The CFO finds it interesting that the biggest risks didn't end up being financial ones. The most-often-cited threats include impairment of the company's brand image and breaches of customers' privacy. Nolop says that executives were already made aware of financial risks through the company's routine business activities; for example, during efforts to obtain financing for customers, they learned a great deal about the effects of interest-rate fluctuations. Hedging and other mitigation techniques are already in place at the company for such exposures, he says.
In comparison to a "procedural" approach to regulatory compliance, which tends to treat risks as stemming from isolated business units, the ERM approach looks at the ripple effect throughout the entire company and beyond, according to Nolop. Concerning supply-chain risk, for instance, executives first consider what they would do if the company ran out of certain parts, then address how they'd respond if the parts suppliers ran out themselves.
Ironically, ERM can be a less efficient process than simple Sarbox compliance. For Sarbanes-Oxley — as CFOs know all too well — regulators and auditors have provided pages and pages of implementation guidance. On the other hand, says Nolop, an enterprisewide approach to risk "means you flounder a little bit to come up with the best processes and procedures. But in the end," he adds, "you are able to go where the analysis takes you, and you come up with better understanding."

Reader Comments
Jacob James
Feb 17, 2006 10:48 AM ET
Going overboard
It is typical of US regulators to go overboard. AS 2 is a clear example. While there is merit in having Internal controls … more
Jessica Byrnes
Feb 13, 2006 5:20 PM ET
CFOs Seek Sarbox Triage
If RTFM means what I think it means, I agree with Edda Junka. Go to our website and see a full copy of TFM beautifully … more
edda junke
Feb 13, 2006 12:23 PM ET
CFOs should RTFM
Why is this news? The PCAOB and SEC have included risk-based assessments in SOX since AS-2 (at least). And they … more