Enterprise Risk Management
Unintended consequences
SOX appears to be antithetical to ERM goals
By Michael J. Moody, MBA, ARM
Even a quick review of the literature will show that enterprise risk management (ERM) appears to be acquiring a significant buzz within the risk management community. ERM’s unique holistic approach to risk management is gaining acceptance in a wide variety of industrial settings and is rapidly becoming the “best practices” approach for many corporations. The basic principle of the ERM approach is to view risks in their totality, for the entire organization. By doing so, companies are better able to effectively manage their risks, thereby affording themselves a competitive advantage.
While the ERM concept has been around for over 10 years, it initially got off to a slow start. And it was not until the passage of the Sarbanes-Oxley Act (SOX) in 2002 that ERM gained any real traction. SOX was passed in large part as a response to the troubling trend of financial reporting fraud at publicly held corporations in the United States. Several large corporate failures and subsequent scandals, including WorldCom and Enron, pointed out the extent of the financial reporting shortcomings. And while SOX has many different aspects, its primary objective was to expand federal regulations with regard to corporate governances for publicly traded companies. Another key aspect of the SOX legislation was that corporations had to identify their internal control procedures and then evaluate the effectiveness of the controls. While not a direct result of the legislation, many experts believe that it was the passage of SOX and its subsequent internal control requirements that provided the impetus for many corporations to begin their ERM programs.
Over and above these risk-related issues, SOX also imposed some strict new requirements on corporate officers and directors. For example, the chief executive officers and chief financial officers have to certify their corporation’s financial statements. Additionally, SOX significantly tightened the regulations of the organization’s auditors. Compliance with these specific requirements has been an ongoing process for most corporations since the effective date for SOX implementation.
Corporations have spent significant time and money in an attempt to comply with the SOX regulations. And for the most part, the regulations have successfully limited the financial fraud issues that had plagued U.S. corporations for the previous 10 years or so. And certainly the advancement of ERM has provided corporations with the ability to better manage their corporate risks. However, a recent study by several professors at the University of Pittsburgh suggests that the effects of SOX may not be in concert with the goals of ERM.
Corporate risk taking
The study, titled “Sarbanes-Oxley and Corporate Risk Taking,” includes data from more than 4,000 U.S. publicly traded corporations and reviews several key benchmarks regarding corporate risk taking. Among the major issues the study addresses are research and development spending, capital expenditures, and cash holdings. It provides a pre-SOX and post-SOX comparison. Additionally, the study provides similar benchmarking information for about 1,000 UK corporations over a comparable time frame. The study was presented publicly at the American Enterprise Institute in mid-June.
The authors of the study found that the ratio of research and development expenditures to assets for U.S. companies declined significantly following the passage of SOX, compared to the UK corporations. Additionally, a similar trend of rapid decline was observed for the ratio of capital expenditures to assets for U.S. corporations compared to UK organizations. On the other hand, the ratio of cash holdings to assets increased sharply for U.S. corporations following the passage of SOX. The cash holdings ratio declined for UK companies during the same time period.
Further, the study looked at the number of initial public offerings (IPO) after the passage of SOX. The study reviewed the IPO activity of firms in industries that are typically associated with high research and development expenditures. The study found that, as a group, these types of firms in the U.S. had significantly fewer IPOs following SOX. This contrasts greatly with the UK group that had little or no change in the percentage of IPOs offered. In fact, the study indicated that in the UK, the higher a firm’s R&D activity, the greater the increase in the probability the firm would go public.
Behind the numbers
Many people have strong feelings about SOX and its long-term role in business. Certainly the occurrences of financial statement wrongdoing have been greatly reduced. Today it is rare to hear about inappropriate information being included in the financial statements of publicly owned corporations in the United States. For the most part, this portion of the law has been successful, and given the prior lack of investor confidence that followed the rash of fraudulent reporting issues in 2000-2002, this is a meaningful result. But what was the true expense to achieve this goal?
Most of corporate America is well aware of the time and money (millions, if not billions of dollars) that was needed to implement the SOX regulations. However, the implementation costs are only a portion of the complete picture. Another significant change that came about as a result of SOX was the increase in outside, independent directors on many corporate boards, and this had costs associated with it as well. Corporations were required to have independent majorities on their board of directors. As a result, independent directors became more than a sounding board for management; they began to take a more active role in the overall management of the corporations. There were positive aspects of this action, to be sure. But in the long run, these directors are part-timers, who for the most part are unfamiliar with the details of the company’s business. And this lack of knowledge can naturally lead to a more cautious and conservative approach to business.
And while there can be a variety of reasons for the results of U.S. corporations compared to benchmarks outlined by the UK corporations, some reasons for the results are clear. Less R&D typically means that organizations are investing less in identifying new growth options than they did pre-SOX. Further, the scaling back on both R&D and capital expenditures, as opposed to holding significant amounts of cash is reflective of a non-operating, low-risk investment. All of these signs are consistent with companies that have reduced their risk-taking activities.
Conclusion
The results of the study advanced by several professors from the University of Pittsburgh and the American Enterprise Institute would appear to indicate that despite the noble goals of SOX, one of its unintended consequences has been to reduce corporate America’s risk-taking appetite. And for the most part, this is at odds with the goals and objectives of ERM. In fact, ERM is designed to assist corporations in assuming more risks through many of its strategic risk management techniques. The study’s results are quite compelling: SOX has impaired corporate risk taking.
Additionally, on a long-term basis, this action will leave U.S. businesses in a less competitive position and ultimately affect our position in the world economy. This, of course, is just the opposite of what ERM is trying to do.
Today, there is much debate about the continued need for SOX. Based on the results of the study, one would have to question the ongoing value of the SOX legislation and whether it should remain in its current configuration. But regardless of the SOX decision, it is clear that SOX compliance and ERM can no longer be viewed as moving along parallel tracks. Thus, combining ERM with compliance activities would appear to limit the overall effectiveness of ERM. *
The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved. |
|
|
|
|
Despite the noble goals of SOX, one of the unintended consequences has been to reduce corporate America’s risk-taking appetite. |
|