James Lam preaches a religion sure to scare many corporate executives: that compliance with the Sarbanes-Oxley Act is just the beginning of the reforms corporate America needs to make.
Inspired by his tenure as chief risk officer for Fidelity Investments in the 1990s, Lam envisions a paradise of automated risk management—where companies can measure potential threats to their business and gauge how likely those risks are to occur.
Framed that way, SarbOx's focus on internal controls stands alongside operational risks such as environmental damage and financial risks such as currency exchange rates.
Still, for all the lofty goals enterprise risk management entails, Lam said executives must first solve a puzzle at the heart of IT and personnel management.
"How," Lam asked, "do you get to the information to develop a composite picture of the risk facing the company?"
"This is absolutely vital, because the alternative is adding more and more people to the end of a business process to manage risk," said Mark Lindig, head of KPMG LLP's information risk management practice. Considering the surge in regulations surrounding risk, such an approach is simply not feasible for large businesses. "You can't go through this year after year."
More and more companies are trying not to. Despite the exhaustion of SarbOx compliance efforts, a new wave of enterprise-risk projects is taking root. A few examples:
• Laclede Gas Co., a $1.2 billion gas utility in St. Louis, last year established a three-person "department of risk and control services" to graft lessons learned from SarbOx onto a broader effort to manage risk.
• Houston-based trash disposal company Waste Management Inc. just assigned its head of internal audit to conduct a companywide risk assessment this year.
• SCM Microsystems Inc., a $49 million maker of smart-card security systems in Silicon Valley, now uses its SarbOx compliance systems to tackle other risks such as hazardous-waste reduction.
The goal for these projects is identical: moving from manual processes that detect risks after a breach occurs to automated processes that prevent those risks from growing unchecked in the first place.
The trick is how to get there when responsibility falls across numerous corporate departments, and executives already face a dizzying array of tools to track the necessary data.
"I think it's appropriate to have a consolidated point of oversight, reporting at a very high level within the organization," said Ted Frank, president of Axentis Inc., a maker of governance software in Warrensville, Ohio. "Not to manage the process, but to define best practices and help guide the organization to the best decision."
No matter what the approach, IT executives can expect to find themselves in the cross hairs.
Elizabeth Hackenson said she found herself in the cross hairs at MCI Inc. last year. As CIO of the $20 billion long-distance carrier, she was instrumental in helping the company document its internal controls by year's end to comply with SarbOx—but she was not the executive in charge of the project. That responsibility fell to MCI's chief financial officer.
Hackenson said she acted more as a liaison and consultant, advising the CFO on how best to automate MCI's controls and leading the 250 IT employees assigned to the project.
For example, she said the CFO and his SarbOx specialists had decided that MCI had to restrict user access privileges based on a worker's job function. Then, Hackenson said, "he allowed me to figure out the solution from an IT perspective to implement those user controls."