You may be as amazed as I in continuing to encounter intelligent, accomplished business people who still don’t understand what Sarbanes-Oxley’s internal control requirements are about. Let me share a recent experience.
I’ve been working with a large multi-national company’s board of directors to identify shortcomings in corporate governance and enhance practices and performance. This has involved spending some time with each of the directors individually to get to know how they approach their board roles and are carrying out their responsibilities. Of particular interest is a highly educated, nationally known and well-respected business advisor, with whom I got into a discussion involving the board’s role in overseeing the company’s risk management.
His message was that since the company already complies with SOX 404, including auditor attestation, risk management is well addressed in the organization. There’s no need, he said, for the board to do much more in that area. Working hard to contain my disbelief, I asked whether he had considered that the SOX 404 rule focuses only on internal control over financial reporting, and while there is a risk identification/analysis element therein, it does not expand beyond financial reporting. After he reiterated his position, I explained, as tactfully as possible, that the company’s and auditor’s compliance with 404 provides little if any comfort regarding strategic, operational, or other business objectives and their related risks.
Interestingly, we’ve also seen numerous instances where CEOs truly believe their companies already have enterprise risk management processes in place when the reality is that they have elements of risk assessment performed ad hoc in pockets within their organizations.
For anyone looking to encourage their company’s board or senior management to consider establishing a disciplined and effective risk management process, it’s important to be sure there is no misconception about what is – or is not – already in place. Too often misconceptions exist, and they must be dealt with in order to move forward with a constructive development plan.