
It's Time to Take Your SOX Off
By Paul Kocourek, Jim Newfrock, and Reggie Van Lee
http://www.strategy-business.com/resilience/rr00014?tid=230&pg=all
To protect shareholder
value, companies must link risk management with strategic
planning and avoid overreacting to regulatory compliance
mandates.
Here’s a fact
that bucks conventional wisdom: More shareholder value has been
wiped out in the past five years as a result of mismanagement
and bad execution of strategy than was lost because of all of
the recent compliance scandals combined. This is a key finding
of a recent Booz Allen Hamilton survey and analysis of the
performance of 1,200 firms with market capitalizations of more
than $1 billion for the five-year period from 1999 through 2003.
Consider the 360
worst financial laggards. Eighty-seven percent of the value lost
by these firms was attributable to strategic missteps —
management ineffectiveness in reacting to competitive pressures
or forecasting customer demand — and operational blunders, such
as cost overruns and M&A integration problems. Only 13 percent
of the value destruction suffered by these companies was caused
by regulatory compliance failures or was a result of poor
oversight of company operations by corporate boards.
Still, the media
went for the headlines on compliance debacles. And the
Sarbanes-Oxley Act (SOX) — a legislative attempt to rein in
rogue corporate activities through stringent new rules for
governance, data integrity, and disclosure — was passed to help
U.S. businesses move on from the Enron saga. Obviously,
compliance is vital, and the Sarbanes-Oxley legislation can
help. But it will do little to improve most firms' real risk
profile.
Despite its
reputation as a panacea for raising the bar on business
governance, SOX is essentially a quality-control mechanism
piggybacking on financial reporting systems. It does little to
protect the primary strategic and operational elements that,
according to Booz Allen’s survey, are the primary cause of
shareholder value destruction. Because of this, the impact of
SOX on management reforms to improve corporate performance has
been disappointing: To insulate their boards and senior
executives from extensive scrutiny, firms have ended up
sacrificing growth and innovation for regulatory acquiescence.
In reacting to
Sarbanes-Oxley with an exaggerated fear of risk exposure, many
companies are tempted to reduce risk management to an expensive
“box-checking exercise” in regulatory compliance. However, to
thrive in the current business environment, companies need to do
much more: They must be proactive in addressing risk by
understanding and anticipating the full range of threats to
their businesses. And they must embed risk management in
strategic planning capabilities. These two processes are
interdependent: Only when companies develop a risk management
program that protects and enhances shareholder value
can they eliminate unwanted earnings surprises and foster
growth.
Recognizing that
companies have to deal with SOX and manage for growth,
executives must design a more robust and integrated strategic
planning process built on a broad understanding of all risks to
the business. Board directors and senior managers need to look
beyond traditional risks — typically, capital credit and
physical security — and anticipate earnings-driver risks and
cultural risks, too. The specifics of such an ambitious risk
management agenda will vary from company to company, but we have
identified five imperatives for developing an effective program:
• Define
what constitutes “risk” and develop early-sensing mechanisms.
Most companies need to expand their definition of risk beyond
market, legal, and natural hazards. They need to consider
threats that could have a long-term influence on company
performance, such as customer churn, price pressure, and brand
impairment. They also need to address weaknesses in
organizational behavior, and the management and cultural factors
that influence it, such as misaligned incentives, unethical
conduct, and communications breakdowns. But identifying existing
risks is only half the battle. Companies also need to
institutionalize sensing mechanisms to anticipate emerging
risks. An earnings-driver risk assessment, for example,
identifies and prioritizes key demand and supply-side risks
across the value chain.
• Determine the risk agenda. After defining, identifying,
and prioritizing risks, management needs to assess how capable
the organization is of mitigating the most critical risks.
Companies can establish an effective risk agenda by determining
the intersection of high-priority risks with weak capabilities.
This risk agenda can be used to align the actions of various
company stakeholders, such as the risk committee, office of the
chairman, and business or functional management.
• Build
and adapt the risk management architecture. This
architecture must reflect the risk agenda and encompass
corporate processes, organization, information tools, and
culture. For example, a company that depends on a nimble,
decentralized organization to succeed in its markets should
consider having a risk management architecture that manages
activities and accountability in a decentralized fashion, but is
also supported by diligent central monitoring of results.
• Integrate risk management with strategic planning.
Companies must incorporate their risk management capabilities —
such as better business intelligence and scenario planning — in
the strategic planning process. Fundamentally, the same
capabilities that mitigate risk enable a company to capture
growth opportunities. For example, when a company identifies a
competitor that is posing a specific threat to its strategic
position, the tools that will help the company defend itself and
enhance revenues and earnings are better market-sensing
capabilities, improved product development, and more
sophisticated strategic planning activities.
• Adapt
the agenda and architecture to changes in the risk environment.
Any broad risk management system must be flexible and responsive
enough to adjust quickly to changing market dynamics. For
example, if shifts in customer demand require a change in the
company’s product mix, a good risk management system will
anticipate the change and trigger a reassessment of the
capabilities required to manage in the new risk environment
implied by the new product mix.
Executing these
imperatives requires a shift from a “culture of compliance” to a
“culture of confidence.” That is, it requires a cultural shift
from an exclusive focus on controls to an atmosphere in which
managers can confidently choose, on the basis of robust analysis
and strong corporate values, which strategic risks to take,
which to mitigate, and which to avoid. By taking a diagnostic
approach, companies not only avoid negative earnings surprises,
but also save significant sums by targeting their investment on
the key gaps in their strategic risk management capabilities.
Companies that
are successful in establishing an effective risk management
program are more likely to protect directors and officers
against charges of lack of good faith, build stakeholder trust,
capture opportunities, and improve corporate performance and
shareholder value over the long run.
Author Profiles:
Paul
Kocourek (kocourek_paul@bah.com)
is a senior vice president with Booz Allen Hamilton in San
Francisco. He focuses on the strategic transformation of
companies facing changes in the competitive landscape or the
regulatory environment.
Jim Newfrock
(newfrock_jim@bah.com)
is a principal with Booz Allen Hamilton in New Jersey. He
specializes in business strategy and enterprise risk.
Reggie Van
Lee (van_lee_reggie@bah.com)
is a senior vice president with Booz Allen Hamilton in New York.
He has extensive experience in developing and implementing major
growth strategies and change programs for media and high-tech
companies.