23 Jan Use operational controls to combat a down economy
Madison, Wis. – Challenging economic times call for bold actions and creative approaches to stay ahead of the competition, or perhaps even afloat. Profitability, strategy, revenue growth, client satisfaction, cash flows, and other operational objectives are often magnified by boards, creditors, and the investing community during economic downturns.
Unfortunately, much of the governance, risk, and compliance (GRC) efforts this decade have been geared towards the transparency, timeliness, and accuracy of financial reporting, due largely to the Sarbanes-Oxley Act of 2002 (SOX). While the integrity of financial reporting is obviously important, one consequence of SOX for many companies is the disproportional amount of energy spent on regulatory compliance as opposed to operational objectives.
To help ensure efficient and effective operations, companies are well advised to leverage the principles of GRC for operational purposes.
While there are many definitions of corporate governance, I define it as:
“The decision making process of directing, managing & monitoring a corporation with the goal of creating shareholder value while protecting the interests of stakeholders such as: customers, communities, creditors, suppliers, and regulators.”
The first part of this definition draws attention to decisions at the board, management, and auditing levels. A breakdown at any level can spell disaster. Consequently, companies need to have clear information, accountability, performance metrics, and controls in place to best make decisions in the interest of shareholders.
However, the second part of this definition does not let us forget about the external parties needed for success. This is where corporate responsibility comes into play by integrating stakeholders’ interest into the organization’s policies and actions. Companies are encouraged to draw into their governance process key stakeholders to develop “win-win” business cases in an effort to generate revenue, create operating efficiencies, and best attract capital.
Once accomplished, companies are empowered to move offensively in competitive markets and harness innovation through their corporate culture. The results typically include a stronger public image, greater customer loyalty, reduced employee turnover, healthy vendor relationships, and more favorable capital options.
There are a slew of risk assessment matrices, surveys, templates, questionnaires and checklists all geared towards helping companies standardize the risk-assessment process. While they can be helpful, be careful not to become blinded by the rigidity of some of these tools. This is oftentimes an area where simplicity is better than complexity. If the risk assessment process becomes too complex, the message and direction is often lost. The unnecessary layers also become time consuming and expensive. Assumptions are critical; therefore, invest adequate resources on them. Remember that your risk assessment conclusions are only as good as the information and assumptions that go into the process.
The “top-down, risk-based approach” preached by the SOX regulators should be applied to strategic decisions and operational objectives, not just financial-reporting objectives. A top-down approach evaluates controls in a sequential manner, starting with company-level controls and significant activities (e.g., boardroom leadership, culture, staff competencies, hiring practices, etc.), and then working down to relevant individual controls at the process or application levels. A risk-based approach simply focuses resources on the highest-risk areas. These approaches are interrelated and when appropriately used can be a powerful tool in managing operational risks.
Compliance is oftentimes thought of from the external standpoints of governmental regulations, legal requirements, and external audit activities. However, it is primarily the internal side of compliance that needs attention regarding operational objectives. Internal compliance is absolutely essential to help ensure successful operations and cost efficiencies. This includes evaluating the effectiveness of your supply chain, product or service quality, marketing activities, sales, customer service, human resources, information, communication, and many more areas. A company’s monitoring of internal compliance in these operational areas needs to be strong and directly tied to well-defined operational controls.
Operational controls must be clearly understood across the company to ensure accountability. A control is simply a policy, procedure, or supporting activity to help accomplish an objective. The Committee of Sponsoring Organizations (COSO) identified three objectives categories (operations, financial reporting, and compliance) through their Internal Control-Integrated Framework published in 1992. Although this control framework often is thought of in the context of financial reporting (thanks to SOX), it applies equally to operational objectives. Compound this with the fact that companies are not constrained to the inefficiencies of documentation and the external audit process triggered by SOX, and you have a powerful platform to build your operational controls.
In conclusion, companies should develop holistic programs that integrate boardroom leadership, enterprise risk assessment, management activities, and compliance controls. Companies are well advised to perpetually maintain a healthy balance of resources on all three objective categories of operations, financial reporting, and compliance.
Remember that SOX doesn’t care if you are making money, keeping clients happy, or meeting other operational objectives. Yet these operational areas are the essence of business and need to be at the forefront of attention. It is now more important than ever for a renewed focus on operational controls utilizing the disciples of GRC to help ensure success.
Recent articles by Ronald Kral
- Ron Kral: Independent oversight critical for long-term solution to financial crisis
- Ron Kral: Something more onerous than SOX? Try global accounting standards
- Ron Kral: Technology helps but the best way to reduce Sarbox cost is with people
This is an article reprint from the Governance Issues Newsletter, Volume 2009, Number 1, published on January 22, 2009. To automatically receive the newsletter, go to www.candelasolutions/newsletter and register. Or, send a request to firstname.lastname@example.org and we will register on your behalf.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC.
WTN accepts no legal liability or responsibility for any claims made or opinions expressed herein.