Edward Giniat
Joseph Saporito

Not-for-profit healthcare organizations should not regard voluntary compliance with the Sarbanes-Oxley Act as an end in itself; it should be part of a larger enterprise risk management initiative.

At a Glance

  • By improving the integrity of financial reporting, voluntary compliance with the Sarbanes-Oxley Act can help a not-for-profit healthcare organization preserve its reputation within its community.
  • Because SOX compliance is not mandatory for not-for-profits, they have great flexibility in how they structure their compliance activities.
  • Making SOX compliance a part of a larger enterprise risk management program can help not-for-profits to streamline and coordinate their approach to all risk-be it financial, operational, or strategic.

"A good reputation is more valuable than money."
-Publilius Syrus, writer of maxims (~100 BC)

The risk to not-for-profit healthcare institutions of a damaged reputation has probably never been as great as it is today. Pressure is mounting from payers, both governmental and private, for a solution to rising healthcare costs. Some payers charge that healthcare providers are not responding quickly enough to criticism about pricing and performance. Not-for-profit providers also face questions about whether they can justify their tax-exempt status. The result of these concerns has been an increase in litigation, legislation, and regulation. At issue, ultimately, are the relevance, reliability, and transparency of reporting by healthcare provider organizations-and not-for-profits in particular.

Healthcare providers cannot afford to take this situation lightly: The greatest risk faced by the board and management of a not-for-profit healthcare institution may well be damage to its reputation in the community. A healthcare institution's reputation is a vital, fragile asset that rests on its stakeholders' perceptions of the institution's quality of patient care and the quality of its stewardship over the resources entrusted to it. High-quality care and stewardship, in turn, depend upon the integrity of the institution's reporting-its content, accuracy, relevance, transparency, and timeliness.

The Need to Manage Risk

Many of the unfortunate surprises that have hurt healthcare organizations' reputations recently could have been avoided-or at least anticipated-by more effective risk management and more transparent reporting. Many boards and healthcare provider executives have come to recognize this fact. They have come to believe more reliable and relevant documentation is necessary for financial statements as well as for detailing other activities of the enterprise, including quality measures.

Demonstrating better clinical quality and better financial reporting can help an institution preserve and protect its reputation. The challenge for not-for-profits looking to manage their risks more effectively is in finding a way to manage across silos and anticipate and prevent risks before they surface as problems.

Voluntary compliance with the Sarbanes-Oxley Act (SOX) is one approach to managing risk that is widely advocated for not-for-profit healthcare organizations. And, indeed, such compliance can be extremely beneficial to these organizations. But not-for-profits should not limit their focus to the financial reporting risks that SOX addresses. SOX compliance by itself is not sufficient to account for risk where the root causes are in operations, compliance, and strategic activities.

Not-for-profits have a tremendous opportunity today, however, to incorporate SOX compliance into a larger, integrated enterprise risk management (ERM) approach that tailors their SOX compliance to their specific needs while ensuring that other types of risk also receive critical attention. In this way, they can apply a coordinated approach to addressing many of the root causes of risk facing their organizations.

An in-depth discussion of all of the requirements of such an ERM approach is beyond the scope of this article. But as a starting point for consideration of such an approach, the following discussion describes what the overarching objectives of the ERM approach should be and then focuses again on voluntary SOX compliance, and how such compliance might be incorporated into the larger approach.

The ERM Approach

ERM has been an important area of discussion and focus for public companies, which-in the wake of Sarbanes-Oxley-have been seeking ways to manage risk beyond financial reporting to encompass the root causes of financial problems in operations. Intended as a means to develop and share information about risks, ERM can help prioritize an organization's risks and then assign accountability for managing and mitigating them. ERM engages the organization across silos and levels, including management and the board.

View Exhibit 1


The splintered approach that many healthcare providers take to risk management is due to the growing range of frequently overlapping regulatory requirements. Business structures and reporting processes have become increasingly complex, leading to redundancies and inefficiencies.  Silos tend to develop across the healthcare providers' complex and diverse organizations as the providers attempt to balance their teaching, research, and patient care missions.

ERM engages leadership across these silos by ensuring that they use a common language and methodology to identify, measure, prioritize, and manage risk. It also creates a framework and process to improve the focus and efficiency of governance and to link the risks the organization faces to its strategy and decision-making process. Too often, the board and committees charged with oversight spend their time and direct management resources in areas that are of little consequence to the healthcare provider's overall success, while ignoring areas that could affect the enterprise's ability to accomplish its overarching missions. ERM helps the organization's executive leadership understand diverse risks and place those risks on a common platform that takes into account each risk's likelihood of occurring and its potential magnitude of impact should it occur.

Gaining an understanding of which risks pose the greatest threat and the nature and cost of mitigating controls helps to rationalize resource allocation and could actually save money over time. Key steps in the ERM process can be summarized in the following two activities:

  • Creating contact-identifying, profiling, and prioritizing the risks faced by the enterprise
  • Creating process-building and maintaining a dynamic risk management process.  

The objectives of ERM are described succinctly by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The COSO describes itself as "a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance."

According to the COSO, ERM encompasses six key objectives:

  • Aligning risk appetite and strategy
  • Enhancing risk response decisions
  • Reducing operational surprises and losses
  • Identifying and measuring risk impact across the enterprise
  • Seizing opportunities
  • Improving deployment of capital

By improving risk management processes, the organization can better identify who is accountable for managing specific risks. This sort of organizational clarity can help to improve the management of more than just financial risks. Strategic, operational, and compliance risks also may become more visible to the entire organization. Further, such a view helps educate the audit committee-as well as the full board and committee structure-assisting them with their oversight requirements and helping them to better anticipate, prioritize, and mitigate the institutional risks healthcare providers face. Improved risk management should also help to improve the effectiveness and efficiency of the internal audit plan and corporate compliance function.

SOX in the Context of ERM

How should SOX compliance fit within the larger context of ERM? Consider, first, the specific objectives of voluntary SOX compliance.

As noted previously, many not-for-profit healthcare organizations are looking at voluntary SOX compliance as the foundation for improving their approach to risk management. They are focusing especially on Section 404 of SOX, which requires documentation and testing of the system of internal controls around financial reporting. Compliance with SOX is aimed primarily at preventing the financial reporting issues rooted in the manipulation of generally accepted accounting principles.

An important point for not-for-profit healthcare organizations to remember when implementing SOX compliance measures to achieve these objectives is that they are not bound by the specific requirements of the law in the same way that public companies are. In fact, not-for-profits are well positioned to take a different path from public companies. They can benefit from the lessons learned from Sarbanes-Oxley compliance, as well as from the New York Stock Exchange's (NYSE) requirements for risk oversight by an organization's audit committee. Not-for-profit healthcare can, in fact, "get it right" the first time by developing a broader view of risk across the enterprise.

While Sarbanes-Oxley may have initially been viewed as a panacea for better reporting, some of its critics argue that the initial implementation of the law has focused too much on the detailed process-level controls instead of on the company-level monitoring controls. In effect, the critics contend, there has been too much focus on a coverage-based approach instead of a risk-based approach.

This point of view has been reflected in the recently issued guidance from the Security and Exchange Commission and the Public Company Accountability Oversight Board, which effectively alters the Sarbanes-Oxley requirements.  In looking at the aftermath of Sarbanes-Oxley implementation, public companies, especially their audit committees, are increasingly discussing whether they might indeed adopt a more risk-based approach to Sarbanes-Oxley, including an effort to gain greater insight into risk and controls for the company as a whole.

Not-for-profit healthcare organizations have an advantage over public companies. When a not-for-profit considers Sarbanes-Oxley voluntary compliance within the larger context of an ERM initiative, it gains a perspective on SOX compliance that allows greater creativity and flexibility. It therefore can more easily forge ahead with a risk-based approach to SOX compliance-i.e., an approach that focuses on the processes and controls that are the most important, most costly, and most vulnerable.

Consider, for example, that one of the lessons learned from the first year SOX went into effect is that the costs associated with complying with the law reflect a comprehensive approach to assessing controls. Public companies and their advisors chose to assess controls companywide, in-depth, and end-to-end. Typically, they did not deploy a risk-based approach.

As an alternative, not-for-profit healthcare institutions can consider an approach that acknowledges there are controls embedded in their reporting, but that does not test those controls to the extent required by Sarbanes-Oxley. If organizations undertake a comprehensive risk assessment, considering both business risks and financial reporting risks, and then focus their scarce resources on the most significant risk areas and underlying processes, they may be able to cover the majority of their risks with a much lower level of effort.

Not-for-profit healthcare is a business where the "80/20 rule" applies. That is, roughly 20 percent of the key processes involved in running a not-for-profit healthcare institution may represent about 80 percent of its most significant risk areas. By focusing on these most important top 20 percent, the organization will be able to address its key risks appropriately and more effectively than with a 100 percent coverage model. This approach does not, by any means, suggest institutions can ignore the other 80 percent of processes, but it does suggest that areas of lesser risk can be controlled and monitored at a corporate level with stronger oversight and analysis.

Governance over Risk

In September 2005, management consultant McKinsey & Company issued a report indicating that although directors want to spend more time on strategy and risk, few (only 11 percent) believe they have a "complete understanding of the risks their companies currently bear, while 23 percent have a limited understanding or none…." (Felton, R.F., and Fritz, P.K., "The View from the Boardroom," The McKinsey Quarterly, 2005 Special Edition: Value and Performance).

A lack of full understanding of enterprise risk is, or should be, of concern to directors of public companies because the NYSE mandates that the audit committee of its registrants play "an essential role in the oversight of the company's risk management systems and the public reporting of a company's risk factors…." (New York Stock Exchange, Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, February 1999).

As effective governance has risen on the agenda of boards, audit committees, and senior management, it also has become a point of focus for bond-rating agencies. The major bond-rating agencies in the United States have issued reports that discuss corporate enterprise oversight, specifically an approach to managing risk across the enterprise. The agencies say that more effective management of risk will become the centerpiece of corporate governance and, all else being equal, each would look more favorably on companies with better corporate governance over risk.

In June 2005, in its report Governance of Not-for-Profit Healthcare Organizations, Moody's Investors Service said:

In light of the changing environment affecting for-profit corporations and the proposals at the state and federal level for greater oversight of not-for-profit organizations, we believe that governance will continue to be an important dimension of credit quality in the not-for-profit healthcare sector. We also anticipate that the growing complexity of the organizations whose debt we rate, especially in the areas of operations and debt, will lead us to ask for greater participation by board members in the credit evaluation process. We will continue to review and modify our analytical approach in response to evolution in governance practices.

In an August 2005 report, Sarbanes-Oxley and Not-for-Profit Hospitals, Fitch Ratings recommended that not-for-profit healthcare institutions focus on internal-controls issues by voluntarily adopting provisions of Sarbanes-Oxley section 404. If the institutions do not, "Fitch will question why section 404 has not been adopted and what steps have been taken by boards and management teams to document, assess, and improve internal controls," the agency said.

And in its Dec. 7, 2005, report U.S. Not-for-Profit Health Care Sector Explores the Benefits of Sarbanes-Oxley Compliance, Standard & Poor's said:

Implementing appropriate Sarbanes-Oxley reform measures may lead to several important and positive byproducts for not-for-profit hospitals and health systems, including streamlining communication and decision making surrounding financial matters; upgrading investments in information technology to create more efficient business processes; developing an enterprisewide risk management program; and promoting greater understanding on the part of boards and management with respect to how their hospital and healthcare-related companies are legally organized.

Time to Reassess Your Risk Framework

Although not-for-profit healthcare providers already have processes and controls in place to manage risk, these processes and controls typically are inadequate for managing all enterprise risk. Not-for-profits should reassess their risk framework and, where necessary, make modifications to stay current with changing industry trends and organizational needs. Above all, they should consider implementing ERM to address risks more comprehensively, across silos, with the goal of enhancing the ability to anticipate risk in line with the mission, business goals, and the organization's culture.

No standard solution fits every organization. But every organization can find ways to implement ERM by building on the current foundations, improving the existing risk framework, and making cost-effective investments in improving controls.

Edward Giniat, CPA, is an audit partner and industry sector leader, health care, KPMG LLP, Chicago, and a member of HFMA's First Illinois Chapter (eginiat@kpmg.com).

Joseph Saporito is an advisory partner, health care, KPMG LLP, New York, and a member of HFMA's New Jersey Chapter (jsaporit@kpmg.com).

Another Perspective on ERM

For a further discussion of enterprise risk management, read "Searching for Risk," by Thomas Heim, originally published in the April 2004 issue of hfm.

Publication Date: Wednesday, August 01, 2007

Login Required

If you are an existing member, please log in below. Username and password are required.



Forgot User Name?
Forgot Password?

If you are not an HFMA member and would like to access portions of our content for 30 days, please fill out the following.

First Name:

Last Name:


   Become an HFMA member instead