Enterprise Risk Management
Beyond compliance
SOX appears to have helped push ERM at some corporations
By Michael J. Moody, MBA, ARM
Enterprise risk management (ERM) has matured over the past few years and has
evolved from a number of other risk management-related applications. One of the
most obvious was an outgrowth of the Sarbanes-Oxley Act of 2002 (SOX). This
legislation was passed on the heels of numerous financial reporting
shortcomings from U.S. corporations.
As a result, Congress acted, due in large part to a lack of confidence from the
investing public, in an attempt to re-establish credibility in financial
reporting. The crisis in confidence shown by investors was having serious
consequences for the U.S. stock market, and Congress realized that more
stringent financial reporting requirements were needed.
Compliance takes center stage
The legislation was a direct result of a number of financial statement fraud
issues that had rapidly spread throughout the United States. Among others, these
fraudulent financial statements included high-visibility losses from firms such
as Enron, WorldCom, Global Crossing and too many others to count. While there
were many reasons for the losses, many industry observers believed that they
were caused by powerful CEOs, and ineffective or compliant auditors (internal
and external). Other frequently noted reasons were soft penalties for
perpetrators and weak management of risks.
A wide variety of sections in the regulation relate directly to shortcomings in
financial reporting. Some of the more significant are that executives (CEOs and
CFOs) must personally certify a public corporation’s financial results (Section 302). Further, they also must issue a report on the
effectiveness of the company’s internal controls over its financial reporting (Section 404). While there are
other important aspects of the Act, such as the independence of the auditors,
audit committee compensation and the penalties for accounting fraud and related
offenses, it was Sections 302 and 404 that caught the immediate attention of
executive management.
The legislation had taken direct aim at the drivers of fraud by attempting to
strengthen both the board's and the audit committee's risk oversight. It was realized that if left unchecked, accounting fraud could
quickly cause damages in the billions of dollars, frequently to the detriment
of unsuspecting shareholders. What corporations soon found out was that SOX
left them with a myriad of new requirements to be met.
Investor confidence in financial reporting in 2002 was at a low point. Even
companies with little or no problems with their financials found themselves
being second-guessed by security analysts, financial pundits and the investing
public. Once passed, SOX became the law of the land and created a massive
implementation headache for corporate America. It was soon obvious that SOX
compliance was costing organizations significant amounts of time and money via
professional consulting fees and other miscellaneous resources. While many
corporations viewed the new law as an overreaction to the reporting problems,
since they felt that it would do nothing but increase the cost of compliance
for public companies, some organizations did believe that the benefits of SOX
would offset the cost of compliance. But the majority did not believe that the
cost of compliance was worth the additional effort. Only time would provide the
answer to the cost-benefit issue.
After the adoption of SOX, most companies appeared to simply be looking for
methods to not run afoul of SOX compliance rather than looking for ways to
improve risk management. Those companies often thought that SOX was nothing
more than a “check-the-box” type of exercise with little real benefit to the investing public. However,
they also realized the penalties for not complying.
Despite its detractors, SOX planted the seeds for enterprise risk management for many organizations. Inevitably, those initial steps were mostly about compliance-related issues. However, forward-looking corporations actually saw the advantages of
implementing a formal SOX agenda, which could lead to a competitive advantage if combined with other risk management activities. Unfortunately, all
too many organizations were unable to see that SOX compliance was merely the
first step in the holistic risk management environment of ERM.
Even today, some corporations still fail to see that ERM is the next step in the
evolution toward proactively managing risks. The effects of moving to an ERM
mentality have been to formalize the risk management process from a holistic
standpoint, thus providing a more comprehensive scope than the original SOX
compliance efforts. As a result, the significance provided by ERM is in its
ability to optimize the value created from the joint management of risk and
capital. In essence, ERM establishes a framework that considers both the
downside risks and the upside risks (i.e., risk and reward). This
framework goes far beyond mere compliance to provide a unifying approach that
can be used to articulate risks consistently across an organization by
evaluating alternative capital structures to bear those risks.
Obviously, businesses of all types take risks every day in an attempt to create
value for their shareholders. While this risk-taking process has gone on in one
form or another, its link to value creation has not always been clear. However,
due in large part to the significant, high-profile financial losses that precipitated SOX, executive management has been forced to take a more serious view of its business operations and its
overall risk management programs.
Renewed emphasis on holistic risk
Today, the management of risk has entered a new era; it is more than compliance,
and farsighted corporations have been able to harness ERM as a strategic
imperative, and as a method for boosting shareholder value. While compliance
was the mainstay of the SOX legislation, as well as some of the newer
regulations associated with the recent financial meltdown caused by situations
in the housing market, ERM, with its holistic approach to managing risk, has
rapidly taken center stage.
Without question, some corporations have invested heavily in order to become
compliant with SOX, but they have also quickly discovered the high cost of
sustaining that compliance. Many of these companies are looking for some
additional methods of making their SOX investment “pay off.” What they have found is that the work done on SOX and similar regulations can
serve as the foundation to build ERM capabilities that can be integrated into
the overall strategic management of the risk of the organization.
Without question, U.S. corporations over the past six or seven years have poured
significant amounts of money into their initial SOX compliance efforts. As a
result, it has been difficult to make the business case for ERM, since so many
of the executives at these firms continue to maintain a compliance view of this
approach to risk management.
While regulatory actions may have provided the initial impetus, the insights
gained from these efforts do not typically have a profound effect on management’s ability to create value. Unlike compliance efforts, ERM is able to assess
risks and provide business owners with recent and relevant data that they need
to make better decisions. Many businesses that have embraced the broader, more
holistic view of risk management have found ways to recover the initial costs
of their SOX-related efforts and also have found a competitive advantage not
available from a compliance-related approach to risk management.
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk
Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been
established to advance the practice of enterprise risk management. The primary
goal of SuRF is to actively promote the concept of enterprise risk management
by providing current, objective information about the concept, the structures being used, and the players involved.