Private Companies Can No Longer Risk It
Why a sound control environment matters to private companies
Marketplace volatility has created incentives for private companies to get a firm grasp on risk management.
In response to several highly publicized fraud cases involving public companies, federal lawmakers passed the Sarbanes-Oxley Act of 2002 (SOX). One of the primary objectives of this legislation was the protection of investors in publicly traded companies from inaccurate or misleading financial reporting. While public company executives scrambled to devise a program that satisfied SOX’s mandate of financial reporting transparency, heads of private companies generally opted out of SOX-based approaches, knowing that the initial costs of elevating their control environments could be significant. Although private company leaders could initially adopt a relaxed position concerning the rigor in their financial reporting controls and processes, there are issues in today’s economic climate that require a change of attitude. The marketplace volatility witnessed over the last few years has created incentives for both public and private companies to get a firm grasp on risk management. Risks inherent to the companies’ ongoing operations should be identified, quantified, and mitigated.
The effort necessary to develop a risk management program may initially seem daunting for private companies, but most leaders who have undertaken the effort will attest to the benefits far outweighing the costs. Plus, private companies can walk before they run — selectively addressing the most important risk factors as they get started.
How should a private company develop a risk management program? Although SOX’s internal control framework relates to publicly traded companies, private companies can benefit from the rigorous approach of a SOX program. It’s been 20 years since SOX came on the scene, and it’s still considered the gold standard across the globe for risk management programs and control environments. Below are some benefits private companies can realize by elevating their risk management programs and internal control environments.
A sound control environment enhances decision-making
Among the many benefits engendered by SOX, the most impactful has been the enhanced stakeholder confidence in reported material financial and non-financial information. The regulatory environment has fostered investor confidence in the reliability of public disclosures on publicly traded US companies, driving investment globally. From a private company perspective, stakeholders and management can elevate governance and controls to help make better strategic decisions, monitor company operations, and even enhance company valuations stemming from a similar level of investor confidence seen in US public markets.
Company leaders are faced with decisions on how best to allocate capital on a daily basis. For executives to be effective in this effort, they must have confidence in the accuracy of their financial statements and be able to count on timely information. Regardless of company size or public listing status, an organization’s decisions are only as good as the information on which they are based. Elevating private company control environments can help ensure timely reporting reliability, enhancing the ability of both management and company stakeholders to make sound operational and investing decisions.
Related success story
Great governance benefits all organizations
While the period preceding SOX legislation was riddled with large fraud scandals involving public companies, recent history has seen a deluge of frauds and spectacular collapses of privately owned enterprises. As venture capital and other forms of private investment have increased over the past several decades, more companies remain private longer. Regardless of whether legislation requires it, effective corporate governance is prudent for many companies to ensure that shareholder value is appropriately stewarded.
For example, should a private company wait until it becomes listed on a public exchange to establish an effective delegation of authority? No. Effective governance should not be contingent upon regulation. Formally prescribing and delegating authority helps set expectations of employees throughout the organization — while also empowering managers to make decisions that help ensure processes don’t become overly inefficient. Dynamic company leaders will establish sound corporate governance because it makes good business sense. To that end, private companies may choose to emulate the rigor of a SOX-aligned approach when seeking to establish sound governance methods.
Managing risk helps prepare for future growth
Growth is embedded in every company’s strategy; however, substantive growth and staying power require proactive planning. If going public is part of a company’s growth strategy, it must be prepared to comply with SOX regulations. Knowing this, a private company would be wise to lay the groundwork for its compliance program before entering the public domain. Transitioning from private to public comes with many obstacles beyond SOX compliance. Proactively assessing the control environment will help a private company ensure other critical milestones associated with SEC registration can be prioritized.
By establishing robust internal controls, private companies can set themselves up for successful expansion. In addition to having a head start on regulatory requirements, they will have established processes to handle increased complexity and risk.
A better control environment will enhance cybersecurity and data protection
Data breaches and cyber attacks are on the rise, and public and private companies alike are increasingly concerned about the security of their data. Plus, with more employees working remotely and leveraging unsecured public networks, cybersecurity risk is more acute than ever. A robust ICFR program encompasses information technology-related risks, including data security, elevating the control environment to anticipate, prevent, and monitor for threats to data security.
Ensuring best practices in the form of data security can help improve customer trust and satisfaction. Beyond customer satisfaction, robust data security can also help to mitigate the reputation risk associated with embarrassing, costly, and highly publicized data breaches.
Robust controls lead to operational efficiencies
Beyond managing risk, robust control environments can enhance operational efficiency. Well-documented processes and controls help private companies thrive despite employee turnover by ensuring that procedures are uniform and repeatable. A new employee can step into a role with minimal interruption to operations.
Furthermore, a strong control environment also fosters accountability, serving as a tool to align disparate facets of a company and ensuring all levels of the organization align with the strategic initiatives of leadership.
By clearly documenting key processes and defining process ownership, a clear separation of duties can be established. This often results in a reduction in errors, reduced risk of fraud, and enhanced efficiency.
In summary, there are a multitude of benefits that private companies can realize by making risk management a priority. Over time, company leaders discover that an effective control environment can improve corporate governance, enhance decision-making, facilitate growth, track benchmarks against industry best practices, and bolster operational efficiency.
Refining a private company’s risk management approach
Many private companies that have elevated their control environments find that the benefits outweigh the costs. To reap the rewards of a sound control environment, company leaders should ask the following questions: “Where does our company fall on the spectrum of effective risk mitigation?” “Is the company’s control environment conducive to driving the benefits outlined above?”
Although private companies aren’t required to be SOX compliant, leadership must be mindful of the challenges presented by an ineffective governance and control environment:
- Accounting and finance processes will remain inefficient – Some private companies have more controls than needed. Assessing and fine-tuning the company’s needs will lead to a more manageable control environment, enabling faster financial close cycles.
- Inadequate controls often expose private companies – Conversely, employee turnover can cause some companies to have too few controls. The shortage of accounting and finance talent may create a scenario where leadership develops a lax control strategy and becomes complacent with a determined number of deficiencies.
- Long-tenured teams could be overlooking risks – At many companies, a small group of veteran employees may be responsible for managing risk and controls. Because a fresh perspective is often beneficial, relying solely on the legacy approach could make it easy to overlook deficiencies in the control environment. Enhancing the existing control framework and engaging external advisors could provide the foundation for a sound risk management program.
- Slow and steady wins the race – Valuable changes take time, and risk management teams must be willing to invest in developing the institutional muscle memory and culture that facilitates an effective control environment.