk management, including greater awareness of risk and controls.
• A risk-based approach to SOX Section 404 can be much more efficient when integrating compliance functions into the ERM process.
• Companies should use the concepts in the COSO ERM framework to develop their own risk management style.
• COSO's ERM framework can help fill gaps in an organization's risk management processes.
• Internal auditors can help integrate the compliance functions with ERM processes.
• ERM can begin with top management identifying the organization's risks as a whole and then drilling down, or by using existing risk processes and filling the gaps where appropriate.