Here’s a fact that bucks conventional wisdom: More shareholder value has been wiped out in the past five years as a result of mismanagement and bad execution of strategy than was lost because of all of the recent compliance scandals combined. This is a key finding of a recent Booz Allen Hamilton survey and analysis of the performance of 1,200 firms with market capitalizations of more than $1 billion for the five-year period from 1999 through 2003.
Consider the 360 worst financial laggards. Eighty-seven percent of the value lost by these firms was attributable to strategic missteps — management ineffectiveness in reacting to competitive pressures or forecasting customer demand — and operational blunders, such as cost overruns and M&A integration problems. Only 13 percent of the value destruction suffered by these companies was caused by regulatory compliance failures or was a result of poor oversight of company operations by corporate boards.
Still, the media went for the headlines on compliance debacles. And the Sarbanes-Oxley Act (SOX) — a legislative attempt to rein in rogue corporate activities through stringent new rules for governance, data integrity, and disclosure — was passed to help U.S. businesses move on from the Enron saga. Obviously, compliance is vital, and the Sarbanes-Oxley legislation can help. But it will do little to improve most firms' real risk profile.
Despite its reputation as a panacea for raising the bar on business governance, SOX is essentially a quality-control mechanism piggybacking on financial reporting systems. It does little to protect the strategic and operational elements that, according to Booz Allen’s survey, are the primary cause of shareholder value destruction. Because of this, the impact of SOX on management reforms to improve corporate performance has been disappointing: To insulate their boards and senior executives from extensive scrutiny, firms have ended up sacrificing growth and innovation for regulatory acquiescence.
In reacting to Sarbanes-Oxley with an exaggerated fear of risk exposure, many companies are tempted to reduce risk management to an expensive “box-checking exercise” in regulatory compliance. However, to thrive in the current business environment, companies need to do much more: They must be proactive in addressing risk by understanding and anticipating the full range of threats to their businesses. And they must embed risk management in strategic planning capabilities. These two processes are interdependent: Only when companies develop a risk management program that protects and enhances shareholder value can they eliminate unwanted earnings surprises and foster growth.
Recognizing that companies have to deal with SOX and manage for growth, executives must design a more robust and integrated strategic planning process built on a broad understanding of all risks to the business. Board directors and senior managers need to look beyond traditional risks — typically, capital credit and physical security — and anticipate earnings-driver risks and cultural risks, too. The specifics of such an ambitious risk management agenda will vary from company to company, but we have identified five imperatives for developing an effective program:
Define what constitutes “risk” and develop early-sensing mechanisms. Most companies need to expand their definition of risk beyond market, legal, and natural hazards. They need to consider threats that could have a long-term influence on company performance, such as customer churn, price pressure, and brand impairment. They also need to address weaknesses in organizational behavior, and the management and cultural factors that influence it, such as misaligned incentives, unethical conduct, and communications breakdowns. But identifying existing risks is only half the battle. Companies also need to institutionalize sensing mechanisms to anticipate emerging risks. An earnings-driver risk assessment, for example, identifies and prioritizes key demand and supply-side risks across the value chain.