RISK WATCH COLUMN: SOX and Quack Governance

By Dr Alan Waring

 

Recent articles and correspondence in the Financial Mirror on the subject of corporate governance and Sarbanes-Oxley have prompted me to add to the discussion. As I am also about to jet off to the Far East to present a paper on ‘Avoiding Tunnel Vision and Quack Governance’ at the Economist/CFO Asia SE Asia Summit, the timing seemed just right.

 

— Comprehensive and Appropriate?

 

I believe that both Michael Olympios in his governance article referring to Sarbanes-Oxley and Nikolas Michailidis in his response have the best of intentions in proposing the Sarbanes-Oxley Act or a Cypriot version of it as a necessary instrument for good governance. However, may I refer to two of the key principles of good corporate governance:

– Ensure a comprehensive and effective system of internal controls to manage the significant risks to which the enterprise may be exposed

– Ensure that appropriate appraisals, audits, reviews and routine monitoring of internal controls take place at least annually.

I have emphasized ‘comprehensive’, ‘significant’ and ‘appropriate’ deliberately. Behind these general principles is an implicit need to protect not just finances but also corporate reputation and brand as well as other significant risk exposures. Share values, market confidence and willingness of other companies to engage with yours all depend on reputation and brand and ultimately the very survival of the organization may be challenged.

Broad-based internal controls are clearly necessary but particular approaches such as Sarbanes-Oxley and Basel II are very focused on finance, accountancy and counter-fraud protection. They do not deal with the vast array of other significant risk exposures typically encountered by large organizations. They are not comprehensive and not appropriate for all significant risk exposures. The narrow focus of SOX compliance may therefore create an illusion of protection regarding broad-spectrum enterprise risk.

 

— Lethal Exposures

 

Many of these other risks can be lethal to enterprises. Indeed, I have long argued that the root causes of collapses such as Enron, Barings, China Aviation Oil, Parmalat etc lay in complex interplays between people, organization and systems, with organizational culture and power relations as much as formal controls being at the core of the problem and its solution. For example, the case study on the Barings Collapse that Prof Ian Glendon and I did (in Managing Risk, 1998 ISBN 1-86152-167-7) showed just how critical HR risk exposures and lack of HR risk controls had been to the whole pre-collapse build-up. Questions included how it was possible for an individual (Nick Leeson) with no trading experience and a conviction for dishonesty to be employed by Barings at all let alone be left largely unsupervised and unchecked – and then be promoted! The ‘gung-ho’ cavalier attitude of the street-smart brokers in Barings Securities in Singapore was a world apart from the conservative bankers at Barings Brothers & Co in London.

 

— Horses for Courses

 

Often wider enterprise risks are marginalized or even ignored because they lie outside the qualifications and experience of those charged with addressing them. However, in other cases lip service is paid. Moreover, brave attempts by the accountancy world to ‘bolt on’ enterprise-wide non-accounting risk exposures and integrate them into Sarbanes-Oxley e.g. CoSO/Treadway Commission have been naïve and unconvincing. There is something perverse, if not dangerous, about individuals with qualifications and experience in, say, financial derivatives, internal audit or Basel II compliance deciding if and when professional advice and judgement on major hazards, supply chain risks, counter-terrorism, political risks, HR risks, intellectual property and the many other kinds of significant enterprise risk exposure are required – or worse still sallying forth themselves to render such advice and judgement. To make an analogy, who would find it acceptable for a heart surgeon to pontificate on brain surgery or gynaecology? Yet that is the kind of unsophisticated state of affairs prevalent in the SOX environment.

To avoid tunnel vision, therefore, organizations need a more sophisticated multi-disciplinary approach to Enterprise Risk Management (ERM) so that robust internal controls go far beyond those needed for financial probity alone. A beacon of hope exists where organizations establish not only a Board Audit Committee but also a Board Risk Committee, as is happening increasingly in the UK, Singapore and Hong Kong.

 

— SOX is not Salvation

 

As evidence of the growing disaffection and concern about SOX, Mr LeLand Graul, SEC Director of accountants BDO Seidman said at a meeting in Hong Kong last year that SOX had not prevented the Refco collapse, for example. He stated that in his opinion the more comprehensive and appropriate approaches in Europe and specifically the UK Turnbull/Combined Code probably give better protection to investors.

Prof Roberta Romano of Yale Law School has argued that SOX itself is flawed in its whole approach to accounting/finance protection let alone any consideration of wider risk exposures. She brands it as ‘quack governance’.  The time, cost and energy drain of ‘feeding the beast’ of SOX compliance can render an organization exhausted and antagonistic towards genuine Enterprise Risk Management. Many executives have been misled into believing that SOX and ERM are identical and, perhaps understandably, now have a jaundiced view of all risk management. To be sure, the financial audit companies have been adept at milking SOX for all it is worth and even creating variants such as J-SOX for Japan. However, it is now clear that many organizations no longer want to be ‘milked’ and have told their auditors that in future they will only accept the very basic SOX audits. The audit majors in the Far East, for example, are all reported to be scaling down their projected SOX revenues after a 5-year beano.

 

— Conclusions

 

To nurture a culture of responsible risk-taking and ensure long-term ERM and resilience, the tunnel vision and quack governance of narrow approaches to ERM must be avoided.

All large organizations need to consider the benefits to corporate reputation, brand, shareholder protection and public confidence from implementing corporate governance codes and the damage that may result from ignoring them. Implementation should not be dominated by ‘feeding the beast’ of compliance with particular instruments, such as SOX. Such tunnel vision may create an illusion of protection when it comes to the full array of Enterprise Risk exposures.

 

Dr Alan Waring is an internationally recognized risk management consultant and is Adjunct Professor at the HKBU Centre for Corporate Governance & Financial Policy, Hong Kong. Contact [email protected].

 

(c) 2007 Alan Waring