Editor’s note: This is part of a series of articles about the impact of Sarbanes-Oxley legislation on businesses . Ann Elizabeth Robinson is a partner with Visage Solutions, LLC.Flexibility, agility, and reliability are the new buzzwords not only for Sarbanes-Oxley compliance, but also for achieving Enterprise Risk Management.

Flexibility is critical in relation to the who, what, when, where, and how of accessing information, communicating, and monitoring…both in terms of content (the knowledge) and in terms of structure (the IT component).

Flexibility may mean integration of multiple types of software and databases, across the enterprise, with partners, and with suppliers.

Agility is needed with regard to on-demand access, regardless of time of day or location.

Reliability is key to presenting a consistent and single view of financial and non-financial reports as well as being compliant with appropriate rules and regulations.

New Information Needs for Enterprise Sustainability

By expanding the focus from SarbOx compliance, with the emphasis on internal control, to enterprise risk management, the corporate focus changes from current operations to enterprise sustainability. Such sustainability is based on long-term indicators and non-financial measures, according to Debra Logan and Frank Buytendijk of Gartner Research.

Such measures could include the measurement of the value of intangible assets such as human capital output, intellectual property, rate of creation of intellectual property, and the outcome of employee retention. Some of the tools used to measure quantitative and qualitative performance more proactively are Six Sigma and the Balanced Scorecard.

Expanding the scope of SarbOx compliance to include the larger concept of Enterprise Risk Management increases the likelihood of future growth and being a competitive player in the marketplace. The Internal Control Framework (ICF) requires the assessment of risk and trends that could impact the firm (i.e., “emerging risks”)…but the view is toward controlling and recording past and present events as well as making disclosures in a “timely fashion.” The Enterprise Risk Management Framework (ERM) goes a step further, mandating a proactive approach to anticipate and ward off potential risk. This approach endorses looking for the “root causes” of risk across the enterprise– rather than just capturing their existence…and taking action to align risk within corporate risk tolerance ranges. This means that information needs to travel faster throughout the enterprise and discrepancies need to be resolved quickly…i.e., controls must identify and promote mitigation of emerging risk in near real-time.

Social and Technological Support Systems

The Risk Response component of ERM and the Risk Assessment of the ICF are the starting points for both ERM and ICF Control Activities. ERM integrates corporate objectives, risk response and controls to match residual risk with enterprise risk appetite and risk tolerance. Control Activities consist of such activities as management controls, information processing controls, physical controls and performance indicators (e.g., metrics and budgets).

The business environment is constantly changing and information rich, requiring flexible information and communication systems. According to Brett MacIntyre, Vice President of IBM, several trends have had a major impact on companies:

  • 1. The volume of data companies use and store has exploded

  • 2. The rules that govern what companies must keep have changed dramatically

  • 3. Information now needs to be shared across the enterprise as well as with customers, suppliers, and other partners.

  • 4. About 80 percent of business information is in new formats such as email, graphics, audio and video–and “buried deep inside the organization, where it can be managed.”

    This buried information needs to be scanned, digitized, stored, and readily accessible, bringing new importance to records management tasks and document storage and retrieval,.

    Data needs to be shared across the enterprise, often integrating many operating systems, many of which are Web-based.

    Given the new SarbOx compliance environment, new information or knowledge management systems and software will be more in demand. Many of these can also be used for enterprise risk management, with added effect. Some different types include: Business Process Management/Workflow Management, Business Intelligence/Business Performance Management, Electronic Records Management, Executive Dashboards, Document Management, Data Mining, and Data Reconciliation. In addition, there will be additional needs for data storage and for data recovery.

    We will discuss applications and tools next week.