Risk Assessments for SOX and ERM: An Analysis

Enterprise Risk Management

By Jaclyn Jaeger

Ever wonder what the risk is that you’ve wrongly assessed how you’re supposed to do risk assessments?

Sarbanes-Oxley has certainly put the concept of analyzing risks at the forefront of most compliance executives’ minds. But many companies often conflate the idea of a risk assessment under SOX (or under the U.S. Sentencing Guidelines, for that matter) with enterprise risk management. If you’re in compliance with SOX risk assessments, this thinking goes, you’re “doing ERM,” and vice-versa.

In fact, experts tell Compliance Week, the two terms are very different.

“The phrase ‘ERM’ is being used for more than what it is,” says Kristina Stielau, a compliance manager at Teleflex, a $1.9 billion industrial parts manufacturer. “ERM

with potentially severe consequences for the ones that don’t. That has driven companies to focus only on their compliance risks (since those are the most immediate worries), “which is only one component of the overall risk profile that a business may be incurring,” says Richards.

Richard Cellini, head of marketing at compliance software firm Integrity Interactive, agrees. In fact, he stresses, […] SOX.

“Basically, a proper ERM program is a perfect marriage of the Sentencing Guidelines and Sarbanes-Oxley,” Integrity’s Cellini says. It requires companies to assess risks that are both criminal and civil, within a broad range of categories both financial and non-financial, he says.

    “Basically, a proper ERM program is a perfect marriage of the Sentencing Guidelines and Sarbanes-Oxley.”
    —Richard Cellini, Head of Marketing, Integrity Interactive

Another major difference is that while an ethics and compliance risk assessment can be an annual process under Sarbanes-Oxley, ERM should be a constant process since organizations change and new risks are always evolving, Richards says. “It’s not necessarily clear-cut, and that’s why it needs to be reviewed on an ongoing basis,” he says.

SOX as ERM Framework

But while a SOX risk assessment may be limited in scope, the elements that make it up can be used as a framework to apply more rigor to other areas of risk manage

Another best practice when thinking about ERM is to consider compliance with SOX Sections 302 and 404 as a single component of continuous reporting, “because the two are inextricably linked,” [Shawn Tebben] says. Section 404 governs internal controls over financial reporting, while Section 302 addresses “disclosure controls” to ensure that all corporate data that should be disclosed does get captured in company filings.
