The Sarbanes-Oxley Act of 2002 is beginning to have an effect that can be seen in the news headlines, in the boardrooms, and on C-level executives who are getting subpoenaed and some who are landing in jail.

The November 24th edition of Fortune magazine describes business as having become “a real mob scene.”

Senior Editor Geoffrey Colvin raises the following questions: “Does your company manage earnings, and do you participate in any way? Are you thus failing to represent your company’s financial condition fully and fairly…defrauding investors…in the context of the Sarbanes-Oxley era?”

The same issue of Fortune contains articles about the long arm of the law finally having Enron’s Jeff Skilling and Ken Lay within reach (“First: They’re Getting Close,” by Bethany McLean and Peter Elkind, co-authors of The Smartest Guys in the Room about the rise and fall of Enron, pp. 37-38) and the 85-count fraud indictment against former HealthSouth CEO Richard Scrushy (“Reborn Free?” by John Helyar, Fortune, p. 46).

Debra Logan, Research Director for Gartner Research, admonishes businesses to take Sarbanes-Oxley seriously…and offers a website listing 443 suits brought under the Securities Exchange Act of 1934 and the Sarbanes-Oxley legislation over a period of nine months, mostly in 2003 (Gartner’s weblog, Aug. 7, 2003; see sox.weblog.gartner.com).

The listing shows there have been 25 CEO convictions out of 250 corporate prosecutions.

What are the benefits?

In the first part of this article, in spite of all the bad press and the cost in time and money to comply, we discussed the silver lining of complying with Sarbanes-Oxley. The silver lining is that a company can use these compliance efforts as a springboard to initiate Enterprise Risk Management (ERM) and become a more competitive enterprise.

Here, in Part II, the threads of that silver lining are unraveled…showing how the steps of the COSO (Committee of Sponsoring Organizations) Internal Controls Framework (ICF) are part and parcel of the COSO Enterprise Risk Management (ERM) Framework. [See Enterprise Risk Management Framework (Exposure Draft for Public Comment), Committee of Sponsoring Organizations of the Treadway Commission, 2003…referred to as “ERM Framework” in this document.] As one will see, the ERM frame of mind is that of using a process that continually redefines the company based on historical data, current information, and monitored trends…in essence, a “dynamic intelligent process.” One might speculate that if the ICF had been issued today, instead of in 1992, it might have looked more like the ERM Framework, with its four sets of objectives (instead of three), eight components (instead of five), and a more proactive stance (instead of looking at current or past events and activities).

The ERM Framework is distinguished from the ICF in its objectives by the addition of an overarching set of strategic objectives that align and integrate all aspects of the entity with the objectives in the three categories of operations, financial reporting, and compliance with laws and regulations. Additionally, the scope of reporting is expanded in the ERM Framework to include all reports, internal and external, and both financial and non-financial documents.

With these distinctions in mind, each of the following components of the ERM Framework (and its respective ICF component, as noted in parentheses) will be examined: Internal Environment (ICF Control Environment); Objective Setting (could fall within ICF Control Environment or ICF Risk Assessment); Event Identification (ICF Risk Assessment); Risk Assessment (ICF Risk Assessment); Risk Response (ICF Risk Assessment and initiating point for ICF and ERM Control Activities); Control Activities (ICF Control Activities); Information and Communication (ICF Information and Communication) and Monitoring (ICF Monitoring).

Internal Environment (ICF Control Environment)

This component of the ERM Framework is the culture of the entity…its values, ethics, mores, and beliefs, specifically as it relates to a company’s view of, and behavior with regard to, risk. This includes the company’s risk management philosophy; risk appetite and risk culture; the role played by the board of directors; the integrity, ethics, and competence of personnel; and management operating style, encompassing the assignment of roles and responsibilities and the organization and development of its people. Risk management philosophy is a company’s belief about risk and how it chooses to deal with risk. Risk appetite is “the amount of risk an entity is willing to accept in pursuit of value,” and a company’s strategies should be in alignment with its risk appetite (See ERM Framework, p. 20.) Risk culture is “the set of shared attitudes, values and practices that characterize how an entity considers risk in its day-to-day activities.” However, this risk culture can either be haphazardly formed, due to lack of guidance by management or lack of strong strategic objectives, or it may be firmly imbued in the daily activities of personnel throughout the organization. The Internal Environment is similar to the Control Environment of the Internal Control Framework, where the ethics and culture of the organization set the tone at the top for the whole organization.

Objective Setting (ICF Control Environment or ICF Risk Assessment)

Objective Setting has its own category in the ERM Framework. It includes not only specific objectives for operations, financial reporting, and compliance, but also entity-wide strategic objectives. The view of risk is an aggregate or “portfolio view,” taking into consideration a range of tolerances for risk, depending on the business activity or nature of a business unit. Different risk tolerances could be acceptable for different objectives, as long as the combined portfolio does not violate the aggregate risk appetite…i.e., “the broad-based conceptualization of the amount of risk it is willing to accept to achieve its goals.” (ERM Framework, Appendix B, p. 2). Objective setting within the context of the Internal Control Framework is discussed specifically in the ICF Risk Assessment component relative to the three categories of internal control objectives (operations, financial reporting, and compliance). However, the context and foundation for such objectives would have been determined by the culture of the organization (Control Environment). In this case, the correspondence between the Internal Control Framework and the Enterprise Risk Management Framework is less precise.

Given this perspective, one could say that four categories of the ERM Framework expand and elaborate on the category of Risk Assessment as found in the ICF: Objective Setting, Event Identification, Risk Assessment, and Risk Response. The other three categories are discussed below. For contextual understanding, it should be mentioned that Risk Assessment under the Internal Control Framework is focused on the “individual” risks involved in achieving entity objectives on an individual basis…not on the aggregate or portfolio view.

