Part 4 – SOX Sustainability – A Business Process Issue
Creating, maintaining and operating a sustainable Sarbanes-Oxley compliance framework requires an understanding of the organization’s business processes. Without well-designed processes that build the compliance requirements in, the internal control assessment will always be an afterthought and a headache. If SOX compliance is not built into what the company does and how it normally operates, it will always require additional effort.
Let us consider a handful of
realities.
- SOX will not be a one-time thing. Although some of the §404 (the internal control section of the Sarbanes-Oxley law) rules have been relaxed, banks are in for years, if not decades, of internal control assessments. The SEC’s rationale for postponing §404 for small companies was to allow them more time to achieve an effective control universe efficiently rather than expensively. Most, however, have been hoping that lobbying efforts would relieve them of the need to comply at all.
- When people are forced to swallow additional workloads, they adapt, for better or worse. Adding something new requires dropping or changing something old. Whether or not you plan to change your internal processes to accommodate SOX, they will change anyway; the staff will see to that.
- Few banks are, or were, “pre-optimized” for SOX. That is, few if any companies were prepared to satisfy SOX requirements without losing a step along the way. Instead, they are meeting their initial compliance requirements by having their staffs do more than normal and by juggling priorities to get SOX done.
- Integrating new
technologies or software systems will
necessarily drive changes in internal
processes. What may not be apparent at first
glance is the extent to which processes will
change with the arrival of new system(s) and new
obligations.
Based on this, every bank faces inevitable change connected with SOX, whether it sees that change now or not, and whether it plans for it now or not. The changes may be obvious, substantial and fast, or they may be subtle, moderately widespread and periodic. But they will occur. The question is how best to plan for the process changes and to optimize them so that the business derives some performance benefit as they unfold. Change cannot be avoided; it can only be managed.
Management can either take the bull by the horns and determine where and how to evolve its processes (financial, disclosure, regulatory and operational), or it can allow those processes to evolve on their own timelines. Adaptive process changes made by individual staff members are seldom optimal for the organization at large. Treating SOX as something the organization can assimilate without planning and integration will likely breed control weaknesses and sub-optimization as the culture tries to swallow something it was not prepared to eat. Optimizing business processes today so that they deliver the goods efficiently and yield compliance as a by-product requires conscious choices, thoughtful integration, planning and, possibly, training.
The first step in determining
what process changes are appropriate is to perform a
critical assessment of those processes and methods
that the entity can readily assimilate (today). The
second step is a critical assessment of those
processes and methods that are important for the
organization two to five years downstream that the
organization should move toward. The third step is
a critical assessment of those capabilities and
processes that really should be handled from outside
for the foreseeable future. SOX is a business
challenge that requires its own solution and
integration timetable. Some things can and should
be done inside, and some should be done outside.
The trick is in determining the mix that is best for
the company.
Intrinsic Processes are those
that the organization handles today or can readily
handle tomorrow. Extrinsic Processes are those the
organization must outsource or stretch to
integrate. Processes that fit with the entity’s
native capabilities, talents and culture are easier
to integrate and sustain. However, bolt-on
processes (extrinsic) may be functionally necessary
if the entity presently lacks key capabilities or
technologies necessary to efficiently assimilate
certain compliance drivers. Over time,
well-conceived and implemented bolt-on processes can
become intrinsic. This past year many companies outsourced key compliance functions such as internal audit to satisfy §404 requirements because they lacked the necessary in-house internal audit resources. But going forward, does it make sense to bring internal audit into the culture or to leave it outside? Questions of this kind must be addressed if a company is to determine how to optimize itself for future control requirements.
Our Team
Our team comprises experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. Since the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.