SOX Compliance Still Poses Challenges

November 12, 2008

Two recent discussions reminded me that Sarbanes-Oxley compliance continues to prevent many companies from launching, or successfully executing, broader GRC initiatives that promise greater returns than merely "avoiding non-compliance."

The first ah-ha took place while I was interviewing Dun & Bradstreet Chief Risk Officer Charles Pavlonis about his company's impressive enterprise risk management (ERM) initiative.

At the end of our chat as we were hashing over some of the reasons behind the success of the program, Pavlonis exclaimed, "Wait a minute -- this is really important!" He then said that ERM success hinges on "getting SOX [compliance] to be something that is not disruptive, that is almost embedded in the core DNA of the company."

I asked him why, and he explained, "Companies that are still struggling year to year with SOX compliance are enduring a distraction that doesn’t allow them to free resources to conduct the other risk assessments that you need [for ERM].”

The second discussion took place during the Q&A session following a Business Finance/CA webcast that I participated in earlier this week. As a participant you can see the questions audience members (in this case, nearly 300 folks) type in as the presentation progresses. It struck me that a large number of the questions essentially boiled down to: “How can we tame our SOX efforts so that we can start GRC in earnest?”

That’s a crucial question – and one that some GRC experts may be surprised still needs attention. On that note, here’s another link to thorough guidance on issues and considerations related to SOX’s “subtler” sections.

One more thing/shameless shill: look for my case study on D&B's ERM program in the December issue of the print magazine. Pavlonis is definitely among a handful of elite finance (and GRC) executives whom you would want to catch up with at a conference.
