Is Sarbanes-Oxley All Bad?

Computerworld - Finding the Sarbanes-Oxley Act as difficult to swallow as bad-tasting medicine, many companies question the need for it. They might better question why it took an act of Congress to get companies to list and track the performance of their material risks and associated control procedures, activities that are fundamental to running a good business.
Sarbanes-Oxley raises even bigger questions: Is your company really organized when it comes to managing overall governance, risk and compliance (GRC)? Doesn't compliance encompass more than accounting controls? (Enron wasn't an accounting problem; it was a business and ethics problem. Accounting was just the means to perpetrate the crime.) And once a company is organized to manage GRC, how does it leverage technology that enables truly effective and efficient GRC management?
Seize the Opportunity
Is Sarbanes-Oxley all bad? Not when it makes compliance management visible at the highest organizational levels. The COSO framework, the underpinning of Sarbanes-Oxley's internal control requirements, isn't a vast conspiracy to enrich accounting firms. Many, if not most, risk-related processes in a company may be poorly run for the simple reason that they have been viewed as a burden and not a driver of revenue. As a result, most compliance activities have been seen as bothersome necessities rather than as strategic imperatives. COSO provides the guidelines to enhance compliance processes.
Rather than railing about compliance and regulatory requirements, companies should use this time to define a GRC strategy. Companies that execute this strategy as rapidly as possible can increase competitive advantage, whereas companies mired in risk avoidance will be left far behind.
Compliance is friction in your organization, and the friction has gotten bad -- more regulations, more scrutiny and enforcement, and more time spent by your employees doing what for most is an adjunct to their primary job of attracting and retaining customers. But companies with well-run compliance processes (with applied resources and executive commitment) enjoy share-price premiums, competitive advantage, improved morale and reduced risk of being tomorrow's corporate scandal headline. How do successful companies transform GRC management into a real driver of business performance? They leverage the substantial effort and cost tied to Sarbanes-Oxley for all compliance issues.
Richard Steinberg, the founder of Steinberg Governance Advisors Inc., was one of the principal PricewaterhouseCoopers authors of the COSO Internal Control -- Integrated Framework and is an internationally recognized expert on corporate governance, internal control and enterprise risk management. According to Steinberg, "Some of the companies I'm working with are not seeking merely to comply with the Sarbanes-Oxley requirements and viewing