Friday, December 19, 2008

OFFICER IT: MANAGING YOUR ENTERPRISE’S RISKS

Lee Dittmar is a Principal with Deloitte Consulting, where he leads the Enterprise Governance Consulting practice and serves as Co-Leader of Deloitte’s Sarbanes-Oxley services. He is a highly sought-after speaker on governance issues, SOX, and how companies can improve financial information, financial performance, and investor confidence. Treasury and Risk Management identified Lee as among the 100 most influential people in finance in 2005 and again in 2006. Consulting Magazine named him as one of the top 25 most influential consultants in 2006.

In an increasingly interconnected world, risk is pervasive and timeless. Technology advances have broken down barriers. The global nature and increasing complexity of business magnify the challenges. Consequently, risk management, including the need for more proactive risk measurement and monitoring, has become far more dynamic. IT will continue to play an increasingly important role in risk matters as corporate leaders recognize that risk management is an integral part of an organization and not a separate function. Lee Dittmar, Deloitte Consulting LLP Principal, moderated an Executive Discussion with participants from SAP, Sun Microsystems, and Cisco to explore the role of IT in enterprise risk management, what it takes to become a risk-intelligent organization, and how to attain strategic flexibility through risk.

Amit Chatterjee is Senior Vice President for SAP’s Governance, Risk, and Compliance Management business unit. Prior to this, he was VP of Strategy at SAP. Prior to SAP, Amit was at McKinsey & Co. Prior to joining McKinsey, Amit held several management roles in sales, business development, and marketing for companies across the software spectrum, including Excite@Home, Luminant Worldwide, and Kendara.

Robert (Bob) Worrall is Chief Information Officer for Sun Microsystems, Inc., and is responsible for all aspects of Sun’s global IT infrastructure and line-of-business application development, support and maintenance, including information service delivery and security. Bob was honored by CIO Magazine as one of its “Ones to Watch” for 2006. With 25 years of technical and IT management experience, Bob has held a wide variety of IT roles at Sun. Bob currently enjoys serving as an advisor to several engineering and business colleges throughout the Bay Area.

Jay Mellman is currently a Director of Software Initiatives at Cisco. In this role, he is focused on helping deliver customer-centric solutions that leverage the network and its related functionality. Previously at Cisco, he helped formalize a focus on application networking, bridging the worlds of enterprise applications and the networked infrastructure. During his 20-plus years in the IT industry, he has held leadership roles at larger companies like Mercury and HP, and executive roles in a number of emerging technology companies.

What is your perspective on how and why the topic of IT and enterprise risk management is getting so much attention these days?

AC: There are three main reasons why IT and enterprise risk management are getting so much attention – and will continue to get much attention in the coming years.

First, we have all seen increasing regulation in countries around the world, as well as increasing industry-specific regulations. Many companies don’t consider carefully that entry into a new market may mean making their operations subject to completely new regulations. And of course, each additional regulation adds risk – the risk of non-compliance which can bring fines, loss of brand value, etc.

Second, the number of threats in the world is increasing. Your IT network is at risk of being compromised by hackers, and your supply chain – which is now more globally oriented than ever before – is at risk of being interrupted by political instability; even the rate of natural disasters seems to be increasing.

Third, the face of business has completely changed in the last 10 years, and the revolution is continuing. No longer do all employees sit under one roof, enabling the value chain to be executed under the watchful eyes of managers. Instead, employees are scattered across multiple time zones, and the value chain itself is stretched across companies. IT enables this decentralization, but it is still critical that the right products make it through the production chain and to customers efficiently and effectively; information must continue to flow. Risk management helps managers identify blips in the chain before they become errors.

BW: Senior management no longer looks to IT as a service bureau to process data, but views IT as an integrated part of the business, where all strategic information resides. Senior management looks to IT as a competitive weapon to provide information for strategic business decisions. As a result, the enterprise risk management process has escalated the importance of IT risks when assessing the overall risk to the business.

Furthermore, today’s companies are cutting costs to increase profitability. The IT organization has come under increased pressure to reduce costs. As a result, consolidation of systems and applications, and outsourcing of business and IT functions have resulted in new risks that the company must address at an enterprise risk management level.

The last critical factor is the explosive growth in regulatory requirements over the past few years around the world. These requirements force IT to pay attention to the business requirements of the organization and the business to pay attention to IT.

These factors together raise the level of risk to the enterprise. More and more organizations are starting to treat IT as a kind of internal outsource so that the IT organizations are set up to successfully support all the requirements of a global organization.

JM: The issue of IT and business has been hot on the table for several years – whether it is IT alignment, the business value of IT, or any other number of ways of putting it. With ERM, the stakes just got higher. As companies operate more completely across an extended enterprise, the issues multiply. Analysts are routinely talking about increasing risks and regulations, increasing business complexity, the interdependency of risks, the increasing fragmentation and duplication of effort, and most importantly, the increased accountability required by investors and governments.

Today, management of compliance and risk is typically facilitated in separate organizational silos, independent from mainstream processes and decision-making. It is very dependent on human capital as “middleware” to traverse the fragmented technologies implemented to facilitate control, monitoring, and management. Organizations have been experiencing the high costs of ad-hoc compliance management (around SOX, Basel2, HIPAA) for several years; now that it’s clear that compliance and risk management are a way of life and not just a short-term political issue, companies need to rationalize their approach. IT is seen as the likely and appropriate way to do that.

What are the attributes of a “risk intelligent” CIO?

BW: It used to be that the main focus of a CIO was to look at risk from a systems perspective, making sure that the systems and network were available and supported. Today’s CIO must have a good grasp of the business issues and a perspective on risks that the business faces from an enterprise-wide level – not just from a technology perspective. Previously, the CIO’s main skill set was around technology; now, CIOs must not only have strong technology backgrounds, but also business savvy, risk management, and partnering skills as well.

A CIO should embrace innovation and change by leveraging lessons learned, how technology and effective solutions can address risk factors, supporting governance and compliance activities, and empowering people to address risks at all levels of the organization. It is crucial that a CIO look both internally and externally to their organizations, gathering information and assessing risks from many disparate sources.

Today’s CIO must look beyond his/her own team and systems and interact with senior management across an enterprise to fully understand the needs and strategies within the organization that they support. It’s only with this “higher” view that today’s CIO can truly be “risk intelligent.”

JM: As the role of IT has become more central to the operation of today’s enterprise, the role of the CIO has to become more aligned with all of the business priorities. Years ago, CIOs routinely came from the IT function, generally having grown up around the applications’ development. Today, many CIOs arrive directly from the business or at least having mandates that come directly from the business operations. Today’s CIOs also have the challenge of managing and integrating internal systems with those from both business partners and outsourcing agents. In this environment, the CIO must not only reduce the costs of IT operations, but also help manage external costs and risk, like those specific to compliance and audit.

There are many attributes that will help a CIO best align and meet these challenges. Among many others, three stand out:

• The ability to adapt to the business demands, especially those being expressed from finance and the board room. These demands are often cross-functional and require large cross-system or even enterprise-wide solutions. The ability to balance both business risk against technical risk will be critical to play a valuable role at the table with other C-level executives.

• An ability to build and maintain a nimble IT organization. In early phases, reducing the costs of compliance may be possible with static projects. But as organizations desire the ability to manage risks more holistically, the demands on IT are likely to evolve rapidly.

• A complete understanding of how technology can be applied and extended. While organizations are limited by their current implementations and investments, there are often incremental additions that can provide tremendous information and control even within existing business processes. Such a CIO will be pushing his teams to understand such options and capabilities while maintaining a pragmatic focus.

AC: Tech-savvy: new opportunities to leverage technology for risk management come up all the time – whether through the use of collaboration tools like wikis and blogs, or advanced monitoring of network traffic.

Long-term planner: while many CIOs focus solely on the risk management tasks at hand, it is critical to do serious business continuity planning and crisis planning for events that could arise in the future. Scenario analyses and stress tests can ensure that business will be able to proceed even in times of severe events.

Cross-enterprise view: constantly considers ways to break silos of geography, functions, and systems so that managers and information workers have access to the information they need to ensure that business performance is predictable. Good at identifying synergies across the enterprise.

Sensitivity: build relationships with CEO and other key stakeholders, understand how to build and communicate a vision, tactical judgment and how to communicate decisions
when outsourcing should be considered as an option.

Understand the business: by understanding the business, its key objectives, and strategic goals, the risk intelligent CIO can make sure IT is set up to deliver. The CIO’s team can get involved in reviews and streamlining of business processes to make sure that all of the information available is being appropriately leveraged.

What is the role of technology in risk management?

JM: Risk and compliance management are clearly critical areas for applying technology. But unlike other business processes, managing risk and compliance within an organization must successfully merge policy, information, and technology. There will always be many approaches that customers and vendors consider, ranging from “rebuild it all” to “solve the biggest problem first.” In today’s environment, only a brand new company gets to start from scratch, with a discipline so pervasive; however, it will really take a combination of efforts for success. Depending on the area of the business, companies will be investing in storage, security solutions, new operations management, and information lifecycle management. The challenge with any of these tactical investments is whether these then address the holistic problem: how can an organization improve its overall approach to risk and compliance management substantially and yet incrementally?

The twin challenges boil down to: 1) being able to collect and analyze all sorts of business and technical events more quickly and assuredly than any employee; and 2) being able to normalize and present these events and processes in a business context for appropriate decision-making and control. Part of the solution comes from leveraging a resource that already exists throughout organizations – existing corporate networks. As the only truly pervasive resource, it can provide both unique information and full control enforcement. When coupled with an appropriate context engine, the events and information can flow from both existing and new systems with control being directed centrally and enforced across the enterprise in line with business objectives. This would provide a truly incremental approach and a new risk-adapted business process.

These are very broad areas of scope, but businesses are so expansive that only by implementing the equivalent of a central nervous system can executives understand and control risk across their extended enterprises.

AC: On the one hand IT is a source of risk. Ask any CIO and they’ll tell you that they’re worried about security breaches, crashes, business continuity, as well as the size of the required investment in systems, integration scenarios – the list goes on and on.

On the other hand, IT helps to mitigate risk. Consider what it would be like if accountants still used paper-based journals and calculators to do the books for multinational corporations. The risk of manual calculation errors, as well as the potential for fraud, is very high. IT provides transparency, which is a great combatant of risk. Managers know the value of the deals they’ve closed, the amount of budget they’ve already spent, and which lowers the risk of not meeting their objectives.

Technology can also simplify risk management processes. Without effective use of IT, the risk management organization will be trying to collect information on risks via desktop tools, which can lead to spreadsheet errors and make results very difficult to aggregate. Also, follow-ups and progress can’t be tracked effectively. Business owners with no formalized process for risk identification end up only being able to identify risks in cases where it’s too late, and they can’t leverage experience or re-use best-practice responses – like each event is always happening for the first time. Finally, executives aren’t aware of what’s going on in other parts of the enterprise; they don’t consider organizational implications, and aggregation and auditability are not possible, since without IT, risk management is a non-repeatable, manual process.

With effective risk management processes implemented via technology and embedded into business processes, risk management can become an effective driver of business change.

BW: Technology reduces risks, and at the same time increases risks. Vendors are doing a better job of implementing risk mitigation features into their hardware and software solutions. This will allow customers to implement detective and preventive controls that reduce risk to the business. At the same time, technology has opened up new areas of risks that CIOs a decade ago would not have dreamed of impacting their business. The ability to deliver services via the Internet to our customers, employees, partners, etc. has made it mandatory that we raise the level of our risk management efforts to stay competitive.

Technology allows automation and enforcement of policies, and it reduces the manual processes and headcount required to address risk. Technology also promotes exposure. People are connecting to technology from any number of devices, from any number of locations, with any number of “handles,” and expecting to have access to their information and network all the time. This is a great offering and what technology is supposed to do – advance the way we live. However, this is also a great risk.

Without the proper safeguards in place with this universal access, things like identity management, single sign on, authentication, and role-based access can have serious repercussions. It is important that organizations and individuals build systems to manage this kind of risk.

How do you believe organizations can improve the efficiency of risk management through automated controls and real-time monitoring of risk?

AC: By leveraging the capabilities of today’s enterprise IT systems – such as automated controls, collaboration, workflow, and alert engines – the efficiency of risk management can be greatly improved.

Automated controls can be implemented in key operational business processes. You can be sure that the controls will be executed for each transaction – an IT system doesn’t randomly skip a transaction, get sick, or take a coffee break. Through ongoing “lights out” monitoring of these controls, business owners can be sure that the controls are being executed and that they will be notified in case of exceptions. This management-by-exception greatly reduces the cost of compliance.

Automated controls can be implemented up and down the technology stack. For example, SAP is working with Cisco SONA to deliver a set of network-aware composite applications that implement controls into the network layer – this can extend the reach of control monitoring to your extended value chain – your suppliers, partners, and customers.

Collaboration tools allow managers and risk experts to work together to identify risks, as well as to analyze probability and impact and decide on the most appropriate course of action. Workflow tools included in IT systems route information to the correct users and automatically escalate alerts and notification items in case they are not followed up on time. Alert engines constantly monitor systems and reduce the burden of manual monitoring, focusing your valuable of limited resources on management-by-exception.

BW: Today, a significant number of controls are manual in nature. The monitoring of these manual controls is time consuming and prone to errors. It can also be inefficient to implement due to the budgetary constraints which are facing most IT organizations today. The impact on headcount to implement and manage manual controls can be very costly as well.

We have taken a ground-up approach to our systems. If the foundation of the architecture is reliable, controlled, and monitored, and you have confidence in those systems, then you will also have confidence in the systems that are running on top of it and the applications on top of that. If these systems and applications are also reliable, controlled, and monitored, then you have confidence in the business services and processes that you can layer on top of your infrastructure. It’s a bigger view of the enterprise IT systems and how they integrate and support one another.

Automated controls and real-time monitoring results have proven to be very compelling, by reducing the overall costs and complexity of our systems. It has made it easier for our compliance organization to test and verify that our risk mitigation efforts are effective, which in turn reduces the overall cost associated with a very manual intensive risk program.

JM: There should be very little argument that automating controls can provide value to organizations through reduced compliance costs and the potential to better identify risks over time. But just as IT’s objectives have moved from cost reduction to business value over the past several years, the opportunity to use holistic GRC approaches to drive value is great. Cisco believes that linking the business context and business controls to the network is really the equivalent of giving the brain a complete nervous system. As the only corporate asset that spans the entirety of the enterprise – not just the formal enterprise, but the extended enterprise and all its devices, systems, and sensors – the network can provide true real-time information, not just about technology events, but information about users, systems, and key business processes well before the information would be in systems of record. Likewise, linking the network to an ERM framework, the millions of events that happen every minute can be normalized, correlated, and presented according to a specific business process model. And critically, once a decision needs to be made, the network can play a critical enforcement role in a more timely and efficient fashion than possible today. Here are a couple of examples:

• An integrated and pervasive system could help identify potential service level violations or risks as an adjunct to existing CRM and/or supply chain management systems.

• An advanced system could use sensor data to track sensitive inventory and then escalate problems to appropriate individuals using unified communications technologies based strictly on policy.

• An integrated system could identify and enforce secure communications across the enterprise to ensure that sensitive data was treated appropriately.

Combining these capabilities and both risk aided decision-making and control is a breakthrough.

Discuss how to prevent, detect, correct, and escalate critical risk issues with integrated systems.

BW: We started by establishing an IT compliance group that reports to the CIO. Their charter is to understand critical risk issues with our integrated systems and processes from an IT perspective. This group works in partnership with other compliance groups on the business side, as well as the internal IT groups that manage and maintain our systems, to address risks at an enterprise level.

A good example of how these teams work well together to lower risk is how we are able to identify critical risk issues as we implement our integrated ERP systems and provide recommendations to address these risk issues at the architecture/design phases of the project. Furthermore, as we approach the testing phase of our projects, we are able to test the business and IT preventive and detective controls to assess the effectiveness of our controls from a risk mitigation perspective. This combined view of the project and its place in the enterprise risk management strategy really elevates what the team can accomplish, and greatly lowers the risks associated with an enterprise-wide implementation.

By taking advantage of the latest technology, we are able to prevent many of the typical risk issues. For example, our systems utilize self-healing technology – an automated control which reduces our risk of down time; containers – a service that allows us to greatly reduce the risks around patch management and change control; and policy enforcement technology – an automated control which audits our systems and escalates any issues for resolution.

AC: Technology allows real-time information to be taken into consideration with risk identification and risk analysis. Leveraging information from various operational systems across the enterprise, certain patterns in data, and certain thresholds that have been preconfigured, can be monitored for exceptions. Some of these “exceptions” that are found will be actual risks; others may just be informational notes. In any case, sophisticated sorting algorithms will ensure that these alerts will be evaluated at some point in their full business context by an experienced manager. Here, too, IT plays an important role in both identifying the correct escalation path for the information, and sending it to the person in the manner that makes most sense – on a cell phone, mobile device, as an alert in a dashboard, as an email, or an entry in a task list.

However, the alert information alone is not enough – the context must be reviewed as well – the full value of the customer relationship or the production planning for the next three months, for example. This information can be included if the enterprise systems are integrated. This manager will make the decision of how to respond to the risk – whether mitigation is required or whether to accept the risk as part of normal business.

Many enterprise systems offer controls that can be integrated into business processes targeting specific risks. These preventive controls can ensure that the risk situation won’t come up again since they are set up and configured to become a part of the business process.

JM: While there are millions of events that happen across an enterprise and on the network every hour, the critical value in such an integrated system is the ability to identify and operate around those most critical business priorities. Once an organization identifies these critical processes and the controls needed to implement them, an integrated system can deploy the controls and enforce their action across the entire extended enterprise. In short, an integrated solution could provide the following:

• The ability to detect and assess: This helps balance financial, legal, and operational risks, as well as rationalize controls against multiple frameworks, enabling the organization to correlate frameworks such as Control Objectives for Information and related Technology (CoBIT) against company policies. Built-in event services ensure that the solution detects issues quickly and aggregates them to enable intelligent evaluation of necessary action.

• The ability to measure and monitor: The solution would automatically monitor relevant events in multiple enterprise applications, as well as mobile devices, radio frequency identification (RFID) tags, email communication, instant messaging, and all major IT assets. Using this data, a system simulates control configurations in real-time to let an organization proactively identify and prevent risks.

• The ability to govern and enforce: This proactively prioritizes corrective action while automatically centralizing and storing evidence needed to support decisions taken. When issues arise, flexible notification services make it easy to locate and inform responsible parties through unified communication capabilities, while action services extend documented policies throughout the infrastructure.

What ideas can you share for enhancing strategic flexibility to mitigate risks with existing assets and to enhance risk-taking for reward?

JM: No organization is in a position to start from scratch. There are far too many existing compliance and risk-related issues to automate everything at once. Perhaps Gartner stated this most clearly: “Organizations that choose individual solutions for each regulatory challenge they face will spend ten times more on compliance projects than those that leverage each implementation for multiple requirements.” This type of multiple involved organizations and CIOs can begin to address this area incrementally, and be able to at least satisfy the cost reduction part of the equation. The sticky challenge for most IT organizations is to help identify the areas with most upside – the combination of positive business impact and relatively low technology risk. A CIO who can understand the underlying business risks and align those against technology risks is going to be in the best position.

• Identify key value areas first. By working directly with the finance organization, a CIO can ensure focus on those areas of highest impact or greatest risk management requirement. By working with a technology program office (if it exists), these key requirements can be overlaid against the existing projects and investment plans. Together, these should help organizations understand the degree of existing automation within the risk and compliance space internally and provide a common basis for aligning against risk and compliance requirements.

• Expect to start and build incrementally while keeping an eye on a long-term architecture that can support your risk-sensitive business in the future. There are clearly business areas that can benefit from a more deliberate and automated approach first. There are high value examples where adding incremental (and generally external) capabilities to existing business process can drive dramatic and quick value to the business. Utilizing existing investments – like those in a corporate network – can not only shorten time-to-value but build a strong infrastructure for add-on projects.

• Build capabilities for flexibility while outsourcing those areas more straightforward and/or mundane. How your organization chooses to address the market, whether it grows organically or through acquisition, and how much it depends on external supplies and vendors can all change the importance of managing risk and the need to provide more complete solutions for risk and compliance management. All organizations have a combination of activities that are core and those that are context. Moreover, there are many opportunities for balancing the need for “world-class” versus “does the job.” The critical capability for an IT organization is to be able to adapt to these priorities on an ongoing basis.

AC: When executives decide to enter new lines of business, there are always risks that need to be considered. For example, a high-tech component manufacturer can enhance their strategic flexibility by building not one large factory, but rather four – maybe geographically distributed in India, China, Russia, and Mexico. Then, depending on the risk situation of the country and the production plans, capacity can be strategically deployed. This additional flexibility could help the company produce when their competitors are facing significant challenges – political crises, currency devaluations, strikes, etc. But this flexibility is only possible because back when the new business was just an idea on a whiteboard, management had the foresight to build strategic flexibility into their plans.

Another area where SAP is helping customers to enhance strategic flexibility to mitigate risks with existing assets is by leveraging our partnership with Cisco. Cisco and SAP have both been investing in service-oriented architecture, which makes it significantly easier to exchange information between systems and with all partners in the value chain. Customers can take advantage of their existing investments with SAP and Cisco to identify all sorts of network data exchange risks, using existing assets.

Enhancing risk-taking for reward requires good performance measurement and management – the link between risk management and performance management exists today and will become stronger in the next years – since the goal of risk management is to provide the business with the information they need to deliver predictable results. Therefore, if there is not a system which monitors risk ownership, measures the amount of risk taking, and tracks results, people cannot be held accountable for their actions and rewarded for taking risks.

Businesses and executives need to be able to learn from their experiences: Which business strategies worked? Which risk mitigation plans were worth the investment? Capturing this information consistently and including it into internal “best practice” playbooks means that with time, our executive management will benefit from both positive and negative experiences.

BW: Taking an enterprise approach to risk management is critical. Knowing the requirements that face the organization as a whole allows the IT group to architect the proper infrastructure to support the organization not only today, but into the future. Having key controls in place, understanding what they do and why, and having subordinate controls for flexibility gives the organization the ability to respond strategically to critical events. Whether faced with a natural disaster, an audit or lawsuit, or an acquisition, the infrastructure is agile enough to grow and respond with the needs of the company while still being under control.

Additionally, there are many controls that exist today in IT systems that are not being fully utilized. These controls are both preventive (restrict access to data) and detective (alert to suspicious activity) in nature, which, if properly implemented, will allow the business to enhance risk-taking for reward. However, just implementing these preventive and detective controls does not mean that you reduce the risk associated with these IT systems. Monitoring of these controls is paramount to effectively reducing risks, which will allow you to realize a greater return on investment in your existing IT environment.


Courtesy of GRCJournal.com, where the original article appears.

Thursday, September 25, 2008

Software and Services strategy for GRC

Governance, Risk, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. However, this term is often positioned as a single business activity, when in fact, it includes multiple overlapping and related activities within an organization, e.g. internal audit, compliance programs like SOX, enterprise risk management (ERM), operational risk, incident management, etc.

Governance is the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to ensure compliance with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.

Risk Management is the process by which an organization sets the risk appetite, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Risk Management leverages internal controls to manage and mitigate risk throughout the organization.

Compliance is the process that records and monitors the policies, procedures and controls needed to enable compliance with legislative or industry mandates as well as internal policies.

While there are several on-premise GRC solutions available in the market, for example ‘Paisley’, one successful GRC strategy for SMEs could be to go for an ‘on-demand’ or hosted solution along with GRC implementation and professional services. I call it the ‘Software plus Services’ strategy.

Software plus Services describes the idea of combining hosted services with capabilities that are best achieved with locally running software. It describes composite applications created by combining traditional software with remote services to provide a consistent and seamlessly integrated user experience across devices and form factors. Software plus Services is the concept that Software as a Service (SaaS) complements traditional packaged software, running on either client or server, with services that add value.

SaaS GRC Software (on-demand) Vendors:
Some of the hosted GRC applications with the capabilities of the best IT/GRC teams are:
1. Axentis
2. Favored Solutions
3. Paisley


Software-as-a-Service (SaaS) Benefits:
With the increasing use of the internet and due to heavy maintenance costs, the latest trend is on-demand software. Often referred to as ‘Software-as-a-Service’ (SaaS), it is rapidly gaining the attention of not only SMEs but large corporations as well. Some of the benefits of the SaaS model are:

1. Anytime, anywhere access.
2. Subscription based.
3. Cost effective.
4. Easy to maintain.
5. Automatic, off-site backups.
6. Secure.
