CFOs and thrill-seekers may be the only people whose ears actually perk up at the word risk. Understanding, preparing for, and responding to risk are key elements of the job, and now, thanks largely to current events, technology is being brought to bear in the still rather hazily defined area of risk management.
“There’s a mad scramble going on,” says John Van Decker, a vice president at Meta Group. “Sarbanes-Oxley is going to be with us for the long haul, and you have to show you have the right internal controls in place. Spreadsheets and rudimentary databases will ultimately need to be replaced by industrial-strength software to show how documents move from A to B and how workflows move through the maze of homegrown systems you have today.”
That is, while risk can mean many things—and even a more-focused term like enterprise risk management (ERM) can be applied to everything from computer security to financial modeling—thanks to the Sarbanes-Oxley Act of 2002, risk management has become nearly synonymous with compliance, or, more accurately, the internal controls that satisfy compliance requirements.
Sarbanes-Oxley has had the sort of catalytic effect normally associated with cries of “Fire!” in a crowded theater, and the stampede of vendors claiming to help corporate clients install various forms of “internal controls” smacks of desperation. And yet there are new requirements to be met, and IT seems likely to play some role. As with Y2K, which (if any) of these newer technologies companies buy may depend on whether they opt for a quick fix or decide to overhaul systems and processes beyond what the letter of the law requires.
Take Compli, for instance, a company that provides a Web-based system for managing employee awareness regarding workplace policies. Until recently, the form of risk most relevant to Compli’s sales pitch was that of lawsuits stemming from, say, sexual harassment or workplace discrimination. Its training and accompanying audit trail offer proof of good-faith efforts in these matters, something companies could bring to court. But now, Compli says its services are just as useful in bringing something to the Securities and Exchange Commission or to boards that want to make sure audit processes are in place, understood, and being followed scrupulously.
In a similar vein, Movaris provides a Web-based system that documents, monitors, tests, and reports on all internal financial controls and control activities, and can proactively remind individuals of every regulatory task they’re required to perform and alert them to any time schedules they must adhere to. Nth Orbit is another firm providing software that monitors compliance activities in real time, enforcing corporate procedures and recording evidence that they’ve been followed.
A Bigger Picture
But companies should be careful not to let riskand compliancebecome synonymous—or, more to the point, to allow IT products and services companies to co-opt the term for a narrow set of applications. Next year the Enterprise Risk Management Framework being developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which is a private-sector initiative to improve financial reporting, will be released, having completed a public-comments phase last month. The framework is an ambitious attempt to clarify a process by which a company’s board, senior executives, and other stakeholders can identify and manage all types of risks in the context of a company’s risk appetite and overall business objectives.
While COSO stresses that in this regard ERM is much broader than regulatory compliance, it does acknowledge the critical role that effective internal controls will play. That will no doubt inspire IT companies to emphasize the efficacy of their products in assessing risks beyond noncompliance. Watch for ERM, therefore, to generate even more buzz—and confusion.
Enterprise Risk Management: Toward a Definition