Using the Sarbanes-Oxley Act

by mThink, May 23, 2005

Who would have predicted that significant help in managing operational risks would come from such an unlikely source: Section 404 of the Sarbanes-Oxley Act? But, by voluntarily extending the Sarbanes-Oxley model, stretching management's study and evaluation of controls beyond financial reporting and control to operational reporting and control, forward-thinking utilities may more effectively uncover and manage regulatory and business risks, resulting in increased investor confidence.

So the scramble is on: Many public companies have staffed up internally and hired outside resources to comply with Section 404 of the Sarbanes-Oxley Act. These companies are consuming much in the way of time, manpower and money to document, test and evaluate their internal control structures and procedures for financial reporting. For example, an Ernst & Young survey of 100 major businesses found that 70 percent of companies anticipate investing at least 10,000 hours to comply with Section 404. Moreover, a survey by Financial Executives International found that responding companies expect to pay an average of $732,100 for external consulting, software and other assistance to comply. (Section 404 requires that companies document and test controls three months before the end of the fiscal year.)

For most of these companies, the end product of these significant investments may be an internal control report from management that accomplishes two key objectives. First, it will help confirm management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. Second, it will help assess how well the structure and procedures work. The company's external auditors must attest to, and report on, management's assessment as well as the effectiveness of internal controls over financial reporting as of the assessment date.
When it's all said and done, management at most companies will likely breathe a sigh of relief, be glad it's over, put Section 404 activities on the shelf for a while and move on to more invigorating activities. It becomes clear, however, that forward-looking companies should consider taking the logical next step of extending the Section 404 framework from the financial side of the house to the operational side. Yes, that's right: voluntarily extend the Section 404 mindset to operations, proactively immersing the entire organization in the identification, documentation and testing of operational controls.

Changing a Mindset

Many companies view elements of Sarbanes-Oxley as time-consuming and expensive. However, beyond the direct improvements in financial reporting, such efforts have additional potential upside as well. The most important upside is taking the expertise developed in documenting, measuring and testing financial controls and applying it to operations. In many ways, it is no more than the logical next step. Those who translate everything they've learned on the financial side of the house to the operations side will emerge from the 404 process the strongest.

The need for better operational controls and reporting has never been greater for utilities. Over the past decade, new players, new regulations and new market forces have shaken up the once-stable utility industry. The landscape is littered with ill-fated attempts at deregulation, high-profile business failures and scandals at energy trading organizations. Consumers are angry and confused, investors are wary, and state and federal legislators and regulators are determined to return order to an industry that they believe is in desperate need of it. All of these factors, plus the capital-intensive nature of the business, point to an increased need for vigorous risk management practices, policies and procedures.
The dawning of Section 404 financial reporting presents a golden opportunity for management teams to put processes in place that manage risk from its origin: operations. Without thorough operational control, true financial control may be difficult to attain.

Focus on Financial

In all but the most sophisticated companies, operational controls traditionally have been underdeveloped compared with the financial side. The group most often charged with operational controls, the internal audit function, is usually focused on compliance instead of the operational issues that ultimately affect financials. This focus on financial controls will only grow as compliance with Section 404 is institutionalized.

In many companies, oversight of operational processes and controls is scattered throughout the organization. More often than not, the job of mandatory operational reporting to various state and federal energy, health and safety, and environmental regulatory agencies falls on different functions within the organization, such as human resources. By default, these departments within a company become the keepers of various data and information, reporting them to regulatory agencies on a habitual basis. Because it lacks systemic control, standardized processes and oversight, this ad hoc reporting style can create significant risks.

As a result, internally driven challenges to what organizations are doing operationally are often nonexistent. A lot of upward reporting occurs, but not a lot of peer review or systematic checks and balances. And it's only through those approaches that gaps can be uncovered and addressed before they create problems.

Sarbanes-Oxley is forcing companies to be more forthcoming and expose their financial control risks. To truly control financial risks, however, companies should think about looking even deeper and identifying the operational risks from which their financial risks emanate. The principles of Section 404 can give them the tools to do so.
The Payoff: Fewer Surprises

Having stringent operational controls and reporting processes in place can alert management to potential trouble spots long before their effects show up in financial statements. This is because there is a very clear and close link between operational and financial reporting. Financial reports are simply a reflection of what has happened in operations.

Unfortunately, management's first look at what happened operationally frequently occurs when the financial statements are produced. When the results aren't what they'd expected or hoped for, they then try to fix the problem, but by then it's too late. In essence, management works backward from the financial statements.

Having operational controls and processes in place, documented and monitored could serve as an early warning system and allow a company to address what is happening operationally on a more real-time basis. Long before financial statements are produced, management would recognize that things aren't going as anticipated and take corrective action.

Many of the recent headline-grabbing corporate scandals and failures might have been prevented or mitigated with better operational controls and oversight. With better operational controls, management at these companies could have known early on that they had a fundamental business problem brewing and could have acted on it, avoiding all of the tragedy that followed. Unfortunately, they didn't understand what was happening in their companies operationally, and by the time they discovered it, they didn't have enough time to manage it.

What to Do

Companies that determine to extend assessment of controls beyond those dealing with financial reporting will immediately be faced with a daunting task: deciding where to start.
Most utilities face no shortage of operational risks, and there are essentially four ways to address them: insuring them; hedging them; learning to live with them because they don't pose a threat for significant loss; and mitigating them through improved operational and financial controls.

Because it's impossible, and probably unnecessary, to address every risk, we suggest employing two criteria for identifying those to tackle immediately. First, try to zero in on the critical handful that pose the most significant potential for loss. Second, consider addressing those that lend themselves to mitigation by improved internal controls. This would include defining and mapping the process as it currently exists, defining what it ideally should look like, and implementing a plan to fill in the gaps.

Internal audit functions are the likely candidates to make suggestions to management for implementing 404-like practices in operations. But to do so, they will need to create a new model for developing, implementing and monitoring operational controls, a revamp that is long overdue in most companies. In the future, the internal audit groups that deliver the most value to their organizations will be those that offer innovative solutions to operational control problems.

Though each company faces a unique set of challenges, there are a handful of likely candidates for Section 404-like documentation, review and testing at most utilities. Near the top of the list are energy procurement and commodity trading activities. In the mid- to late 1990s, most utility companies took advantage of the price-risk protection offered by derivatives by creating their own trading groups to interact and transact with major trading houses. These groups quickly gained tremendous market power, constrained only in limited fashion by their regulatory authorities, and developed significant expertise and sophistication in negotiating transactions using complicated derivatives.
But as these trading groups grew in sophistication, their operational controls did not keep up. As a result, they present significant risk from lack of, or inappropriate, controls over the segregation of duties, as well as the authorization, validation and confirmation of transactions.

Even after numerous high-profile collapses within the industry, many utilities today still have to increase the level of scrutiny over controls within their trading departments. While 404 has caused them to focus on controls regarding segregation of duties between the front-, middle- and back-office functions, the initiation of transactions and the ensuing confirmation, there are still major operational control issues that utilities should address, including:

- Determination of the appropriate authority limits, including spending limits, contract length limits, capital at risk or other parameters in line with the corporate governance objectives of the organization and the expectation of shareholders;
- Credit policies, including collateral requirements and credit limits for counterparties;
- Document retention and price reporting policies to provide safe harbor relative to regulatory requirements;
- Segregation of transactions between regulated and unregulated entities under the same corporate umbrella;
- Realignment of compensation models vis-à-vis the trading strategies of the organization; and
- Reassessment of the controls surrounding the physical movement of the commodity, including scheduling to minimize imbalances.

Another likely candidate for operational control overhaul in many utilities is the process surrounding approval, initiation and management of capital construction projects. Long-term, tangible assets remain the backbone of utilities, and their integrity must be maintained through frequent upgrades, expansion, repair and replacement. Often, utilities lack appropriate controls over project approval and initiation.
Because field personnel and operations crews are tasked with completing capital projects within tight deadlines, projects can be established and executed with minimal scrutiny from an operational standpoint.

A utility's ability to navigate the new regulatory landscape is another operational aspect worthy of close examination. During the 1990s and early 2000s, many utilities dramatically altered their strategic growth plans to focus on nonregulated energy entities that held the allure of higher, market-based returns. Stable, cash-generating regulated activities, while still at the core of the utility business, were often labeled as "slow growth" or "no growth" enterprises. As a result, the in-house regulatory affairs capabilities of many utilities, once large and well-staffed, changed focus and shrank dramatically.

Fast forward to 2005. Because of recent spectacular deregulation failures, many nonregulated energy service offerings have declined or disappeared over the last few years. Many utilities have gone back to the basics (safely maintaining their assets, reliably delivering energy and collecting revenue in a timely manner), with regulated activities once again accounting for the lion's share of utilities' growth prospects.

During the period of infatuation with nonregulated businesses, there was little major utility rate case activity. Now, with the focus shifting back to regulated activities, many utilities are likely to no longer have the in-house capabilities, skill sets or resources to mount any significant rate case work. As energy utilities embark on their strategy development beyond the first year of 404, they must discover resources capable of reviving their own industry expertise, market intelligence and regulatory insight. As these resources are added, implementing a framework where operational controls are present provides the best opportunity to manage risk and prevent many of the mistakes of the past.

Who Will Lead?
Because recent business failures and scandals have created an environment that puts internal operational controls under the microscope, it's logical to think that many companies will embrace this idea. But that's not likely to happen. Managements are so focused on 404 implementation that many may fail to recognize, due to time and resource constraints, that assessing financial reporting controls is only half the battle.

To date, the investment community has not placed a great deal of emphasis on strong operational controls. But it reacts negatively to financial reporting control failures, often not realizing that these failures usually result from the lack of operational controls. Investors and other constituents of these companies will come to that realization when another scandal occurs despite Section 404 compliance.

If Section 404-weary management does not lead the charge to extend this concept to operational controls and reporting, the call for stronger operational controls will likely come from regulators, boards of directors, audit committees, investors, rating agencies and other stakeholders, as they realize that Section 404 compliance does not address all ills a company faces. When this happens, investors and other constituents will then place a premium on organizations that are well-managed and have best-in-class operational controls.

The irony is that, for companies consumed with the Section 404 compliance flurry, a promising solution for addressing their operational risks could be right in front of them.