Too Much SOX Can Kill You - Booz Allen Hamilton

Too Much SOX Can Kill YouResolving the Compliance ParadoxIn recent years, corporate missteps have wipedout hundreds of billions in shareholder valuein industries ranging from telecom to energy tohealthcare. CEOs have lost their jobs. Investorshave lost their money. Employees, suppliers, andcustomers have lost their livelihoods. Most important,the marketplace has lost its confidence inthe effective stewardship of corporate assets. Theresult has been an onerous wave of regulatoryreform that threatens to hinder growth and innovation,as boards and senior executives scramble tocomply and insulate their firms from scrutiny. Isthis new, more stringent environment an overreactionto the damage done by a few bad apples, oris the rotten fruit a symptom of a systemic flawin the governance mechanisms of modern corporations?According to our research and clientexperience, the problem runs deeper than a fewbad apples. It reflects fundamental deficiencies inexisting approaches to corporate risk governance.Even the Best Aren’t Good EnoughBooz Allen Hamilton recently completed a cross-industrybenchmarking study of leading practitioners in thefield of enterprise risk management and discovered thateven these exemplars have fallen short in developinga governance agenda and architecture that effectivelyanticipates some of the most significant risks to theirbusiness. While they may have advanced capabilities inone area—generally in their core business—their systemsand processes are often not as well developed in others.And, almost universally, companies fail to look beyond thetraditional “downside” risks to their business to considerand incorporate the “upside” risks (e.g., missed growthopportunities) as well. Many companies have yet toachieve a corporate culture that strikes the right balancebetween control and innovation. The challenge they faceis developing a risk governance program that both protects(i.e., eliminates earnings surprises) and enhances(i.e., fosters growth) shareholder value.Too Much SOX Can Kill YouThe temptation in reacting to Sarbanes-Oxley and otherrecent regulatory requirements is to reduce risk managementto a “box-checking” activity, an expensive andresource-intensive compliance exercise. That sort ofnarrow and defensive approach constrains a company’sability to innovate and grow in today’s networked, nonstopglobal economy. To thrive, companies need toadopt a more forward-looking perspective and build betterlinkages between their strategic planning and riskmanagement systems and processes. Only then canthey foster strong yet smart growth.Compliance Is Not the CulpritThe truth is: More shareholder value has beendestroyed in the past five years as a result of strategicmismanagement and poor execution than was lostin all of the recent compliance scandals combined.Recently, Booz Allen analyzed 1,200 firms with marketcapitalizations over $1 billion for the five-year period

2Exhibit 1The Real Risks to Shareholder Value Lie in Strategy and Execution 4 4 4 Source: Booz Allen Hamiltonfrom 1999 through 2003 and identified the poorestperformers—the 360 companies that trailed the lowest-performingindex for that period, the S&P 500 (seeExhibit 1). Only 13 percent of the value destroyed bythese companies resulted from compliance failures;the other 87 percent was attributable to strategic andoperational blunders. Clearly, boards and managementdo not effectively understand and anticipate thefull range of risks to their business, nor do they havethe systemic capabilities to isolate and evaluate all ofthem. To manage for growth, companies must embedrisk management in the strategic planning capability;they cannot be independent processes. That suggestsa more robust and integrated strategic planningprocess built on a broader understanding of all risksto the business—both downside and upside. Boarddirectors and senior managers need to look beyond traditionalrisks (e.g., credit, physical security) and anticipateearnings driver risks and cultural risks, as well(see Exhibit 2, page 3). Of course, taking this moreexpansive view is difficult at even the most well-managedcompanies. How do companies drive growth whileactively addressing an expanded spectrum of risks?Five Imperatives of Good Risk GovernanceWhile the specifics of the risk management agendaand architecture will vary from company to company,our market experience suggests five imperatives fordeveloping an effective risk governance program, onethat fosters growth while managing risk.Define what constitutes “risk” and develop early-sensingmechanismsMost companies need to expand their definition of“risk” beyond the traditional (e.g., financial, legal, market,natural hazard) and consider threats to earningsdrivers (e.g., customer churn, price pressure, brandimpairment), as well as cultural risks (e.g., misalignedincentives, unethical behavior, communications breakdowns).A comprehensive view of risk should includethe perspectives of all stakeholders along every link ofthe value chain (see Exhibit 3, page 4).Of course, identifying existing risks is only half thebattle. Companies also need to institutionalize sensingmechanisms that anticipate and address these risks. Anearnings driver risk assessment, for example, identifiesand prioritizes key demand and supply-side risks acrossthe value chain. Cultural risks, while less tangible, are

3Exhibit 2Enterprise Resilience View of Risk4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 Source: Booz Allen Hamiltonincreasingly significant—even the most sophisticatedcontrols and processes break down when behavior isnot consistent with strategic and risk managementobjectives. Cultural risks, their underlying drivers, andmanagement mechanisms to address them can beisolated with a comprehensive diagnostic tool.Determine the risk agendaThe risk agenda dictates “what you focus on.” Afterdefining and identifying risks, the board and seniormanagement of a company need to establish acommon understanding of risk priorities and materiality,which they can then translate into an agenda.Benchmarking leading practices provides a basis foridentifying the gaps in the risk agenda and translatesopportunities into specific recommendations (seecase study, page 5).Build/adapt the risk management architectureThe risk management architecture lays out thecapabilities needed to manage risk and encompassesthe processes, organization, information/tools, andcultural elements. The architecture is built with the riskDoes your risk management system supportyour growth agenda? Transparent: Does it provide insight intomaterial risks and efforts to manage them? Strategic: Is the approach aligned to corporatestrategy and linked to strategic planning? Aligned: Is risk management activity alignedto board and management risk agendas? Anticipatory and adaptive: Does theapproach provide early warning of emergingrisks, and the ability to adapt rapidly tochange? Optimized: Are risk management investmentsoptimized based on strategic goals? Disciplined: Does the program ensure businessdiscipline and internal controls? Embedded in culture: Is there a commonvision for risk taking and risk management?

5Case Study: Rapid Risk Management DiagnosticA major Fortune 100 company was shifting strategic direction and adopting a more aggressive growth orientation.While its existing risk management systems were highly disciplined, developed, and tied into thestrategic planning process, their focus was insufficiently comprehensive and forward-looking to anticipateall the risks to the company’s business. The company was about to invest in a million-dollar enterprise riskmanagement program, but it was unnecessary given the strong practices already in place.Instead, Booz Allen executed an expedited risk management diagnostic, benchmarking the client’s existingcapabilities and plans against its database of leading practices. Gaps were identified in the company’s riskmanagement agenda and architecture. The result is a highly targeted set of recommendations: Adopt a stakeholder view of strategic risk Align risk management investments with risk priorities Link risk management to strategic planning Adapt the culture to better balance traditional risk aversion with a more growth-oriented mindsetThe company prioritized for implementation a select set of capabilities critical to managing growth (e.g.,strategic risk identification and assessment, risk-sensing capabilities, linkage between risk management,and strategic planning). The result: a closer linkage between the company’s risk and strategic agendas, aboard more comfortable that management is effectively controlling both downside and upside risk, and considerablesavings in terms of time and money.What Booz Allen BringsBooz Allen Hamilton has been at the forefront of managementconsulting for businesses and governmentsfor 90 years. Booz Allen, a global strategy and technologyconsulting firm, works with clients to deliver resultsthat endure.With more than 15,000 employees on six continents,the firm generates annual sales of $2.7 billion. BoozAllen provides services in strategy, organization, operations,systems, and technology to the world’s leadingcorporations, government and other public agencies,emerging growth companies, and institutions.To learn more about the firm, visit the Booz AllenWeb site at www.boozallen.com. To learn moreabout the best ideas in business, visit www.strategybusiness.com,the Web site for strategy+business, aquarterly journal sponsored by Booz Allen.Contact Information:SAN FRANCISCONEW YORKMCLEANPARSIPPANYPaul KocourekSenior Vice President415-627-3367kocourek_paul@bah.comReggie Van LeeSenior Vice President212-551-6421van_lee_reggie@bah.comChris KellyVice President703-377-4301kelly_chris@bah.comJim NewfrockSenior Director973-630-6789newfrock_jim@bah.comDownloadable digital versions of this article and other Booz Allen Hamilton publications are available from www.boozallen.com.

Worldwide OfficesAbu DhabiCharles El-Hage971-2-6-270882BrisbaneTim Jackson61-7-3230-6400FrankfurtRainer Bernnat49-69-97167-0MadridMercedes Mostajo34-91-411-8450ParisBertrand Kleinmann33-1-44-34-3131ShanghaiEdward Tse86-21-6100-1696AmsterdamPeter Mensing31-20-504-1900Buenos AiresIvan De Souza54-1-14-131-0400GöteborgAnders Sewerin46-31-725-93-00McLeanMartin J. Bollinger703-902-3800PhiladelphiaMolly Finn267-330-7900StockholmJan-Olof Dahlén46-8-506-190-00AtlantaJoe Garner404-659-3600CaracasJosé Gregorio Baquero58-212-285-3522HelsinkiTimo Leino358-9-61-54-600MelbourneTim Jackson61-3-9221-1900Rio de JaneiroPaolo Pigorini55-21-2237-8400SydneyTim Jackson61-2-9321-1900BangkokTim Jackson66-2-653-2255ChicagoChris Disher312-346-1900Hong KongEdward Tse852-2251-8892Mexico CityAlonso Martinez52-55-9178-4200RomeFernando Napolitano39-06-69-20-73-1TampaJoe Garner813-281-4900BeijingEdward Tse8610-8520-0036ClevelandMark Moran216-696-1900HoustonMatt McKenna713-650-4100MiamiAlonso Martinez305-670-8050San DiegoFoster Rich619-725-6500TokyoSteve Wheeler81-3-3436-8631BeirutCharles El-Hage961-1-336433Colorado SpringsGlen Bruels719-597-8005JakartaTim Jackson6221-577-0077MilanEnrico Strada390-2-72-50-91San FranciscoBruce Pasternack415-391-1900ViennaHelmut Meier43-1-518-22-900BerlinRene Perillieux49-30-88705-0CopenhagenTorsten Moe45-33-18-70-00Lexington ParkNeil Gillespie301-862-3110MunichRichard Hauser49-89-54525-0SantiagoLeticia Costa562-445-5100WarsawReg Boudinot48-22-630-6301BogotáJaime Maldonado57-1-628-5050DallasTim Blansett214-746-6500LondonShumeet Banerji44-20-7393-3333New YorkDavid Knott212-697-1900São PauloLetícia Costa55-11-5501-6200WellingtonTim Jackson64-4-915-7777BostonJohn Harris617-428-4400DüsseldorfThomas Kuenstner49-211-38900Los AngelesTom Hansson310-297-2100OsloKarl Høie47-23-11-39-00SeoulJong Chang82-2-2170-7500ZurichJens Schädler41-1-20-64-05-020040051/10/04 PRINTED IN USA©2004 Booz Allen Hamilton Inc.