Executives have been batting around the concept of enterprise risk management (ERM) for a long time, certainly at least since I started in this job more than six years ago. Nonfinancial companies seemed to approach it as an almost academic endeavor: some rarefied view of an organization's thinkable and most unthinkable risks and the theoretical interfaces between those potential threats. Quantifying and then prioritizing exposures were always the biggest hurdles, and hurdles that often led companies to settle for something much less in their risk management.

That attitude may be changing (and should be changing) as we start to see that compliance activities can amount to more than a well-ordered pile of internal controls documentation. The Securities and Exchange Commission and the Public Company Accounting Oversight Board have now endorsed and, in fact, mandated a risk-based approach to Sarbanes-Oxley's Section 404. Now it is up to management to step up and implement more sophisticated programs of holistic risk management that integrate ERM not just into GRC, but into business operations. It may take some investment in solutions, as Alfa Corp.'s Connie Whitecotton discovered. And auditors may balk at having some of their newfound power usurped.

But ultimately, the battle is not just over lowering audit fees. The real beauty of Auditing Standard 5 is that it could eventually make compliance programs relevant to how a business actually performs. After four years of grousing, it's time to start making it work.
From the February 2008 issue of Treasury & Risk magazine