SOX: The Ante for Business in the 21st Century

Stephen DeAngelis

May 22, 2006

Jared Diamond, in his fascinating book Guns, Germs and Steel (Vintage, 1998), explored how the establishment of initial conditions can determine outcomes and consequences that are not readily apparent for generations. He posited, for example, that societies that adopted farming were destined to succeed (i.e., conquer or displace) when coming in contact with societies that remained hunter-gatherers. The seeds of success, he claimed, were inherent in the selected paradigm and had little to do with the intelligence or hardiness of the people. In today’s business climate, especially when it comes to public companies, national and international regulations and standards are establishing conditions that are likely to winnow out weak companies, and this winnowing will probably take place in a single generation. As a result, I’m convinced a new paradigm will emerge in the coming decades; it might not be called Enterprise Resilience Management, but it will resemble ERM in every important way.

One of the most talked-about laws jump-starting the emerging paradigm is the Sarbanes-Oxley Act (formally titled the Public Company Accounting Reform and Investor Protection Act of 2002). SOX or SarbOx (as the act is commonly called) was enacted in the aftermath of the corruption scandals that affected companies like Enron, Tyco International, and WorldCom (now MCI). It aims to protect investors by improving the accuracy and reliability of corporate disclosures by publicly owned corporations. The act addresses issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility, and enhanced financial disclosure. Because large audit firms, like Arthur Andersen, were in collusion with these corrupt corporations, SOX was also designed to review dated legislative audit requirements. It is considered the most significant change to United States securities laws since the New Deal in the 1930s.

SOX has become the “ante” necessary for public corporations to get into the no-limit business game that will be played in this new era. And just like the made-for-television Texas Hold ‘Em tournaments, the cost of the ante (technically called blinds) increases with each new round, and that cost is enormous. Last year alone an estimated $5.8 billion was spent by companies on SOX compliance, and over 200 executives have been indicted since SOX was passed and signed in 2002. To date, most companies have simply thrown manpower at the problem, but those that continue down that path will be no more successful than the Lilliputians were in trying to overcome Lemuel Gulliver in Jonathan Swift’s famous novel. The Gartner Group estimates that companies that continue to use an ad hoc approach to compliance will spend ten times as much as those who develop a more proactive approach.

The other problem with the Lilliputian approach is that every part of the company attacks the same problem, generally resulting in redundancies and waste. The TowerGroup estimates that up to 30 percent of IT spending associated with compliance consists of wasteful duplication of effort. Each function coordinates to some degree with the others, but not consistently. The lack of coordination leads to operational friction and slower response time. At times, critical actions or data are lost in the seams between these disparate sectors, with each sector assuming the other was on top of it. Let’s get back to Jared Diamond. In Guns, Germs and Steel, when discussing successful food strategies, he writes:

All other things being equal, people seek to maximize the return of calories, protein, or other specific food categories by foraging in a way that yields the most return with the greatest certainty in least time for the least effort.

That is what Enterprise Resilience Management is all about. ERM is a strategy that maximizes return by permitting companies to perform “in a way that yields the most return with the greatest certainty in the least time for the least effort.” It does this by automating the rule sets that run business processes. The results include elimination of human errors, reduction of required man-hours, and improved performance. Going back to our poker analogy, companies that become resilient bet small blinds while their competitors are constantly betting large blinds. They still have to perform, but they have more “chips” with which to work. No analogy is perfect, and the poker analogy may be inappropriate for business, but I think you get my drift. Companies that succeed will divert fewer of their precious resources into non-productive activities such as compliance, which in the end gives them a competitive advantage; and in a Guns, Germs and Steel sort of way, those companies will become the ultimate survivors.