David Wagner, chief financial officer of Entrust Inc., Dallas, TX, spoke at NC State’s Enterprise Risk Management (ERM) Roundtable on Friday, November 18, 2005. More than 140 business professionals and College of Management graduate students attended the program at which Wagner provided an overview of how Entrust, as a small, publicly traded company that develops and markets information security software solutions, is striving to leverage work driven by compliance requirements into greater value-added activities related to enterprise risk management (ERM).
Wagner used two examples of regulatory requirements facing enterprises to illustrate the need for an ERM approach to risk management: Section 404 of the Sarbanes-Oxley Act (the Act) and regulatory/legal requirements related to protection of information assets.
Like many publicly traded enterprises, Entrust has tackled the first-time challenge of ensuring compliance with Section 404 of the Act, which requires management assertions and auditor testing and reporting on the operating effectiveness of internal control over financial reporting. Having never before publicly asserted the effectiveness of such controls, Entrust faced the challenge of ensuring that its internal controls were designed and operating effectively so that the risk of material misstatements in its financial statements was remote. That required a company-wide risk-based analysis of all its key business processes to identify threats to those processes that might impact Entrust financial statement accounts.
Management and employees identified 66 key business processes that directly affect 42 different financial statement accounts. For each of the 66 business processes, management and key business process owners approached their risk assessments by first asking “what could go wrong with this process?” They began by focusing on inherent risks surrounding each of the 66 different business processes and rated each identified risk as low, medium, or high. For each identified inherent risk, management then evaluated the internal controls already in place to mitigate that risk to an acceptable level. Over 100 internal controls related to those processes were identified, in addition to over 90 other higher-level controls related to the company’s information technology infrastructure.
To manage this process, Entrust developed a “Risk and Controls Repository” to track both the identified risks and related internal controls. The repository identified the business process affected and then indicated the risk rating (using a low, medium, high assessment). A “risk owner” was assigned responsibility for documenting the internal control to mitigate the identified risk. All this information was tracked in the repository.
By the end of this 404 compliance process, Entrust had invested over $2.5 million, representing 2.5% of revenue, in complying with Section 404. Given the size of that investment, questions were raised about whether the company received anything worthwhile from the Section 404 efforts. Management’s conclusion: Yes.
One of the major benefits identified by management was the risk-based review of the entire organization. While Section 404 is primarily focused on risks related to financial reporting, the risk-based review of over 60 key business processes provided valuable insights for management and key business process owners about risks affecting all aspects of those processes. While some of the risks identified may have impacted financial reporting, other risks affecting the strategy and operations of the enterprise were also identified.
For example, given Entrust’s core business of software development, there is a huge “intellectual property rights” risk facing its overall strategy. Review of key business processes surrounding software development (which is Entrust’s main revenue generating process) helped highlight areas for improving processes related to protecting its intellectual property rights. That kind of risk identification, in management’s and the board’s view, is key to a core strategic aspect of Entrust’s business model. Furthermore, the company’s efforts surrounding Section 404 helped develop and train all business process owners on the benefits of having a risk and controls process analysis. Now all key business owners are more aware of a risk approach to analyzing processes, which should ultimately help management identify key risks affecting the overall enterprise.
In addition to sharing insights from the Section 404 first-year compliance experience, Wagner also focused on the growing expectations and regulatory requirements associated with information security protection. Wagner’s discussion highlighted that while Sarbanes-Oxley is driving enterprises towards an ERM approach to risk management, information security demands are having a similar impact on the need for effective risk management.
As businesses rely more heavily on digital information in how they operate, for example through greater use of Internet-based delivery of services, they face increasing threats to the security of key information that is vital to their successful operation. Regulations are rapidly emerging that require adequate safeguarding of valuable information assets, which are spread throughout most businesses.
Strategic business information may be the most valuable asset for most enterprises. And, with the growth of the use of information technology throughout virtually all business processes, any threat to the security of that information may affect any aspect of the enterprise. Certain breaches in information security could simultaneously “shock” multiple business processes within a single enterprise, ultimately leading to significant harm to brand image and threats to the viability of the enterprise. Thus, information security risks must be considered on an enterprise basis, which argues for an ERM approach to risk management. So, like Section 404, growing expectations in information security are also calling for greater focus on risk management from an enterprise-wide perspective.