I am Sarbanes-Oxley (SOX) or Model Audit Rule (MAR) compliant. Why do I need ERM?

You need ERM because financial reporting risk management doesn’t cover all of your risks!

Financial Reporting Versus Four Broad Categories of Risk

A popular methodology for implementing ERM is the Commission on Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) Framework.  This framework builds on the COSO Internal Controls Framework (ICF) used by many organizations as the basis for their SOX 404 implementations.  The common depiction of the methodologies is via the following cubes.

COSO ERM methodology deals with four categories of objectives versus three for ICF:

1. Strategic – High-level goals designed to support the enterprise’s mission or vision. (New)
2. Operations – Efficiency of operations, including achievement of performance goals and safeguarding against loss.
3. Reporting – Reliable reports. (Not just financial reporting)
4. Compliance – Compliance with laws and regulation.

These categories highlight the first major difference between SOX/MAR and ERM.  The risks and control objectives for SOX/MAR only relate to the financial reporting category of ICF.  For an ERM implementation, this is a sub-category of the reporting category.  Frequently companies also have compliance departments to address compliance risks, a strategic planning process for strategic risks and various operational processes for dealing with operational risks.  ERM will pull these disparate processes together as one.

Material Misstatement versus Threats and Opportunities

The second major difference relates to event identification and risk response.  For SOX/MAR, you identify events that may have a material impact upon the financial statements and respond with controls to provide reasonable assurance that the events do not occur.  For ERM, you consider internal and external events and their impact on the achievement of objectives.  This process includes both threats and opportunities providing for a full portfolio of risks.  Does this also happen in your other risk assessment processes?

A participant in my COSO ERM class is leveraging their SOX implementation base to implement ERM.  He affirmed that ERM is much broader and requires pulling together of disparate risk management processes.  The good news is that he is successfully leveraging the base infrastructure implemented for SOX.

I challenge you to brainstorm risks in the company unrelated to financial reporting and then note the process currently used to address the risks.  Let me know if you find any falling through the cracks.

For more information on the COSO ERM methodology, contact Elaine Nissley at ENissley@macpas.com.