Make risk management and internal control work for you: by tailoring an integrated, business-process-based template solution, small companies can address risks and controls in a cost-effective manner, whether or not SOX compliance is mandated

Strategic Finance, Dec, 2006 by R. Malcolm Schwartz

Smaller companies are avoiding risk management and internal control efforts because they hope that the Securities & Exchange Commission (SEC) won't require them to comply with the Sarbanes-Oxley Act (SOX). They are frightened by reports of the high cost of compliance activities, such as more than 2% of revenue reported for a $25-million revenue company.

But the reality is that SOX compliance doesn't have to cost a lot, as I'll demonstrate in the following guidance on how to do risk and controls management at a reasonable cost. This guidance is important to smaller companies, which generally have limited skills, experience, and tools for operating cost-effective internal control and risk management programs. A second reality is that risk and controls management is good for you and can provide substantial benefits whether SOX compliance is required or not. So, don't make controls and risk management dependent on whether you are obligated to comply.

For its cost, which can be reasonable, good risk and controls management has a pretty direct correlation with good performance. For example, several years ago, before SOX, a consumer products company used the Internal Control--Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to assess internal control in its five business units (remember that internal control in the COSO Framework begins with business-centric risk assessment). It found a direct correlation between control and performance. The poorest-performing unit was on the verge of being out of control and was sold shortly thereafter, primarily to cleanse the corporate portfolio of a major business risk.

This anecdote, which is supported by research, illustrates the relationship between control and performance. For example, a study conducted at the London School of Economics in 2005 by McKinsey and the Center for Economic Performance indicates that managers and their competencies and motivations--basic principles of good risk and controls management--are more important to how a company performs than other structural factors. In other words, mediocre control goes hand in hand with mediocre corporate results. The research notes that, in studying 18 management practices:

* One company used monitoring (one of the five components of control in the COSO Framework) to spur action only when output dipped. It then discontinued the monitoring when output rose, so there was no way to track performance with business objectives. This is consistent with Level 1 control, as defined in one of the tools I developed to apply the original COSO Framework effectively. The tool contains questions to ask about the five components in the COSO Framework and then provides four levels of answers to each question. Level 1 is applied to answers that indicate that the organization would only know it was out of control if it were told so by an outside party, such as a regulator or a reporter.

* A second company monitored performance indicators continually but didn't share this information with the operating personnel, depriving them and the company of improvement efforts. This is Level 2 control, which works adequately in periods of stability (and most organizations don't have the option of being in periods of stability).

* A third company set up display screens to show personnel where their performance ranked along with daily targets and other goals. Managers provided a monthly overview and summary, met with operating personnel every morning to discuss the previous day's performance and the current day's agenda, and used lunch breaks as opportunities for feedback on performance, achievements, and improvement opportunities. This is beyond Level 3 control (control in the face of change), and verges on Level 4 control (control capable of dealing with the unusual situations called "acts of God").

The research also indicates a statistically supportable correlation in performance among these companies. There are several lessons here: First, good people enable good performance. Second, sound management techniques incorporating management of risk and controls provide a setting for good people to perform better. Third, control as envisioned in the principles of the COSO Framework--beginning with a control environment of competent people, well-designed policies and procedures, effective communications, reinforced human resources policies, and risk assessment--is built into those techniques. Fourth, the techniques provide a focus for goals, for performance in the context of current practices, and for improving current practices. The result is a premium on working smarter, not working harder--and working smarter includes managing risks and controls cost effectively.

Whatever the SEC decides, make internal control and risk management work for you first. Then make it work for your auditors second, if at all.

THE RIGHT APPROACH

Now that we know risk and controls management is good for you, the next question is: Can it be less painful than is generally being reported? The answer is "yes." I'll show you a low-cost, high-value method that is worth implementing whether compliance is mandated or not. This "better way" is based on using a generic, integrated, business-process-based template and involves following a step-by-step implementation approach. To help illustrate the method, I'll also discuss a case study where a small public company used the template and approach. By the way, the cost of this application was in the area of several person-months of internal effort, a similar amount of some incremental consulting, and about $25,000 in software costs, which is nowhere near the millions of dollars and person-hours that are being reported for risk and controls management approaches. Basically, the steps for the right approach are:

 


Content provided in partnership with Thompson Gale