For my first blog at iSixSigma, I would like to contemplate disciplines that are slow to embrace Six Sigma but need it most: internal control and enterprise risk management. Passage of the Sarbanes Oxley Act of 2002 thrust these domains into the limelight. The Committee of Sponsoring Organizations (COSO) defines enterprise risk management as follows:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
COSO’s definition and several internal control concepts evoke quality: risk management is quality management; risk appetite sounds like fault tolerance; reasonable assurance regarding achievement of objectives depends on satisfying expectations of customers and regulators.
Language is a barrier to Six Sigma penetrating internal control disciplines. Ask a focus group of CPAs to explain the link between defects per unit and risk of misstatement, and many will scratch their heads. Risk of misstatement — inherent or residual risk of events giving rise to a significant or material misstatement of financial results — becomes heady as soon as discussion turns to assertions, materiality, control objectives, fraud considerations and methods of reaching conclusions (e.g., probability, belief-function theory, fuzzy logic). Translated into practice, Six Sigma can be a powerful tool for internal control practices: business process management and DMAIC are a systematic way to baseline and improve internal controls over financial reporting, compliance and operations. Co-evolution of these disciplines needs to occur, as managers strive for systematic thinking, discipline and cost savings in their Sarbanes Oxley programs.
Integration of Six Sigma, internal control and enterprise risk management disciplines will progress over time. Six Sigma deployment in finance, accounting and compliance functions is young relative to manufacturing and operations. Internal control disciplines are just passing through the first two years of Sarbanes Oxley compliance. Using voice of the customer to drive compliance monitoring, measurement of control effects and testing of key controls will become mainstream.

Your thoughts, experiences and knowledge sharing are encouraged.