Sarbanes Oxley Act and Risk Management
3 March 2011
The Sarbanes-Oxley Act (SOX, in the USA) gets blamed for all sorts of controls inflicted upon projects. It has also been used by many business software providers as an excuse to sell their wares. However, the cost of this additional requirement on an organisation must have some return on investment.
If there is a specific SOX requirement for the way risk management is done in an organisation (I’m not convinced there is, though some claim so), then it should be followed. SOX is more about the avoidance of fraud, and it does require that risk is assessed, that risks for specific large undertakings (investments, portfolios, large projects, programmes) are modelled, and that good controls (mainly financial) are in place.
In projects, risks are wider than financial ones, but an organisation-wide recognition of risk management will make it easier to talk about the process.
The focus on SOX compliance has allowed the implementation of reporting in a consistent way in some organisations. This allows consolidation of risk reporting (especially with financial measures) across projects to see organisation-level exposure: a potentially useful board tool in difficult economic climates.