The US Sarbanes-Oxley Act of 2002 has had a huge influence on both American businesses and those in the rest of the world, especially those who want to do business with or in the USA. Section 404 of the act tells us that the management has to be in control, and that the auditors must verify this. A manager must sign a formal statement to declare that he or she is in control.
That immediately raises a question: How can I be sure that I am in control? And more importantly, how can I demonstrate to the auditors that my statement is true? After all, that’s what’s important with any compliance requirement – being able to show others that you are indeed compliant.
Hmmm. That ability to demonstrate being in control might be tough, but don’t worry, SABSA can come to your rescue here. Let us first look at what being in control might mean. The Macmillan Dictionary gives us a generic definition:
Someone who is in control has the power to make decisions and decide what should happen. Examples: Dr Marion is the person in control of all medical decisions at the hospital. The governing board is in control of the school’s budget.
Wikipedia gives a more business-focused definition, in which performance management is introduced:
A management control system (MCS) is a system which gathers and uses information to evaluate the performance of different organizational resources like human, physical, financial and also the organization as a whole in light of the organizational strategies pursued.
These definitions lead us nicely on to the multi-tiered SABSA Business Attribute Profile (BAP) as a means to break down the business into a series of attributes that are the key performance indicators at every level of the Business Stack. The diagram shows this SABSA concept.
The first thing to recognise is that ‘to make decisions and decide what should happen’ is another way of saying ‘manage the business risks’. The diagram shows the way in which risk management (which is at the heart of the SABSA framework and methodology) is distributed through the layers of the stack.
The diagram indicates that a SABSA BAP can be defined at every level. The Business Attribute ‘In Control’ is associated with the high-level value chain (the business itself), but of course it must be inherited downwards through the stack levels and interpreted into many more specific attributes appropriate to the various levels.
Each attribute is defined within the context of the stack layer, and each one is assigned a measurement approach, a specific metric and a performance target. The attributes are ‘proxy assets’ for the highest-level asset, Business Value, and the performance targets are an expression of risk appetite with regard to acceptable risk performance of those assets. SABSA defines risk as being the uncertainty of outcome both for grasping opportunities for enhancing business value and for mitigating threats that might undermine business value. So if you adopt SABSA as your method of controlling, managing and reporting business risk, you’re done! You’re in control and you can demonstrate that by reporting performance.