ERM: Life Beyond Sarbanes Oxley
- George Matyjewicz, PhD
As presented to the Institute of Internal Auditors, Syracuse, NY
October, 2004
“Internal auditing has received renewed attention since
the recent corporate governance and accounting scandals here in the U.S.
and in the 1990s in the U.K. The measures put in place to monitor
corporate governance, i.e., monitoring financial controls have now
expanded to include total Enterprise Risk Management (ERM). This now
empowers Internal Audit (IA) to be more effective – to provide assurance
and perhaps consulting roles for ERM-Based Auditing without risking their
independence and objectiveness.” This was the
message to the Central New York chapter of The Institute of Internal
Auditors given by George Matyjewicz, PhD, Chief Global Strategist, GAP
Enterprises, LLC and Managing Director, Consulting, D'Arcangelo & Co., LLP.
“These scandals resulted in the Sarbanes-Oxley Act of 2002, from which
organizations have gained some positive results,” said Matyjewicz.
“We learned the importance of organizing internal controls into a
dynamic repository. And C-level officers learned the importance of a
disciplined, risk-based approach of establishing objectives, identifying
risks that will prevent them from meeting those objectives and
establishing controls that will mitigate those risks.”
Organizations learned that static checklists of internal controls no longer
work, since maintaining controls is a dynamic exercise. Many organizations
rushed to get SOX done fast, and are now paying for that haste in rework.
C-level officers first looked at SOX purely as an expense. The more
far-sighted leaders learned that it is a much-needed exercise in efficiency,
and those organizations are now focusing on Enterprise Risk Management (ERM).
A risk is a set of circumstances that hinders the achievement of objectives.
ERM is the process put in place to mitigate those risks: not only financial
risks, but risks to all four categories of objectives in the new COSO ERM
framework: strategic, operations, reporting and compliance.
The COSO ERM Framework, which builds on the COSO Internal Control–Integrated
Framework (IC-IF), emphasizes the importance of identifying and managing
risks across the enterprise. The objective of COSO ERM is to aggregate and
view risks from the top down in an organization. ERM is defined as “a
process, effected by an entity's board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed
to identify potential events that may affect the entity, and manage risks
to be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”
ERM enables management to deal effectively with future events that create
uncertainty; respond in a manner that reduces the likelihood of downside
outcomes and increases the upside; and maximize value by balancing
strategy and objectives within the entity’s risk appetite. ERM helps an
enterprise to align risk appetite and strategy; enhance risk response
decisions; reduce operational surprises and losses; identify and manage
enterprise-wide risks; seize opportunities; and improve deployment of
capital.
Matyjewicz also gave the attendees successful strategies for driving the
implementation of ERM and for facilitating buy-in from management and
staff. “ERM is a journey, as much as a destination. Build it in stages and
let it evolve over time,” advised Matyjewicz.
For further information, or to arrange a speaker for your event, contact
George Matyjewicz.
###
About the author...
George Matyjewicz, PhD is Chief Global Strategist, GAP Enterprises, LLC and
Managing Director of D’Arcangelo & Co., LLP, Certified Public Accountants
and Consultants. D’Arcangelo has 20 partners and 120 staff in five offices.
His dissertation “Just In Time Payments And The New Global Currency For
Conducting Business In A Global Economy” was compiled from 3+ decades of
experience in the business world. He was formerly Chief E-Commerce Officer
for a global giftware company and President/General Manager of a global
digital currency company with customers in 190 countries, where he
experienced risk management issues first hand. He was a Principal/Partner
at a top 30 U.S. CPA/Consulting firm. He is a frequent speaker, is
regularly published as an expert on global business, finance, technology
and implementation, and writes and publishes E-Tailer’s Digest online and
in print, which reaches 50,000 retailers worldwide.