Sarbox clever

Four years after the introduction of Sarbanes-Oxley many organisations are
still struggling with embedding compliance in their business.

They are realising that they need to get smarter at addressing regulatory
compliance. It’s a challenge that requires a change of mindset from senior

Market reaction to the European Union’s markets in financial instruments
directive (Mifid) shows we still have some way to go. I see the same confusion,
procrastination and lack of strategy as in the early years of Sarbox. It is
understandable, given the lack of clarity in requirements and timescales
relating to Mifid. Directors can be forgiven for wondering where to start.

Non-compliance is not an option. Instead, we need to work out how best to
minimise the effort and burden, and focus on sustainability. These are the
challenges that the more progressive global organisations have addressed with
their Sarbox programmes.

In many cases they have achieved this through several iterations but are now
more capable of meeting future compliance requirements with minimised effort,
and using this to enhance business improvement projects.

In the early days of Sarbox there was similar confusion over the requirements
and how to comply. There was also a lack of documentation of business
operations, and little idea of how much effort would be required to meet the new
obligations. The initial response was to do everything in too much detail.

Once compliant, many organisations struggled with the dilemma of how to
remain compliant while operations evolved.

Finally, some organisations started to take a smarter approach. Smaller
governance groups were formed to agree and document principles and assumptions
to form a compliance framework that they could ‘manage their external auditors
with’. They adopted a risk-based, top-down approach to defining their scope,
really thinking about what was critical and what wasn’t – and why.

Businesses embarked on culture change programmes throughout the
organisation. They got their best people involved and they established
initiatives to institutionalise compliance into the business.

Mifid compliance presents very similar risks and opportunities for the
financial services sector.

But by taking the lessons from Sarbox, companies have a choice: to repeat the
same mistakes and over-comply or to take the right steps early to ensure minimal
pain and maximum value.

John Bronjewski is director of client services at Resources Global
