
Manage Tomorrow's Surprises Today

Steven Minsky

Smart Companies Integrating ERM with SOX


In Malcolm Gladwell's "Blink," he examines a hospital whose team had learned that, to diagnose heart attacks, it is more useful to gather a few key indicators than to try to take every measure into account. I've found that to judge the health of ERM programs, there is likewise a small subset of characteristics that seem to immediately indicate success.

  1. Does the ERM program engage the front lines?
  2. Can the program analyze information across silos?
  3. Has the program engaged, or integrated, with at least one other governance function?

If I were developing a three-question test of ERM effectiveness, that's where I'd start. This post focuses on the third question, especially when it comes to matters of financial reporting compliance.

A Brief History

Financial Reporting Compliance and its many iterations (SOX, JSOX, NAIC Model Audit Rule, etc.) have been adopted by more than just large public institutions, because the effects of SOX implementation have been shown to improve internal processes, streamline testing, and even reduce the uncertainty in the pricing of IPOs.

The evolution of SOX compliance, from industry fear that the mandate would reduce levels of risk taking and suppress investment, to a recognition that the mandate provides value when implemented effectively, mirrors the emergence of ERM as a core business discipline. It's ironic that many successful ERM programs turn to their SOX teams when beginning to standardize risk management across an enterprise.

How SOX is integrated with ERM

Internal Controls over Financial Reporting overlaps heavily with ERM, since it is simply the management of the risk of misstatement. Analysis by process and sub-process, documentation of controls and objectives, and the testing required to validate controls are all subsets of ERM practice. While an automated tool can assist with test documentation and data management, ERM offers the additional capability of prioritizing and streamlining the SOX process by pointing organizations to their areas of greatest vulnerability.

How is that accomplished? In 2002, SOX gained a horrible reputation for wasting time and resources. That reputation started to change in 2007, when the concept of ERM, or more specifically what is called a Top Down Risk Assessment (TDRA), was introduced as a way to prioritize an organization's key controls and tests by linking them to risk. TDRAs are a formalized recognition that a risk-based SOX approach is more valuable and more cost-effective. Risk management software can assist in this process by integrating these assessments with the existing ERM risk assessment process. Instead of adding work for your process owners, they accomplish multiple goals with the same consolidated assessment, which allows the financial controls analysts to prioritize their work to only the material risks.

Like Internal Controls over Financial Reporting, other governance functions can gain cost savings and efficiency by adopting risk management practices. Integration of this kind is how organizations turn ERM from yet another compliance activity into a framework for overall governance. Just as ERM can prioritize SOX controls for finance teams, it can similarly prioritize vendors, IT assets, regulatory compliance, and a whole host of otherwise costly governance activities. Moreover, this prioritization can be done across silos, providing value not just for front line managers but for the business as a whole.

Interested in adding value to your ERM program? Download our eBook on Integrating Governance with ERM for more information.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
