In peanut butter, as in life, we encounter lumps and smooth parts. The lumps are invariably
the most interesting. So it was at the annual General Audit Management Conference of the Institute
of Internal Auditors, held in Orlando, Florida, on March 21-23. The lumps that commanded the attention
of the almost 600 paid registrants were those produced by the Sarbanes-Oxley Act, the new law
and regulations that affect all public companies in the United States plus many foreign companies
traded here. Of the 47 sessions, including pre- and post-conference workshops, fourteen sessions
explicitly mentioned this new law and many of the others addressed it parenthetically. It dominated
the discussion in Florida, just as the new Basel II Accords dominated the GARP (Global Association
of Risk Professionals) annual conference in early February. Regulators, auditors and consultants
all tried to dissect the importance of the regulations, their effects and costs, and how best to respond.
Given this new Washington ogre, internal auditors are scrambling to assure compliance and to create
the needed controls. It even submerged enterprise risk management, a favorite topic in prior years,
as "governance" and "compliance" become the prevailing buzzwords. Despite this,
I saw strong evidence that risk management thinking has successfully infiltrated the general processes
of the internal audit profession. This is the most promising development.
This year's GAM started inauspiciously with a presentation labeled "Ethics-Based
Leadership." What I heard was a motivational comic monologue filled with one-line jokes, a paean
to the self-importance of the speaker, that shed little light on a critically important topic. Anyone
who sports five sets of initials after his name (none of which I recognized!) creates an immediate
aura of suspicion. It sounded like a sales pitch for his consulting services more than a contribution
to our understanding of the importance of ethical behavior these days. Warning to conference organizers:
these kinds of "motivational" speakers may handle themselves well on stage, but they inevitably
demean the intellectual content of a conference.
Following that poor start, GAM immediately improved. Charles Niemeier, of the new Public Company
Accounting Oversight Board, in Washington, reminded the audience of the initial Federal government
securities acts in 1933 and 1934, responding to the first major market crisis. He warned that the
old system embodied a checklist approach, creating an illusion of a safety net that did not exist.
He sees Sarbanes-Oxley as a return to basic issues and concerns, a new "willingness to challenge
accepted norms," something essential to improving the system. His organization, an offshoot
of Sarbanes-Oxley, is focusing on five key issues for the accounting profession: creating a new "tone
at the top," revising partner compensation, assuring accounting firm independence, requiring
client acceptance of reforms, and, most important, continuing interaction with non-US affiliates
making a global firm operate under the same standards. He acknowledged that, in the past, accounting
standards in the United States have been "rule-based," in contrast to the
"principle-based" global standards.
Yet the approach of Niemeier and the PCAOB seems overly negative, trying to avoid major accounting
pitfalls and disasters, with little recognition of some of the possible favorable opportunities. This
gloomy-Gus focus was echoed later by Joseph Atkinson, of PricewaterhouseCoopers, who summarized the
ideas of COSO's new ERM framework (see RMR December 2004). COSO limits itself by aiming only
at "shareholder value" instead of the broader and more applicable "stakeholder value."
It sees risk as a negative outcome, and it fails to stress the importance of stakeholder communication.
The Atkinson presentation was fluid and intelligent, but it failed to recognize COSO's internal
contradictions. Robert A. Howell, a professor at the Tuck School of Business at Dartmouth College,
issued a similar warning in CFO Magazine in March this year. He suggested that the Sarbanes-Oxley
over-focus on compliance might inhibit the risk-taking necessary for continued growth. He concluded:
"Once people have confidence that their systems are all that they need to be, then you'll
be able to take greater (my italics) risk and know that you can assess the impact of the risk that
Three other sessions gave me new insights into current issues. Daniel Langer, a consultant with
Jefferson Wells, shed light on some of the risk issues connected with executive compensation,
something that most risk officers approach with utmost caution! Too much time is spent on approving
the pay numbers, contracts and agreements and too little on the effect of excessive executive
compensation on stakeholders and reputation. Public perception is the most important driver. But are
those responsible for risk management ready to attack the compensation issue? Thomas Marshall, manager
of Enterprise Risk Management at First Energy Corporation, described his firm's approach to ERM,
already a four-year effort. He helped create a new risk infrastructure, a culture of risk awareness,
a common methodology for risk measurement and, finally, an ERM function that serves as First Energy's
"risk advocate." He also described one way to produce a tangible benefit: showing
a cumulative distribution of risk (both plus and minus), before and after responses, showing a reduction
in the likelihood of outlier (extreme) events. He described in detail one example, using weather hedges
for tornado damage. While Marshall's presentation was excellent in describing ERM in practice,
I had the nagging feeling that, somehow, First Energy might overlook some systemic risks in its emphasis
on the more conventional operational and financial risks. Finally, Byron Hollis, the National Fraud
Director of Blue Cross/Blue Shield, offered a frightening description of the magnitude of fraud loss
within our national healthcare system. About 70% of all fraud cases involve medical practitioners,
and only 18% involve patients (subscribers). The annual cost of fraud in the United States ranges from
3% to 10% of the total cost of healthcare ($1.9 trillion in 2004), or as much as $180 billion. Two
problems are that most anti-fraud activities are reactive, not proactive, and that the system must deal
with multiple participants who have radically different interests: the medical practitioners,
the insurers, the employers who finance many of these programs and the subscribers/patients. Fraud is
a monumental problem.
As usual, I try to review some of the technical management factors for conferences. GAM 2005 reported
over 750 participants, of whom 587 were paid registrants and 56 were speakers. The IIA also reported
29 exhibitors and nine sponsors. Of the speakers, 25 were auditors, 22 were vendors and 9 represented
government, academia and regulators. The IIA produced a first-rate booklet that included brief bios
on all speakers, plus a CD with copies of almost all the presentations. It was also one of the
best-organized sessions I've attended.
From studying the registration list, I uncovered an unusual fact: over 10% of the paid registrants
(61 of 587), came from one vendor, the consulting firm of Protiviti. I've never seen this
dominance of one vendor at any risk management conference.
"A small chance of distress or disgrace cannot, in our view, be offset by a large chance of extra returns."
Warren E. Buffett, 1989