
Technology and Corporate Risk Management

By Richard E. Davis
May 27, 2004

It's a fact: Litigation costs have skyrocketed over the last two decades. In the securities industry, this trend is evident in that governmental inquiries into the practices and dealings of financial and corporate entities on the heels of the MCI WorldCom and Enron scandals have shown no signs of abating. The shareholder actions resulting from these scandals have done little to restore investor confidence. To ameliorate the situation and shore up public confidence in a system that has been operating in a de facto mode of “irrational exuberance,” a host of legislation has been introduced to address the need for greater accountability and transparency in the way our financial institutions and corporations conduct their affairs. The most significant legislation is the Sarbanes-Oxley Act of 2002 (SOX). Comprising 11 parts and 66 sections, it is the broadest piece of legislation out of Washington since the 1933 and 1934 U.S. Securities Acts.

SOX and Risk Management

SOX has had far-reaching consequences from a number of perspectives, and has spawned a number of industries, many of which have evolved out of the Litigation Support and Readiness disciplines into the burgeoning field of Corporate Risk Management. Loosely defined, Corporate Risk Management functions involve the periodic assessment and auditing of organizational accounting practices, financial reporting and decision-making systems, human resources policies and procedures, IT information management, retention systems and data content, vis-à-vis their impact on ensuring organizational conformity and compliance with the various industry practices, rules and regulations. Corporate Risk Management, as embodied primarily by sections 302, 404 and 409 of SOX, is described as follows:

Section 302

Section 302 creates accountability and transparency requirements with severe pecuniary and criminal implications for material financial misstatements. It includes a quarterly reporting requirement in which CXOs (chief executive officers, chief financial officers, chief operating officers, etc.) personally certify that they are responsible for disclosure controls and procedures, and that regular audits and evaluations of those controls and mechanisms have been performed.

Section 404

Section 404 requires entities to create detailed documentation relating to financial reporting controls, and to systematically assess the efficacy of the reporting systems. If material weaknesses exist and they are not addressed, whether through oversight or a simple failure to correct a deficiency for which there is notice, the entity's external auditor is obliged to report it. Any deficiency reported under this “whistleblower” section becomes a matter of public record.

Section 409

Section 409 calls for real-time reporting of material events that, depending on the nature of the event, may have significant implications on a company's financial performance.

What They Mean

The net objective of these sections is to provide a legislative framework governing corporate information systems and practices that will help proactively mitigate the ever-present risk of deliberate or inadvertent conduct that could result in adverse consequences to an organization and, ultimately, its shareholders. While the legislation is intended to remediate various corporate practices and address certain fiduciary concerns, the Pandora's Box of compliance has created corporate technology architecture issues that are in themselves immensely complex and potentially very costly. Companies now have to change their thinking and scramble to create enterprise infrastructures that facilitate the rapid assessment of data and information irrespective of source or platform. To this end, some institutions have taken steps to bring massive offline stores of electronic data, consisting of billions of records of e-mail and files, to a “near-line” state in order to test, mine and monitor the data for compliance with the law and industry practices. The thinking here is that proactively analyzing and assessing a corporation's internal data will help control the costs of responding to governmental inquiries, and of litigation, should it follow.

Technology As a Compliance Facilitator

Key to understanding how technology facilitates compliance and risk mitigation is knowing what is required by the law. From a practical perspective, SOX requires organizations to manage and “near-line” archive disparate data from a number of sources including, but not limited to, e-mail, file servers, instant messaging and any number of third-party applications. Given that billions of transactions and interactions are generated daily in industries falling under its auspices, the challenge that SOX poses of managing this data can be incredibly daunting and costly. Some technology service providers, systems integrators and other similarly situated consulting organizations have astutely recognized this and have pointedly re-engineered content management technologies that previously had applications in litigation discovery or a research context, and packaged them for redeployment in the market as compliance solutions. Companies such as Iron Mountain (Records Management & Retention), National Data Conversion (Rapid Data Restoration, Conversion and Analysis), Zantaz (Real Time Correspondence Archival and Retrieval) and Planet Data Solutions (Paper and Electronic Document Digitization and Auto-Indexing) are racing to fill the void and bridge the gap between the adjunct disciplines of Corporate Risk Management and Litigation Support and Readiness. Each of the companies mentioned has a mix of service offerings that address the data life-cycle management concerns of the CXO and general counsel's offices brought about by SOX and other legislation.

The Responsibility to Embrace Cost-Effective Solutions

Given that the variety and flavor of compliance solutions are growing quickly and are more affordable than ever, it is incumbent on Directors, CXOs and General Counsel to ensure that compliance solutions and technologies that facilitate corporate governance are actually implemented. Failure to take advantage of technology that can help mitigate the risk of litigation could well be deemed misfeasance on their part if it is obvious that someone in their role should have acted more prudently. The SEC has been extremely active in heightening the personal accountability of officers and directors where there are instances of accounting fraud and reporting violations that could easily have been found or addressed by properly implemented risk management systems. SEC enforcement actions rose from 484 in 2000 to nearly 700 in 2003. Of those filed in 2003, nearly 200 involved fraud or reporting violations. SOX has effectively lowered the standard for barring an officer or director from having a role in a corporation or on a Board of Directors from “substantial unfitness” to “unfitness.” This shift in policy has had a definite impact on the responsibility imputed to management.

The Future of Compliance

U.S. legislation bolstering and adding teeth to corporate governance strictures will have an unprecedented ripple effect in the other major economies of the world. Many domestic U.S. entities long considered bastions of capitalism and the free-market system are increasingly leery about the relationships they have fostered with offshore entities that are not subject to the same controls that have been, and are currently being, put in place here. Examples of sloppy internal corporate practices giving rise to litigation are rife in the EU, the Soviet Union, Canada, and Central and South America. Offshore organizations that adopt standards analogous to U.S. standards may initially suffer competitively as their internal culture adapts to the new rules, but the opportunities for U.S.-based companies to help them through the transition will be enormous.

The shakeout will result in a safer climate for international investment, as entities whose practices make them appear transparent and accountable will seek to do business with others whose practices reflect their own. The risk of litigation will never abate entirely, but the probability of litigation should decline as the risk management culture gains a foothold in the marketplace.

Richard E. Davis, BBA, JD, New York, [email protected]
