Section 404 of the Sarbanes-Oxley Act has had a divergent effect on corporate risk management, a new survey has found.
On the one hand, individual risk management departments aren't much involved in the reporting process. At the same time, the law has served as a catalyst for the implementation of enterprise risk management strategies, according to the survey, which was released in August by Advisen Ltd.
While a total of 75 percent of survey respondents said that their company had a team responsible for overseeing the implementation of Section 404, for example, companies' risk management departments were represented on only 23 percent of those teams.
The question is, why?
"One reason risk managers have not been more involved may have to do with a lack of understanding within the organization of the risk management process and its potential application to Section 404 compliance," wrote David Bradford, editor in chief of "Advisen Briefing," which released the survey results.
Another reason has to do with the perceived differences between the job responsibilities of risk management departments and those of managers responsible for meeting the requirements of Section 404.
One survey respondent, cited by Bradford, wrote, "Sox 404 is about controls over amounts going into the financial statements. Risk management is about properly operating the company. You can have good controls over the financial statement process with or without monitoring risks properly or well."
While a number of companies' risk management departments weren't inclined to see their role as one in which they were required to "police" financial statements, Section 404, a passage only four paragraphs long, appears to have had a big impact.
"The control framework mandated by Section 404 has motivated some companies to implement enterprise risk management programs," wrote Bradford.
In addition, of the respondents who said their companies had or were planning to implement ERM programs, nearly 25 percent said their decision was sparked by the requirements of Section 404.
The survey was compiled from 380 responses from public and nonpublic firms to a July e-mail.
The Sarbanes-Oxley Act of 2002, passed in the wake of spectacular corporate failures embodied by Enron and WorldCom, cast corporate risk management departments in a new light but has come under criticism for imposing expensive and onerous rules out of proportion to the benefits it provides.
Partly as a result, the role of risk management in the application of Section 404 is still a work in progress, according to Bradford. With federal regulators backing off somewhat on the Section 404 requirements, particularly for smaller companies, risk managers are likely to find some reprieve.
But taking a more lenient stand may not be in the long-term interests of companies, as the law has forced risk management departments to institutionalize internal controls. Whatever the outcome of the implementation of Section 404, the role of the risk manager in Section 404 compliance is a "still-evolving story," wrote Bradford.
November 1, 2007
Copyright © 2007 LRP Publications