Printed from BusinessInsurance.com

Few risk managers join SOX compliance efforts

Posted On: Aug. 19, 2007 12:00 AM CST

When Congress passed the Sarbanes-Oxley Act in 2002 to prevent accounting scandals, some saw it as an opportunity for risk managers to get involved in the new compliance regulations. Five years later, however, a recent report and observers say risk managers have largely stayed on the sidelines of Section 404 compliance processes.

Some observers say risk managers have failed to seize the opportunity, especially when it comes to enterprise risk management, for which 404 compliance is seen as a springboard.

Others, though, point out that while there was an initial link between Section 404 and risk management, the focus over time narrowed to proper controls over accurate financial statements rather than risk assessment, which falls more within the purview of auditors and accountants.

And while Section 404 compliance can be a catalyst for an ERM program, the fact that risk managers are not involved in the 404 compliance process does not stymie those efforts, they note.

According to a report issued last week by New York-based Advisen Ltd., a survey of 302 risk managers found that of those who said their companies had a team or committee overseeing the Sarbanes-Oxley Section 404 compliance, the risk management department was represented on only 23% of the panels.

In addition, only 18.5% said the risk management department had a role in auditing, monitoring or collecting information for Section 404 compliance from other units of the company.

Risk managers who have taken an active role in Section 404 compliance activities, however, report that the impact has been significant both in terms of the influence of the risk management department on the design and implementation of a program and in raising the visibility and influence of the risk management department within the organization, the report said.

David Bradford, the editor-in-chief of Advisen who wrote the report, attributed the lack of risk management involvement to a lack of assertiveness.

"Unless they step up to the plate and say 'Hey, we've got something to contribute here,' the natural inclination (among companies) may not be to even consider risk management as a valuable part of the information collecting and analyzing process" of 404 compliance, Mr. Bradford said.

While there are risk managers who clearly view 404 compliance as an opportunity and "injected" themselves into the process, there are others "who either didn't understand that this represented an opportunity for them or weren't interested in expanding their roles and responsibilities, so they weren't particularly aggressive about getting themselves involved," he said.

"It's disappointing that more risk managers are not intimately involved, because...it represents an efficient and effective way for risk management to begin implementing an ERM program," said Fred Travis, a principal with Risk Management Consulting in St. Louis.

Up until 2005, Mr. Travis was director of corporate safety and risk management for St. Louis-based Anheuser-Busch Cos. Inc., where he was actively involved in the company's 404 compliance project. "We were seen as a really good team player and contributor and more than just the insurance buyer and workers compensation claims manager," he said. "Whether or not that furthers ERM at the company remains to be seen."

Overall, though, "by showing how SOX 404 compliance can fit into a more useful, less invasive ERM framework, risk managers have the opportunity to enhance the standing of risk management," he said. "Failure to take advantage of this opportunity, I believe, is a sign that risk management is not prepared to fulfill its responsibilities."

Pam Rogers, a Minneapolis-based senior vp with Marsh Risk Consulting, however, said she does not view Section 404 compliance and ERM as one and the same.

"Taken to its (potential), SOX would become a catalyst for an enterprise risk effort within a corporation. (But) to draw a parallel and say because risk managers are not involved in SOX compliance efforts means they're not taking the opportunity to be involved in ERM is not a fair statement," she said. "They are two separate things."

Section 404 compliance is "really an internal audit and external audit and accounting firm effort," she said. So the fact that most risk managers are not on the 404 compliance committee "does not surprise me."

"I'm not seeing many risk managers involved in 404 and SOX work generally, and quite honestly, I'm pleased with that," said Mark Charron, a principal and national actuarial and insurance solutions leader for Deloitte Consulting L.L.P. in Hartford, Conn., noting the general trend among companies to ratchet back the amount of resources and commitment to 404 compliance.

Section 404 is "very much a strong controls exercise," Mr. Charron said. "My personal belief is that the risk managers, while they certainly need to continue to monitor what's going on with 404 and do need open communications with that part of the operation, they're better focused on their core mission of risk identification, risk mitigation, risk transfer and risk financing."

Carol Fox, senior director of risk management for Cincinnati-based Convergys Corp., said she monitored her company's Section 404 compliance activities but did not actively participate in the 404 compliance process.

"We knew it was going on, we were concerned about it and we kept in touch with the folks driving it, which tended to be the accountants," but risk management's concern revolved more around the risks of noncompliance, she said. "So we saw compliance as a risk itself."

Ms. Fox said she doesn't think risk managers are missing out on opportunities by not being actively involved in 404 compliance and isn't surprised that few risk managers are involved.

And while Section 404 compliance may be a springboard for an ERM program, Ms. Fox sees them as two separate initiatives.

"We are very tightly linked with our internal audit department. We partner with them on ERM," she said. "While we drive the process, the monitoring piece is what internal audit has picked up and we've incorporated our findings for ERM in the audit plan, which has been very well received by our board of directors."

"ERM for most companies, including ours, it is seen as a separate initiative and a separate program," said Ms. Fox, who chairs the Risk & Insurance Management Society Inc.'s ERM committee.