Editor’s note: Ann Elizabeth Robinson, Ph.D., is a partner with Visage Solutions, LLC. This is the second in a series of articles.

One can conclude that the time-consuming, resource-expending…and legally mandated…Sarbanes-Oxley compliance activities can be silver threads that, once unraveled and resewn into the garment of Enterprise Risk Management, can lead to gold.

A company can not only avoid the risk of being out of compliance, the possibility of fines and/or imprisonment of key executives and other management, bad publicity, and an erosion of corporate goodwill, but can also increase the potential for revenue gain through sound business practices and a laser-focused strategy, supported enterprise-wide. The threads of enterprise risk management can reveal the silver lining of Sarbanes-Oxley compliance…that the resources spent are worth their value in gold.

What follows are more of the “threads” of silver lining that we began discussing last week.

Event Identification (ICF Risk Assessment)

Both frameworks acknowledge that risk can occur at every level of an organization, from both external and internal factors, and that risks that hinder the achievement of objectives should be identified. This aspect highlights a major difference between the Internal Control Framework and the Enterprise Risk Management Framework: the ERM Framework is a more proactive management methodology and approach to risk. The ICF records what has happened in the past as well as current activities, and methods to control activities so as to keep corporate processes within acceptable limits (i.e., those that are accountable to its various stakeholders) for past and present activities. The ERM Framework, however, tries to anticipate and ward off the creation of potential risk through event identification, assessment, and response.

Event identification could be analogous to looking for the “root cause” of an operational problem…but, in this case, one is looking for the potential “root causes” of risk. The enterprise is challenged to see what is emerging…not just controlling for, or reporting on, past and present activities. The ERM Framework discusses the concept of potential events, without labeling them as positive (possible opportunities for the company) or negative (hindering achievement of objectives and requiring a management response). An “event” is defined in the ERM Framework as “an incident or occurrence emanating from internal or external sources that could affect implementation of strategy or achievement of objectives.” (p. 38)

The ERM Framework elaborates on the interrelationship of events and their impact on the entity; methods for identifying events (see Exhibit 5.1, p. 41); event categories (see Exhibit 5.2, p. 44, categories listed by external and internal factors); and distinguishing between risk and opportunity. The methodologies for identifying events are critical to companies looking for solutions. They include Event Inventories, Internal Analysis, Threshold Triggers, Facilitated Workshops or Interviews, Leading Event Indicators, Loss Event Methodologies, and Process Flow Analysis (pp. 41-42).

This anticipatory characteristic is most closely apparent in the ICF in the Monitoring component, which includes looking at the emerging business environment. However, since the emphasis is on reporting, disclosure, and control, the ICF does not emphasize the forward focus as the ERM Framework does.

Risk Assessment (ICF Risk Assessment)

Risk Assessment was separated from Event Identification in the ERM Framework in order to avoid overlooking relevant events. The assessment of the likelihood of an event occurring is the focus of Risk Assessment (ERM Framework, p. 38). The concepts of “inherent risk” and “residual risk” are introduced. Inherent risk is the risk without any management action to alter either the likelihood or the impact of the risk; residual risk is the risk that remains after the management response. The likelihood (i.e., probability of occurring) and degree of impact (severity of hindrance to achieving objectives) are measured by various qualitative and/or quantitative means (such as benchmarking, probabilistic models, and non-probabilistic models).

Time horizons become important, ensuring that not only short-term and medium-term risks are exposed, but also those with longer timeframes. Risk assessment also includes the correlation of events and determining what sequencing of events could combine to significantly impact the organization. The concluding statement in this section of the ERM Framework is a telling one:

“Effective enterprise risk management requires that risk assessment be done with respect to both inherent risk, and risk following risk response.” (ERM Framework, p. 51).

Risk Response (ICF Risk Assessment and initiating point for ICF and ERM Control Activities)

Once again, this category is not explicitly stated in the Internal Control Framework as it is in the ERM Framework. The ICF does require monitoring and control of activities and processes so that stakeholders are protected…and management, boards of directors, audit committees, and C-level executives are held accountable under Sarbanes-Oxley.

The ICF advocates having a consistent control and reporting system to track, process, and record corporate accomplishments and actions…but it is not fundamentally proactive. The ERM Framework, as Visage Solutions colleague Glenn Conway comments, “incorporates these elements of ‘past-tense control,’ but also extends into virgin territory to anticipate issues and identify response guidelines for issues that have not yet come to pass.” (Commenting on the ERM, November 2003.)

The goal of Risk Response is to achieve residual risk alignment with the entity’s risk tolerance…i.e., after the management response to potential risks to the organization, the remaining risk should be within the overall (entity-wide) tolerance range and in alignment with its risk appetite and its strategic objectives. Management responses to risk are to avoid, reduce, share, or accept risk. Definitions and examples are provided within the ERM Framework; for example, to accept a risk is to take no action that would affect the likelihood or impact of that risk…e.g., forgoing flood insurance if the likelihood is very low.

Risk responses are evaluated in terms of the costs and benefits to the entity; some responses may affect multiple risks, so that some individual risks may not need to be addressed. Once a response is selected, management may choose to implement a plan to execute the response, requiring certain procedures. These procedures are, in effect, the Control Activities. So, one can see that Risk Response is the initiating point for the category of Control Activities, whether under the ICF or the ERM Framework.

Under the ERM Framework, the response to risk can create new risks; therefore, an iterative process may be needed (a good example is that of environmental problems that can result from the placement of a new dam, intended to supply water or power needs). Finally, the portfolio perspective allows the consideration of any offsets…”events representing opportunities or events that would mitigate the negative effect of other events”…across the entity as well as the cumulative effect of all risk responses. (ERM Framework, p. 58.)

Control Activities (ICF Control Activities)

The area of Control Activities tracks closely for both the Internal Control and Enterprise Risk Management Frameworks, though the ERM Framework focuses on risk, strategic and enterprise-wide objectives, and an integration of objectives, risk response, and controls. Control activities are designed to help an entity achieve its objectives and can include management controls, information processing controls (both general and application), physical controls, and performance indicators.

Control activities involve policies that establish what should be done and procedures that state how the policy should be implemented. Issues surrounding information controls are integral, pervasive, and a part of virtually all aspects of the enterprise and its management…and therefore of risk response. Companies looking for solutions will need to examine areas such as information technology management, information technology infrastructure, security management (such as identity management), and software management (i.e., acquisition, development, and maintenance), as well as application-related areas, to ensure the completeness, accuracy, authorization, and validity of data capture and processing. These elements are essential to the reliability and accuracy of reporting, whether for Internal Control or for Enterprise Risk Management.

Information and Communication (ICF Information and Communication)

Under the Internal Control Framework, information and communication are focused on the manual and automated distribution of information to appropriate stakeholders, internally and externally, in a timely manner. The ICF addresses the need for appropriate content that is timely, current, accurate, and accessible and the importance of both internal and external sources. The goal is consistency and synergistic decisions and actions by management for the benefit of the stakeholders.

The ERM Framework expands upon this mandate to consider “data derived from past, present, and potential future events” to ensure that “the information infrastructure sources and captures data in a timeframe and at a depth of detail consistent with [the] entity’s need to identify, assess, and respond to risks and remain within its risk appetite.” (ERM Framework, Appendix B, p. 3.)

Monitoring (ICF Monitoring)

The ICF calls for a periodic review and recording of the effectiveness of the control system in place. In essence, it is a feedback process that allows management to make changes, as needed, in an informed way. The main objective of this component is to find out if the control elements are working together effectively, keeping the organization within its three objectives (operations, financial reporting, compliance).

It tracks the implementation of and progress toward the achievement of the entity’s goals, records this progress or lack of progress, and shows where course corrections are necessary in each of the four previously discussed components of the ICF. It may also elucidate areas of emerging concern…i.e., new risks to individual objectives.

The ERM Framework expands upon this component in a grand way…by extending the monitoring to the future and to the whole enterprise. Both frameworks discuss the roles and responsibilities of various parties “that are a part of, or provide important information to, internal control and enterprise risk management.” (ERM Framework, Appendix B, p. 3). In addition, the ERM Framework discusses the roles and responsibilities of risk officers and the board of directors.

Next week: Solutions

