
A Tale of Two Companies


By Kimberly Getgen, Reconnex

It was the best of times. It was the worst of times. This is a tale of two publicly traded companies competing in the post-Enron era, governed under the Sarbanes-Oxley Act of 2002 (SOX), which mandates higher standards of corporate governance, auditor independence, management's assessment of internal controls, and accuracy of the company's financial reporting.

Steven Bochner, a partner at law firm Wilson Sonsini Goodrich & Rosati who has more than two decades of experience in practicing corporate and securities law, says, "A critical provision of the Sarbanes-Oxley legislation for public companies is Section 404, which requires management to certify and auditors to attest as to the adequacy of a company's internal controls. In addition, as required under other provisions of Sarbanes-Oxley, SEC rules now require a company's CEO and CFO to certify as to the adequacy of internal and disclosure controls."

Striving to meet these new requirements, each competitor followed a different path.

Company A's strategy was to build a compliance program that started with a formal assessment of its enterprise risk. That assessment gave it visibility into the risks that were actually occurring. Quickly, management began to realize:
  • They had significant risks that had previously gone undetected.
  • These risks jeopardized the "accuracy" of their financial reporting.
  • The risks were material and had to be communicated to the board and shareholders.
The capability to see such risks gave management the information it needed to build a long-term compliance strategy aligned to the company's actual risk profile. Management received daily reports that enabled it to track and monitor operational risks. It standardized these reports to match the company's actual risk profile, allowing it to communicate the seriousness, duration, and frequency of misconduct events more effectively and to execute remedial actions as needed.

Company A made a top-down decision to focus compliance spending on remediating problems, benchmarking metrics to report corporate governance standards within the company, and training employees. Employees adopted a positive culture of exceeding corporate governance standards. One year later, Company A's corporate governance ratings had improved. Its credit rating went up; insurance premiums went down. The cost of "doing business" (the cost of capital, for example) went way down. It reclaimed lost market share, and its stock price improved. By the end of the year, management noticed there were fewer competitors in its industry and Company A was the market leader.

Company B's management sent each department a compliance checklist to complete by a specific deadline. Each department was measured by how fast it could check off the boxes and get on with "business as usual." No formal assessment or identification of risk was completed. If misconduct was reported, it was sent to management and fell into a "black hole": no one knew what action was taken to remediate the misconduct or, for that matter, what risks were actually affecting each department.

In that year, Company B experienced a series of insider trading incidents and rumors of fraud, all of which made front page news. The independent auditors investigating the root causes of these events were fired by the CEO. No auditor wanted Company B as a client. "Whistleblowers" inside the company leaked information to the SEC and the press. The SEC began to investigate and found that the executive management team had covered up or ignored misconduct by employees and had failed to monitor material risks that had been identified and reported by its internal and external auditors. This bad publicity caused shareholder confidence to plummet along with the stock price. No one wanted to invest capital in Company B, and its insurance rates and the "cost of doing business" went up. One year later, shareholders brought a class action lawsuit, and the directors settled for multimillion-dollar sums. Company B lost its competitive edge and by the end of the year was on the verge of bankruptcy.

Pulp Fiction?
Company A and Company B are fictional representations of the "best case" and "worst case" scenarios in this challenging era of compliance. But are the outcomes of these scenarios complete fantasy?

At the time of writing, 10 of 12 WorldCom directors and 10 Enron directors had agreed to settle class action lawsuits at a combined cost of $31M. These settlements are being paid from the directors' own personal assets; their companies' directors and officers (D&O) insurance is not covering the damage. The WorldCom directors are estimated to be losing about one fifth of their aggregate net worth in the settlement alone. Still unknown is how many additional millions each lost in the collapse of WorldCom, but early estimates put this at around $250M. Did the directors know about the fraud going on inside WorldCom and Enron? Probably not. Are they paying for it? Yes, dearly. The Wall Street Journal writes:

Outside directors at the former WorldCom Inc. didn't participate in the company's accounting fraud, and they lost millions in the wreckage. But they failed to properly oversee the company… In short, the company said in its June 2003 report, "the board and its committees did not function in a way that made it likely they would notice red flags."

The WorldCom directors' pact… creates no legal precedent. But the insistence by the lawsuit's lead plaintiff, the New York State Common Retirement Fund, that the former directors pay a significant portion of the settlement from their personal assets could mark a sea change in the prevailing new view of when personal liability applies to corporate boards' outside directors. (WSJ 1/07/05 C1, "WorldCom's Steep Price")


While the full effect of SOX on corporate America continues to unfold, one effect is perfectly clear: the role and responsibility of a director, CEO or CFO of a publicly traded company is forever changed.

What Company A Did Right: Seven Steps of Highly Effective Risk Management
Company A's secret weapon was a proactive compliance strategy that enabled it to identify, monitor, report, and manage corporate risks.

Be like Company A. Follow these seven steps to get the most out of your risk assessment:
  1. Identify all your perceived risks.
  2. Gather data on the actual risks occurring within your enterprise.
  3. Correlate information about risks (frequency, type, patterns) and look for the trends to understand why they are happening.
  4. Prioritize the severity of your risks so you know where to spend resources and align this to your business processes.
  5. Spend money only on the solutions that allow you to take action to remediate real risks.
  6. Standardize employee training and risk reporting to management and auditors so you can show due diligence in your efforts to combat risk and misconduct.
  7. Understand your risk well enough that, through continuous monitoring, you can recognize "unusual" trends and investigate and remediate misconduct.
What Happens if You are Investigated?
The critical factors in evaluating any compliance program are whether the program is adequately designed for maximum effectiveness in deterring misconduct and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.

If investigated today, there are two fundamental questions you would be required to answer:
  1. Is your corporation's compliance program well designed?
  2. Does your corporation's compliance program work?
When a court of law asks these questions, it may consider the following factors in establishing judgment:
  • Comprehensiveness of the compliance program (is it meeting industry best practice; is it aligned to the company's risk factors; does it work?).
  • Effectiveness of the compliance program: it cannot simply be a "paper program" but must be tested and "signed off" by independent auditors.
  • Was there a formal assessment of risk?
  • Did the company continuously monitor and assess risk with effective risk management programs?
  • Staffing expertise and numbers for auditing, documenting, analyzing, and executing compliance initiatives. Did their activities align to the corporation's risk?
  • What was the company?s commitment to a formal compliance-training program?
  • Extent and pervasiveness of criminal conduct.
  • Number and level of the corporate employees involved.
  • Seriousness, duration, and frequency of misconduct.
  • Remedial actions taken by the corporation, including restitution, disciplinary action, and revisions to corporate compliance programs.
  • Promptness of any disclosure of wrongdoing to the government and the corporation's cooperation in the government's investigation.
  • Existence of corporate governance mechanisms for effectively detecting and deterring misconduct.
Think of this in light of Company A and Company B. How would you grade their performance if you were an investigator?

Don't Wait for the First Conviction: Get Started with an Enterprise Risk Assessment
There have been no "legal" convictions under SOX to date. However, existing statutes and sentencing guidelines have been amended with tougher penalties, giving the SEC and the Department of Justice new enforcement authority.

For example, since 2002 the SEC has used increased powers to:
  • File over 199 financial fraud and reporting cases in fiscal 2003.
  • Suspend 32 companies from trading.
  • Seek asset freezes against individuals and companies in 36 cases.
  • Seek to bar 110 corporate executives and directors from again serving in publicly traded companies.
Justice Department prosecutors are using their increased powers to:
  • Obtain over 500 corporate fraud convictions or guilty pleas.
  • Charge over 900 defendants and over 60 corporate CEOs and presidents with some type of corporate fraud crime in connection with over 400 filed cases.
  • Obtain convictions of 11 Enron defendants, including its former CFO and treasurer, and seize over $161 million for the benefit of victims of the frauds at Enron.
Don't wait for the first SOX conviction to begin evaluating your enterprise risk.

"There are networking solutions available today, such as Reconnex's enterprise risk management platform, that enable companies to demonstrate adequate controls with respect to the safeguarding of company and third party confidential information that could be compromised by either intentional or careless disclosure," says Bochner of Wilson Sonsini Goodrich & Rosati.

Enterprise risk management solutions are now available that can show you, in less than 48 hours, whether or not the fears that keep management up at night are actually occurring within your organization. These solutions can be quickly and painlessly deployed because they use technologies that assess risk and misconduct where you are most exposed: your company's IT infrastructure.

Look for solutions that rapidly assess your risks and provide evidentiary support in the form of reports that will allow you to prove due diligence if investigated. The best long-term solutions offer forensic capabilities and report generation that help you quickly investigate unusual trends and keep secure electronic records of misconduct to show investigators, auditors, or senior management. Look for solutions that offer "out of the box" automated reporting templates that correlate to your operational risks, so they can be communicated effectively to senior management and auditors without a lot of explanation or expensive, customized development.

By following the seven steps to effective risk management with solutions that offer continuous corporate risk monitoring, you can avoid paying too much for compliance efforts that yield few results. Instead, you'll find that your compliance strategies actually pay off, and a lot quicker than you ever imagined.



Kimberly Getgen, Reconnex
Kimberly Getgen is VP of Strategy and Marketing and a founder of Reconnex Corporation, an information security company building products capable of detecting breaches of intellectual property. Getgen is a well-recognized spokesperson for raising awareness of information security, speaking at many international security conferences, including the RSA Conference and Internet World in the US, Europe and Asia, and writing a column on security for IBM. After completing a master's degree at Oxford University, Getgen worked at Compaq Federal as a consultant to the federal government. Getgen currently runs corporate marketing at Reconnex.

Prior to joining Reconnex, Getgen was the president and founder of Power Marketing Services, a marketing consulting firm which specialized in developing content and strategic marketing positioning for security technology companies. Previously, Getgen was product marketing manager at RSA Security, where she managed worldwide product launches, developed the company's wireless security product strategy and created new marketing programs to raise the visibility of the RSA BSAFE product line. Prior to RSA Security, Getgen worked for Compaq Computer Corporation, where she developed a business plan to launch Compaq Federal LLC's security services offering to the Federal Government.

Paul Reymann
Paul Reymann is the CEO of ReymannGroup, Inc., which has emerged as a national leader in providing knowledge, services, and software that help clients across multiple industries successfully navigate emerging regulatory, business, technology, and information security challenges.

Mr. Reymann is one of the nation's leading financial institutions regulatory experts and co-author of the Section 501 Gramm-Leach-Bliley Act data protection regulation. Mr. Reymann has more than eighteen years' experience in the financial services industry, including thirteen years with the Department of the Treasury's Office of Thrift Supervision (OTS) in Washington, D.C. There he guided the regulatory agency's technology risk management activities and authored several key regulatory directives and advisories on emerging risk management issues, including the industry's first regulatory directive on "Transactional Internet Banking."





© 2019 Simplex Knowledge Company. All Rights Reserved.