SOX Rocks, but Won’t Block Shocks
To protect shareholder value, companies must link risk management with strategic planning and avoid overreacting to regulatory compliance mandates.
Here’s a fact that bucks conventional wisdom: More shareholder value has been wiped out in the past five years as a result of mismanagement and bad execution of strategy than was lost through all the recent compliance scandals combined. This is a key finding of a recent Booz Allen Hamilton survey and analysis of the performance of 1,200 firms with market capitalizations of more than $1 billion for the five-year period from 1999 through 2003.
Consider the 360 worst financial laggards. Eighty-seven percent of the value lost by these firms was attributable to strategic missteps — management ineffectiveness in reacting to competitive pressures or in forecasting customer demand — and operational blunders, such as cost overruns and M&A integration problems. Only 13 percent of the value destruction suffered by these companies was caused by regulatory compliance failures or resulted from poor oversight of company operations by corporate boards.
Still, the media went for the headlines on compliance debacles. And the Sarbanes-Oxley Act (SOX) — a legislative attempt to rein in rogue corporate activities through stringent new rules for governance, data integrity, and disclosure — was passed to help U.S. businesses move on from the Enron saga. Obviously, compliance is vital, and the Sarbanes-Oxley legislation can help. But it will do little to improve most firms’ real risk profile.
Despite its reputation as a panacea for raising the bar on business governance, SOX is essentially a quality-control mechanism piggybacking on financial reporting systems. It does little to protect the strategic and operational elements that, according to our survey, are the primary cause of shareholder value destruction. Because of this, the impact of SOX on management reforms intended to improve corporate performance has been disappointing: To insulate their boards and senior executives from extensive scrutiny, firms have ended up sacrificing growth and innovation for regulatory acquiescence.
In reacting to Sarbanes-Oxley with an exaggerated fear of risk exposure, many companies are tempted to reduce risk management to an expensive “box-checking exercise” in regulatory compliance. However, companies need to do much more: They must be proactive in addressing risk by understanding and anticipating the full range of threats to their businesses. And they must embed risk management in strategic planning. These two processes are interdependent: Only when companies develop a risk management program that protects and enhances shareholder value can they eliminate unwanted earnings surprises and foster growth.
Recognizing that companies have to deal with SOX and manage for growth, executives must design a more robust and integrated strategic planning process built on a broad understanding of all risks to the business. Board directors and senior managers need to look beyond traditional risks — typically, capital credit and physical security — and anticipate earnings-driver risks and cultural risks, too. The specifics of such an ambitious risk management agenda will vary from company to company, but we have identified five components of an effective program:
Define what constitutes “risk” and develop early-sensing mechanisms. Most companies need to expand their definition of risk beyond market, legal, and natural hazards. They need to consider threats that could have a long-term influence on company performance, such as customer churn, price pressure, and brand impairment. They also need to address weaknesses in organizational behavior, and the management and cultural factors that influence it, such as misaligned incentives, unethical conduct, and communications breakdowns. Companies also need to institutionalize sensing mechanisms to anticipate emerging risks. An earnings-driver risk assessment, for example, identifies and sets priorities around key demand and supply-side risks.
Determine the risk agenda. After defining, identifying, and ordering risks, management needs to assess how capable the organization is of mitigating the most serious risks. Companies can establish an effective risk agenda by determining where high-priority risks are met with weak capabilities. This risk agenda can be used to align the actions of various company stakeholders, such as the risk committee, office of the chairman, and business or functional management.
Build and adapt the risk management architecture. This architecture must reflect the risk agenda and encompass corporate processes, organization, information tools, and culture. For example, a company that depends on a nimble, decentralized organization to succeed in its markets should consider having a risk management architecture that manages activities and accountability in a decentralized fashion, but is also supported by diligent central monitoring of results.
Integrate risk management with strategic planning. Companies must incorporate their risk management capabilities — such as better business intelligence and scenario planning — in the strategic process. Fundamentally, the same capabilities that mitigate risk enable a company to capture growth opportunities. For example, when a company identifies a competitor that is posing a specific threat to its strategic position, the tools that will help the company defend itself and enhance revenues and earnings are better market-sensing capabilities, improved product development, and more sophisticated strategic planning activities.
Adapt the agenda and architecture to changes in the risk environment. Any broad risk management system must be flexible. For example, if shifts in customer demand require a change in the company’s product mix, a good risk management system will anticipate the change and trigger a reassessment of the capabilities required to manage in the new environment that is implied by the new product mix.
Executing this program requires a shift from a “culture of compliance” to a “culture of confidence.” That is, it requires a cultural transition, from an exclusive focus on controls to an atmosphere in which managers can confidently choose, on the basis of robust analysis and strong corporate values, which strategic risks to take, which to mitigate, and which to avoid. By taking a diagnostic approach, companies not only avoid negative earnings surprises, but also save significant sums by targeting their investment on the central gaps in their strategic risk management capabilities.
Companies that are successful in establishing an effective risk management program are more likely to protect directors and officers against charges of lack of good faith, build stakeholder trust, capture opportunities, and improve corporate performance and shareholder value over the long run.
Paul Kocourek (kocourek_paul@bah.com) is a senior vice president with Booz Allen Hamilton in San Francisco. He focuses on the strategic transformation of companies facing changes in the competitive landscape or the regulatory environment.
Jim Newfrock (newfrock_jim@bah.com) is a principal with Booz Allen Hamilton in Parsippany, N.J. He specializes in business strategy and enterprise risk.
Reggie Van Lee (van_lee_reggie@bah.com) is a senior vice president with Booz Allen Hamilton in New York. He has extensive experience in developing and implementing major growth strategies and change programs for media and high-tech companies.