Is your corporate or personal reputation at risk? It's a question more executives are pondering these days, especially in light of recent business scandals and litigation. Managers worry that any misstep in their internal controls or public reporting, regardless of their best intentions, will trigger adverse market reactions. They justifiably fear that even in the absence of personal wrongdoing, they may be held accountable for inappropriate conduct or bad outcomes occurring on their watch.
PricewaterhouseCoopers recently released a global risk-assessment survey of nearly 1,400 CEOs, a third of whom manage companies with more than 5,000 employees and revenue exceeding $1 billion. When asked to prioritize the risks facing their organizations, these executives ranked regulatory noncompliance second, above terrorism, and surpassed only by the prospect of losing to competitors.
To be sure, there are plenty of regulations to be concerned about, particularly those pertaining to Sarbanes-Oxley, not to mention Basel II, the Office of Foreign Assets Control (OFAC), and the Patriot Act. But rather than view these requirements as drags on productivity, companies should regard them as opportunities for reducing reputation risk through strengthened processes, improved clarity of business operations, and greater transparency of financial performance. By reducing reputation risk, organizations can differentiate themselves as highly competent enterprises and more attractive business partners.
Risk mitigation is costly, however, and organizations are already expending significant resources to meet regulatory requirements. For instance, 48% of public companies expect to spend more than $500,000 annually on Sarbox compliance activities, excluding capital investments in technology and other assets, according to CFO Magazine. Many large enterprises will lay out well over $1 million for internal and external resources applied to regulatory compliance.
According to the 2004 PricewaterhouseCoopers Management Barometer Survey, companies expect their compliance spending to increase an average of 9.9% in the next two years. In keeping with that trend, 90% of all survey respondents plan improvements to their companies' compliance efforts, with an eye to increasing cost efficiency. Such measures include improving risk-management methodologies and implementing processes and technologies that control compliance costs.
Companies must address compliance issues the same way they do other risks. The thinking and processes that go into managing competition, adverse market conditions, disaster recovery, and supply-chain problems are no less applicable to regulatory compliance and reputation risk.
Businesses are shifting from plain-vanilla to risk-based compliance, says iGate Global Solutions consultant Anupama Agarwal, whose firm helps Fortune 100 clients fulfill Sarbox requirements. In her view, the new approach will lead to sustained processes, operational efficiencies, and higher ROIs.
Others agree. The Securities and Exchange Commission (SEC), for example, noted earlier this year that in the course of complying with Sarbox Section 404, companies have already uncovered and rectified deficiencies in their accounts receivable, inventory management, and information technology, thereby improving their operational performance.
Companies and the SEC also learned that Sarbox compliance is more than just tightening up financial processes, records, and reporting. Their experience taught them two essential lessons:
When overly focused on excessive detail, compliance activities can divert and exhaust critical business resources.
IT must play a major role in compliance, bigger than originally anticipated, because financial processes and data collection rely so heavily on technology.
In 2004, most companies responded to Sarbox by instituting manual controls over critical business processes, information systems, and reporting mechanisms. In many cases, these companies were managing the controls with complex spreadsheets and desktop databases. Compounding this phenomenon were the demands of audit firms conducting AS-2 reviews that examined every step and action in every applicable process. Businesses accountable to report in 2004 were generally successful in meeting their responsibilities, but at great cost in terms of staffing, services fees, business and technology infrastructure investments, and management attention.
The IT implications for what was supposed to be a financial-controls process should have come as no surprise. In most companies with revenue exceeding $500 million, information technology in one form or another is integral to every function of the organization. No function is more dependent upon electronically stored data and automated manipulation and reporting of data than finance.
The SEC and Public Company Accounting Oversight Board (PCAOB) responded to 2004's lessons learned just a few months ago, encouraging companies and their audit firms to take a different approach in 2005. Worried that the extreme focus on detail was impeding truly effective internal controls and reliable financial reporting, the SEC suggested that the intense concentration of businesses and their audit firms on a bottom-up, checklist approach to satisfying the requirements of the regulations ran counter to the commission's intent.