Study: Sarbanes-Oxley Playing Second Fiddle

Sarbanes-Oxley (SOX) compliance is taking a back seat to other governance and risk management initiatives, according to a new AMR Research study.

For the first time since AMR began polling IT and business executives on governance, risk management and compliance (GRC) in 2003, SOX is not at the top of the GRC priority list. While companies plan to increase spending on GRC projects by 7.4 percent to $32 billion this year, spending on SOX will tick up only 2 percent to $6.2 billion.

Survey respondents indicated that SOX may still be on their to-do lists, but 31 percent say better management and mitigation of risk is what is really driving GRC investment this year.

"In this economic climate, companies can no longer focus solely on reactive spending to meet each new regulation," wrote John Hagerty, vice president and research fellow at AMR Research, as part of the study. "As executives are becoming aware of how different business and IT risks affect their bottom line, their spending focus is shifting toward approaching risk strategically, not just tactically."

The increase in overall GRC spending reverses a trend over the past few years that had seen governance and risk management initiatives shrinking as companies streamlined their compliance efforts. AMR attributes the upswing to a renewed awareness of risk.

Researchers also found that executives are looking for guidance framing risk in the context of their business. As a result, GRC remains people-intensive, with two-thirds of IT's GRC earmarks, some $21.5 billion overall, going to services and headcount in 2008.

AMR collected responses from 424 IT and line-of-business leaders across all industry sectors in the United States, Germany, and Japan for the survey.