Risk Management

Although the term itself risks overuse and confusion, "risk management" may provide a way to improve internal controls.
John Verity, January 28, 2004

CFOs and thrill-seekers may be the only people whose ears actually perk up at the word risk. Understanding, preparing for, and responding to risk are key elements of the job, and now, thanks largely to current events, technology is being brought to bear in the still rather hazily defined area of risk management.

“There’s a mad scramble going on,” says John Van Decker, a vice president at Meta Group. “Sarbanes-Oxley is going to be with us for the long haul, and you have to show you have the right internal controls in place. Spreadsheets and rudimentary databases will ultimately need to be replaced by industrial-strength software to show how documents move from A to B and how workflows move through the maze of homegrown systems you have today.”

That is, while risk can mean many things—and even a more-focused term like enterprise risk management (ERM) can be applied to everything from computer security to financial modeling—thanks to the Sarbanes-Oxley Act of 2002, risk management has become nearly synonymous with compliance, or, more accurately, the internal controls that satisfy compliance requirements.

Sarbanes-Oxley has had the sort of catalytic effect normally associated with cries of “Fire!” in a crowded theater, and the stampede of vendors claiming to help corporate clients install various forms of “internal controls” smacks of desperation. And yet there are new requirements to be met, and IT seems likely to play some role. As with Y2K, which (if any) of these newer technologies companies buy may depend on whether they opt for a quick fix or decide to overhaul systems and processes beyond what the letter of the law requires.

Take Compli, for instance, a company that provides a Web-based system for managing employee awareness regarding workplace policies. Until recently, the form of risk most relevant to Compli’s sales pitch was that of lawsuits stemming from, say, sexual harassment or workplace discrimination. Its training and accompanying audit trail offer proof of good-faith efforts in these matters, something companies could bring to court. But now, Compli says its services are just as useful in bringing something to the Securities and Exchange Commission or to boards that want to make sure audit processes are in place, understood, and being followed scrupulously.

In a similar vein, Movaris provides a Web-based system that documents, monitors, tests, and reports on all internal financial controls and control activities, and can proactively remind individuals of every regulatory task they’re required to perform and alert them to any time schedules they must adhere to. Nth Orbit is another firm providing software that monitors compliance activities in real time, enforcing corporate procedures and recording evidence that they’ve been followed.

A Bigger Picture

But companies should be careful not to let risk and compliance become synonymous—or, more to the point, to allow IT products and services companies to co-opt the term for a narrow set of applications. Next year the Enterprise Risk Management Framework being developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, a private-sector initiative to improve financial reporting, will be released, having completed a public-comments phase last month. The framework is an ambitious attempt to clarify a process by which a company’s board, senior executives, and other stakeholders can identify and manage all types of risks in the context of a company’s risk appetite and overall business objectives.

While COSO stresses that in this regard ERM is much broader than regulatory compliance, it does acknowledge the critical role that effective internal controls will play. That will no doubt inspire IT companies to emphasize the efficacy of their products in assessing risks beyond noncompliance. Watch for ERM, therefore, to generate even more buzz—and confusion.

Enterprise Risk Management: Toward a Definition

  • Makes each area manager responsible for documenting and evaluating financial controls in his or her own area. People closest to each business unit manage the data, which improves accuracy and completeness.
  • Identifies areas with inadequate control measures so action plans can be initiated to resolve problems.
  • Tracks the progress of outstanding action plans, describes who is responsible for those actions, and sets the expected time for resolution.
  • Protects against fraud with systematic data management that ensures multiple reviews and verification.
  • Raises the level and precision of reporting to management.
  • Puts “localized knowledge” to work. Area managers become empowered to understand the impact of their roles on corporate results.