Effective compliance with Sarbanes-Oxley could require organisations to implement an enterprise risk management strategy, according to Anthony Sullivan

The Sarbanes-Oxley Act of 2002 (SOX) has elevated the profile of risk management within executive suites and boardrooms in the US. The potential imprisonment of the CEO and CFO for up to 20 years for faulty certification of financial reporting has focused management on the importance of accurate and complete financial statements and disclosure. Although a great deal of time and money [1] has been expended to assure the accuracy of financial statements, we believe that historical changes in the social, economic and legal environment in combination with traditional accounting practices and interpretations place management at risk of filing faulty certifications due to incompleteness. The issues of contingencies, disclosures, management discussion and analysis, probability and materiality are where risk management and SOX compliance intersect.

Some have suggested that compliance with SOX requires that an organisation establish an enterprise risk management (ERM) system. Although SOX does not explicitly mandate ERM, and on the surface seems to be restricted to accounting and financial reporting [2], there are issues buried within the Securities Exchange Commission (SEC) rules and interpretations and the Financial Accounting Standards Board (FASB) standards that implicitly necessitate at least partial ERM.

SOX did not begin with Enron, Arthur Andersen and WorldCom. SOX is one step in an evolutionary process tending towards a regulatory requirement for comprehensive, coordinated management of risk across the entire enterprise (ERM). It is but one regulatory manifestation of a broad historical change in the governance of corporations driven by the democratisation of corporate ownership [3].


There are eleven sections to SOX. We will restrict discussion to the three sections that impact upon the practice of risk management:

- Section 302 requires that the CEO and CFO certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer."

- Section 404 requires an annual report by management regarding the adequacy and effectiveness of internal controls over the financial reporting.

- Section 906 establishes criminal penalties for a CEO or CFO knowingly or wilfully filing false certifications.

Within the universe of risk that an organisation must manage, financial reporting is only a subset of the information risks. How can a requirement for accurate accounting and financial reporting translate into a need for ERM? The answer lies within the purpose and meaning of financial reporting.

Both the purpose and meaning are broader than most people assume.

Accounting is primarily concerned with the past [4]. Although this is true, it is not the whole story. We need to return to the basic purpose of financial reporting to understand the issues of concern and the risk to executive management in the new environment.

The purpose of the vast layering of laws, rules and accounting standards that underlie SOX is twofold:

- to provide investors with accurate and complete information on the current financial condition of the company; and

- to provide investors with material information that will allow them to judge whether the financial information is suitable for projecting future results [5].

Although there is common agreement concerning the desirability of the first objective, a strong dialectic tension exists regarding the second objective. Accountants and the executive management they report to do not like being forced to predict the future. Many of the basic accounting standards were codified in the mid-1900s, when the social, economic and legal pressures for corporate accountability and transparency were weak, but not non-existent.


Three forward-facing reporting requirements are included in the meaning of financial reporting:

- Contingencies;

- Disclosures; and

- Management discussion and analysis.

Traditionally the impact of these requirements has been diluted by the use of ambiguous non-definitions of probability and materiality.

Perhaps the most important intersection between certification of financial reporting and risk management occurs in the requirements for accruing and disclosing contingencies. "A contingency is defined as an existing condition, situation, or set of circumstances involving uncertainty as to possible gain or loss to an enterprise that will be ultimately resolved when one or more future events occur or fail to occur." [6]

A loss contingency is accrued against income when both of two conditions are met: first, information available prior to issuance of the financial statements indicates that it is probable that an asset had been impaired or a liability had been incurred at the date of the financial statement; and second, the amount of loss can be reasonably estimated.

If no accrual is made for the loss contingency because one or both of the conditions are not met, but there is at least a reasonable possibility that a loss may have been incurred, it must be disclosed. Note the key role played by probability in determining whether a contingency is accrued, disclosed or ignored.

FAS No. 5 makes the following definitions of probability:

- Probable - the future event is likely to occur.

- Reasonably possible - the chance of the future event occurring is more than remote, but less than likely.

- Remote - the chance of the future event occurring is slight.

If you look "likely" up in the dictionary, you will find that it means probable; check "slight" and you will find "remote". What we have is an ambiguity sandwiched between two tautologies. All that can be said is that the three labels lie somewhere between certain and never. These non-definitions are used to avoid making accruals and disclosures.

Although "Risk of loss or damage of enterprise property by fire, explosion or other hazards" is listed as an example of a loss contingency at the beginning of the Statement, elsewhere in the Statement it is declared an example of what cannot be considered a loss contingency. The reasons given are that these events are random in their occurrence, that there is no relationship between these events and the activities of the enterprise prior to their occurrence, and that no asset is impaired prior to their occurrence.

However, fire, explosion and other similar hazards are not random, nor are they unrelated to the activities and condition of the enterprise prior to their occurrence. The assets are also impaired in the sense that they contain deficiencies; the only uncertainty is when, and by how much, their value will be diminished. It is also possible to identify the deficiencies and estimate the likelihood and severity of the impact.


Sections 302 and 906 require that material contingencies and disclosures of future uncertainties be certified. Section 404 requires that you report on the adequacy and effectiveness of your internal controls. Contingencies and disclosures are the intersection with risk management, because they involve managing uncertainty. How can you make these certifications and reports without at least a partial ERM system to identify and measure the future uncertainties?

We say partial ERM because, although SOX requires that you report that the house is on fire and that it is likely to burn down, it does not require that you call the fire department, nor pick up a water hose and put it out. Identifying and assessing the risks that are embedded within the financial reporting requirements is expensive, but adds no value other than the avoidance of regulatory fines. Taking the next step and doing something to control the risk is where value is created.


An Enterprise Risk Management system should have three goals that are intimately involved in the management of value-creating opportunities:

- to protect the organisation from existential risks that prevent it from achieving its objectives.

- to increase the efficiency and effectiveness of operations by decreasing frictional costs associated with risks and by optimising the allocation of resources.

- to increase opportunities by bringing the associated risks within the organisation's risk appetite.


Talk to an accountant for 10 minutes and you will hear the word "material" a half dozen times. It is the central concept regarding disclosure. What does material mean? The following three definitions are utilized in the US [10]:

- SEC - "Materiality concerns the significance of an item to users of a registrant's financial statements. A matter is 'material' if there is a substantial likelihood that a reasonable person would consider it important."

- FASB - "A matter is material enough to report if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the report would have been changed or influenced by the inclusion or correction of the item."

- US Supreme Court - "A fact is material if there is substantial likelihood that the fact would have been viewed by the reasonable investor as having significantly altered the 'total mix' of information made available."

Note that again we have an ambiguous definition. What is worse is that it relies on after-the-fact second-guessing by "reasonable" people.

The risk is that ambiguity is a double-edged sword. Most organisations deal with complex issues involving major uncertainty, making judgment calls difficult. Before the calamitous event the ambiguity lures you into complacency and rationalisation of non-disclosure, but after the losses mount and the mob is looking for someone to blame, a reasonable person is hard to find. That non-material non-disclosure is, after the loss, obviously material. The refinements of complex judgment fail to be appreciated by prosecutors, press and juries.


SOX is indeed a backdoor to ERM. Financial reporting involves more than a quarterly report of past profit or loss. It requires an evaluation of uncertainties regarding contingencies and conditions or circumstances that jeopardise the ability of current assets and operations to produce future cash flow. Only a systematic approach to identification and assessment of risks will provide executive management and the board with the assurances that they need to certify financial reporting and internal control effectiveness.

However, a minimalist approach to SOX adds little or no value.

At Willis we define ERM as: "A systematic approach to managing the risks associated with opportunities in a consistent, coordinated fashion across the entire organisation."

Such an approach not only provides the assurances that management needs, but also creates value. SOX requires that you step up onto the back porch.

A desire to realize value will compel organizations to take the extra step and enter through the door.

Anthony F Sullivan is senior vice president at Willis.


Company A produces a Net Operating Profit After Tax (NOPAT) of $1 per share utilising a modern, well managed and well protected plant. The customer environment is such that a 100% loss of the plant for one year will put the company out of business permanently. Analysis of current conditions indicates that the probability of such a loss is 1 in 1000 years.

Company B also produces a NOPAT of $1 per share, utilising a decrepit, high hazard, poorly managed plant. The customer environment is such that a 100% loss of the plant for one year will put the company out of business permanently. Analysis of current conditions indicates that the probability of such a loss is 1 in 50 years.

Standard No. 5 is vague as to whether either Company A or B should accrue the contingent loss, although the balance of the argument appears to lean toward non-accrual and possibly non-disclosure.

Consider (without limitation):

- How many firms disclose deficiencies that put income-generating assets or operations at risk?

- As an investor do you believe knowing the difference in the quality of the corporate assets and continued likelihood of the existence of those assets would be important in making an investment choice between the two companies?

- Do you believe a sharp lawyer or ambitious prosecutor could argue that Company B failed to make a material disclosure?

Section 302 requires not only certification of the appropriateness of the financial statements, but also of the disclosures. In its rule-making discussion the SEC states that it is necessary to have senior officers certify material non-financial information [7].

Further clarification is provided by FASB: "Financial reporting should provide information to help investors in assessing the amounts, timing and uncertainty of prospective net cash inflows to the enterprise." [8]

The SEC summarises the disclosure requirement succinctly: "One of the principal objectives of MD&A is to provide information about the quality and potential variability of a company's earnings and cash flow, so that readers can ascertain the likelihood that past performance is indicative of future performance." [9]

It is not enough to provide accurate and complete financial statements.

You also are required to disclose any circumstances that could materially affect future performance. You are not required to predict events beyond your possible knowledge, but are required to report circumstances that should be within your knowledge.
