ERM: Building on Section 404
Originally Published: April 01, 2006
Completing initial compliance with Section 404 of the Sarbanes-Oxley Act does not, by itself, satisfy the requirements for fully implementing enterprise risk management (ERM). Most companies that have taken this first step have, however, developed more discipline and more control awareness within the business. The next important goal is to address the eight ERM components:
• internal environment,
• objective setting,
• event identification,
• risk assessment,
• risk response,
• control activities,
• information and communication, and
• monitoring.
The internal environment of a company sets the tone for how its employees perceive and respond to risk. It includes the way the company establishes its risk appetite and the integrity and ethical values it expects of its people.
ERM stresses the importance of setting objectives and aligning them with the organization's mission and risk tolerance. Before the risk management process can continue, events that could affect those objectives, whether their impact is positive or negative, must be identified. Risk assessment then determines how the identified risks should be managed. Under ERM, all business risks are considered rather than only the financial reporting risks that Section 404 addresses.
Communicating the risk management process and the responsibilities of all personnel is an important component of a successful program. Control activities are also monitored more closely under ERM, and organizations are encouraged to evaluate the quality of their controls rather than simply applying the pass/fail criteria used for Section 404. Essentially, companies must recognize the benefits ERM can deliver and have a compelling reason to adopt it. The real turning point for ERM will come when companies see these advantages and realize they need the competitive edge that closely monitoring all of their risks can provide.