Editor’s note: Ann Elizabeth Robinson, Ph.D., and a partner in Visage Solutions, LLC, provides an in-depth view of how companies can manage risks and better position themselves in today’s environment in the first of a three-part series.

The mere mention of Sarbanes-Oxley can have the effect of dampening one’s spirit when considering the expenditures of time, money, and resources to comply…at least if a company has taken a serious look at the act and believes it to require a holistic look at the enterprise and an active approach to compliance.

This is also the silver lining: compliance can get a company into the “ERM frame of mind.” That means the possibility of increased competitiveness and success, if the challenge is met.

The Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission created the report “Internal Control…Integrated Framework” (1992), which is the de facto standard for Sarbanes-Oxley compliance per the Securities and Exchange Commission (SEC). COSO has also released the draft of its “Enterprise Risk Management Framework” (i.e., ERM Framework) for public comment, a period which is now closed. The final document is expected to be released in mid-2004. While the Internal Control…Integrated Framework is a guideline for documenting the control activities over three categories of objectives (reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations), the new ERM Framework incorporates the entirety of the Internal Control…Integrated Framework and treats internal control as an integral part of enterprise risk management.

Enterprise Risk Management is defined by COSO as “a process, effected by an entity’s board of directors, management and other personnel, applied in a [sic] strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The key concepts are that ERM is a process; it involves people at all levels of an organization; it is applied in strategy setting; it is applied across the enterprise and takes a “portfolio” view of risks; it permits management to set its risk appetite and to identify events that could affect the company; it provides reasonable assurance that strategic and operational objectives are being met, that corporate reporting is reliable, and that the corporation is in compliance with applicable laws and regulations; and it “is geared to the achievement of objectives in one or more separate but overlapping categories.”

Achievement of objectives

With regard to the achievement of objectives, which is rather vague in the initial definition, COSO explains that reasonable assurance of achieving objectives related to reporting reliability and compliance with laws and regulations can be expected, because those objectives lie largely within the entity’s control. However, the corporation may not have control over the achievement of strategic and operational objectives, due to external forces such as those in the marketplace. In this case, the reasonable assurance consists of providing management and the Board of Directors timely information about the progress, or lack thereof, of the company in achieving its strategic and operational objectives.

This aspect of ERM is supported by Sections 404 and 409 of Sarbanes-Oxley, which require adequate disclosure of information that could have a material effect on the company, and require doing so on a “real time” basis (a term yet to be officially defined).

A distinction is also made in the ERM Framework between ERM and the management process itself. An example is provided: “the process of establishing objectives is a critical component of enterprise risk management, but the particular objectives selected by management, while an important management responsibility and an important link to an entity’s strategy, is not part of enterprise risk management.”

Similarly, the assessment of risk responses is part of the process of ERM, but the selection of specific risks to accept is a management decision and is not. (See Exhibit 2.3, ERM Framework, p. 18, for a representative chart comparing areas of management activity to those of enterprise risk management.)

The COSO matrix

Returning to the silver lining: how can compliance, with its focus on internal controls (vis-à-vis COSO’s Internal Control…Integrated Framework), put a company in the ERM frame of mind? One way of looking at turning compliance into a streamlined, strategic directional process for one’s company is to see how the internal control framework is incorporated into the ERM rubric. Many of the following ideas can also be found in “Appendix B: Relationship Between Enterprise Risk Management Framework and Internal Control…Integrated Framework” (ERM Framework draft, 2003).

As a starting point, one can visualize a matrix for the COSO Internal Control Framework (ICF) and a similar matrix for the ERM Framework. For internal control, five components, which are interrelated and mutually supportive, are identified, set against three sets of objectives. The five components are: Control Environment; Risk Assessment; Control Activities; Information and Communication; and Monitoring. The three sets of objectives are Operations, Financial Reporting, and Compliance. For enterprise risk management, eight components, also interrelated and mutually supportive, are identified, set against four sets of objectives (the objectives will be discussed below).

The eight ERM components are: Internal Environment (tracks with ICF Control Environment); Objective Setting (could fall within ICF Control Environment or ICF Risk Assessment); Event Identification (tracks with ICF Risk Assessment); Risk Assessment (tracks with ICF Risk Assessment); Risk Response (tracks with ICF Risk Assessment and is the initiating point for ICF and ERM Control Activities); Control Activities (tracks with ICF Control Activities); Information and Communication (tracks with ICF Information and Communication); and Monitoring (tracks with ICF Monitoring).

Given the similarities, where do the differences lie? The most obvious is that the ERM Framework differs in how the objectives are defined. Both the ICF and ERM have three similar objectives…operations, reporting and compliance…however, the reporting category is defined differently in the ERM Framework. The ERM Framework expands the reporting category significantly, from reporting related to the reliability of the published financial statements to “all reports disseminated both internally and externally.”

Such reports include regulatory filings and reports to stockholders. Reported information also includes non-financial information as well as the financial statements…i.e., the scope of reporting is expanded.

Strategic objectives

Additionally, another set of objectives is added in the ERM Framework…strategic objectives.

The strategic objectives associated with ERM are an integrating, higher order of objectives to which the other three sets of objectives…operations, reporting, and compliance…should be aligned. The strategic objectives emanate from a company’s mission or vision. Enterprise risk management is applied both in strategy setting and in achieving the objectives of the other three categories. Therefore, one can see that a company can begin a process of ERM that will focus and align its mission, strategy, and operations by initiating, and then expanding upon, the compliance that Sarbanes-Oxley imposes.

In conclusion, the silver lining is the synergistic effect of using compliance to find the resources necessary to initiate the “ERM frame of mind”…and reap the rewards of a more competitive enterprise. The enterprise will not necessarily be the same. In fact, it should be changed and constantly changing. Using a process that continues to redefine itself based on historical data, current information, and monitored trends, a company will create a “dynamic standardized process,” or, more appropriately stated, a “dynamic intelligent process.”

An enterprise can take the “ouch” out of SarbOx compliance and put the “dynamo” back into business by using compliance to get into the ERM frame of mind.

(Part II: In-depth Comparison of COSO ICF and ERM by Components)

(Part III: Applying ERM to the Compliance Process)

Visage Solutions is a results-focused operations assessment and risk management consultancy whose partners offer extensive real-world executive management experience. Visage Solutions offers a suite of services that provide a strategic approach to operations to improve business processes that affect the bottom line. Sarbanes-Oxley related services include OpsAudi and Compliance Process Improvement Services supporting Sections 302, 404, 406, 409, 802 and 806.