Back in 2002 the Sarbanes Oxley Act was enacted as a response to the shock collapse of Enron and, as a result, a sudden awareness that there weren’t really enough legal controls on accurate financial reporting for shareholders. I say ‘shock’ collapse, as none of their shareholders had any idea that the company was in trouble, and in fact, not even their external auditors, Arthur Andersen, who collapsed shortly afterwards due to unrecoverable reputational fallout, had any idea that the company was in trouble. There were other organizations also involved in corporate and accounting scandals around the same time as Enron, such as Adelphia, Peregrine Systems, Tyco International, and WorldCom. Simply speaking, the Sarbanes Oxley Act of 2002 was enacted as a way to legally enforce minimum standards to ensure the financial statements are reasonably accurate for companies that publicly trade in the US stock markets. Key sections of the Act include:
- 302: Disclosure controls
- 303: Improper influence on conduct of audits
- 401: Disclosures in periodic reports
- 404: Assessment of internal controls relating to the compilation of financial statements
- 802: Criminal penalties for influencing US Agency investigation
- 906: Criminal penalties for CEO/CFO financial statement certification
- 1107: Criminal penalties for retaliation against whistleblowers
In concept, I think this Act is absolutely necessary. Shareholders have a right to know what they’re buying. There is some criticism about the cost of compliance with the Act. I personally find these criticisms shocking. All companies with shareholders should be complying with these basic principles anyway! The Act simply asks you to prove it. The cost should be relatively insignificant, and considered part of the cost of public trading, much like food manufacturers accept the fact that a nutritional breakdown of their food is supplied to their buyers – it is necessary information for the potential buyer. Companies that say it’s very expensive clearly didn’t have any of these controls in place and if I were a shareholder of one of these companies, I would be very very unhappy.
I noticed an interesting side-effect to the introduction of the Act over the years. A large number of companies that I have had discussions with, who probably had nothing in place before Sarbanes Oxley, thought that it might be a good idea to kill two birds with one stone and use the Act to guide a new Enterprise Risk Management capability in their organization. Some of them had no Risk Management capability in their organization previously (again, shocking), or if they did, it wasn’t as mature as what the Act required of them, so they took a major direction change with their existing Risk Management capability, and based it all on Sarbanes Oxley principles.
The trouble with this decision is that Sarbanes Oxley has nothing to do with managing your enterprise risks. It is about telling shareholders the state of the organization so that they can make educated decisions on what price to buy/sell the shares. Risk Management is about understanding the probability and impacts of events, in order to exploit or reduce/manage them, to improve the performance of the organization and to reduce the damage caused by negative events. Sarbanes Oxley doesn’t care if your organization thrives or collapses and does nothing to influence business success. Sure, there is an overlap, but a small overlap. There are some events that could cause a material misstatement to the financial statements AND damage the organization. But there are many events that could cause a material misstatement to the financial statements (Sarbanes Oxley), but not really a lot of damage to the organization (Enterprise Risk Management), and even more the converse – there are a lot of events that may cause significant and unrecoverable damage to the organization (Enterprise Risk Management), but not cause a material misstatement to the financial statements at all (Sarbanes Oxley). Ironically, Arthur Andersen, the external auditors whose failures triggered the development of the Act, collapsed due to a risk event that had nothing to do with the accuracy of their financial statements.
So, does this mean that basing an Enterprise Risk Management function on Sarbanes Oxley is not ideal, but is better than nothing? I.e., some risks will be detected, but not all? My answer is NO. Basing an Enterprise Risk Management function on Sarbanes Oxley is worse than nothing, in my opinion. I’ve seen some organizations with Sarbanes Oxley-based Enterprise Risk Management functions be over-confident in their ability to manage their risks. They made decisions based on this over-confidence, and now some of these organizations no longer exist. Some of these organizations were not able to analyse and respond to the impacts of the Global Financial Crisis in time, because their risk assessments were always made in the context of financial statement accuracy.
I am currently working with a large mining organization, and they have it right. We are working on bringing together their Governance, Risk (Enterprise Risk Management), and Compliance (e.g., Sarbanes Oxley) functions with a holistic system of people, process, and technology. We are identifying their risks that have a potential inherent material impact on their organization (Enterprise Risk Management), including financial, reputational, and health and safety risk impacts, and we’re identifying risks that have a potential material impact on the accuracy of their financial statements (Sarbanes Oxley), amongst other risks of course. We’re integrating what is otherwise a very good, yet siloed, approach to their risk management and compliance. We can test a control that relates to both material risk and Sarbanes Oxley once, and the result flows up to their Enterprise Risk Management reporting and their Sarbanes Oxley compliance. The expected value to their organization is huge. More value than almost anything else they can do right now.
If you think that your organization is using Sarbanes Oxley compliance to drive Enterprise Risk Management, please contact me or anyone else at IncQ Consulting or your trusted Risk Management advisor for help as soon as possible! You really need to start focusing on the risks to your business, not just the risks to your financial reporting. Unfortunately, time is not on the side of organizations with Sarbanes Oxley-based Risk Management, and nothing is too big to fail.