If executives and audit committee members think about enterprise risk management, they typically think about it in terms of business risks and impacts: adverse news reports, failure to meet sales objectives or turnover in key positions.
That is assuming they think about enterprise risk management at all.
But in this, the Sarbanes-Oxley era, it has become critical for companies to be thinking of ways to leverage the information gleaned from Sarbanes initiatives and investments. Smart companies will find that enterprise risk management provides an opportunity to go beyond Sarbanes-Oxley to manage their information technology across an enterprise risk management framework.
When an organization’s leaders set forth their annual goals and objectives, any analysis should incorporate technology risks. Yet it is hardly the norm for companies to think about the technology implications of their business risks. At worst, they are forgotten. At best, they tend to be an afterthought.
However, it is becoming clear that companies are trying to take better advantage of IT-enabling technologies to become more efficient. From a competition perspective, doing so may also provide them with a key strategic differentiator.
Take, for example, a retail firm that uses online package tracking to help its customers. The service is part and parcel of a business strategy to allow greater user access to data. Obviously, the risks of this strategy need to be considered: What happens if users are unable to access the status of a package? What if the status is not available to the user at the appropriate time? What if the information is not updated? All these risks, with their origins in business strategy, link back to technology and need to be evaluated as such.
Too often IT is siloed, and the risks are not uniformly managed from an overall business objective and business risk perspective. In short, IT frequently is playing catch-up, its leaders simply trying to make IT part of the conversation. In fact, IT leaders should be able to alert colleagues to key technology risks of business objectives, as well as potential downsides of using a particular technology to achieve an objective.
Technology’s far reach should not come as a surprise. Sarbanes-Oxley has clearly revealed that many IT risks and controls used to manage companies are not confined within the IT department. Sometimes business departments have their own systems and applications, which are critical to key financial processing elements. Furthermore, they own those applications; IT has nothing to do with them. It has also become apparent that spreadsheets pose their own difficulties. Applications in their own right, spreadsheets are key processing elements to financials and operations. Here again, however, issues arise concerning security, change management, and accuracy.
Third-party vendors are another critical, if often overlooked, nesting ground for technology risks any time data transactions occur with these parties. Companies need to understand, at a detailed level, what takes place in a vendor’s environment—and to obtain appropriate assurance regarding those activities.
In short, technology risks spread far beyond the confines of the IT department’s walls.
The crucial links—and an answer
Underlying any company’s success are a series of infrastructure layers, all of them linked. Business policies may direct the final step toward achieving intended results. But such policies would wither without a basis in sound business processes, carried out by people, who are, in turn, supported by reports and methodologies. And at the root of it all is data, generated by IT systems. Thus, it is critical for each element to be included in risk management considerations.
Enter the Capability Maturity Model. With its five defined levels of capability, it is a potent mechanism for measuring risk.
Take a software development company as an example. Its goal may be to achieve the so-called managed state, defined by a well-managed, enterprise-wide process to ensure delivery of quality software to customers. However, an examination of the processes used to develop the software and manage its quality might reveal an actual, operational capability at a lower state, the “repeatable” state, marked by excessive reliance on people rather than processes and a notable lack of controls documentation.
The model thus provides a clear picture of the current situation as well as the goal—and of the risks that lie between. The model also provides a road map, a means by which executives—particularly those who lack an IT background—can visualize and begin to manage technology risks from an enterprise perspective.
Bringing in Sarbanes-Oxley
How does this all tie in with a company’s Sarbanes-Oxley activities?
Typically, organizations carve up their IT compliance scope based on three levels of controls: entity level, application and general. Of course, all of this is driven by business processes and the applications supporting them. Just as important are the owners or managers of these applications, whether in-house or third party.
Invariably, what unfolds is a scenario involving a multitude of different processes for managing every IT application, each involving different people, different sign-offs and different controls, which, in turn, give rise to different documentation and testing requirements. At the same time, each application represents opportunities for companies to reduce the risk in their organizations from a business perspective.
Sarbanes-Oxley Section 404 compliance can be a starting point for enterprise risk management, with IT as a critical component. Through Sarbanes-Oxley compliance activities, companies can identify opportunities to better manage risks and eventually move up the “food chain” to evaluate other compliance and operational risks outside the 404/302 mandate.
Ultimately, the IT perspective should become an important element in executive settings and strategic planning efforts. Moreover, that should lead to opportunity for hard-dollar savings, such as reduced duplication of IT management processes and reduced testing and management of IT controls. Among the many potential benefits:
- Better business alignment
- Process maturity
- Comprehensive IT assessment
- Robust IT risk inventory
- Improved application and system delivery results
- Greater awareness of technology’s impact
- Increased coordination and collaboration between the business and IT leaders, and better use of IT for competitive advantage.
Make no mistake: leveraging Sarbanes-Oxley in the context of an IT-ERM framework brings tremendous value to the organization, synergistically and financially—which should be enough to convince even the strongest skeptics.