
From IT Compliance to IT Governance - Managing Risk Within the IT Organization
BY SANJAY ANAND,
founder and chairman, SOX Institute (www.soxinstitute.org); founding member, NASBA's Center for Public Trust; member, CEO Roundtable of the SOX Compliance Journal

Buzzwords like Governance, Risk and Compliance (GRC) have traditionally been in the domain of accounting, finance, ethics and law. However, with regulations like Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and others impacting virtually every area of the business, IT can no longer stand outside GRC. IT plays a critical and vital role in business today, and it therefore seems appropriate that the IT department be held responsible for its share of the impact on the business, just as other areas of the corporation are.

IT plays a dual role in enterprise GRC. First, IT is an enabler of GRC both within and outside the organization by supporting the various business functions including finance, accounting, audit and operations. As a result, IT is well versed in shouldering the responsibility that comes with being part of the underlying foundation and framework of the business fabric. Second, IT itself is a business function, and is therefore subject to the same expectations from a GRC perspective. Specifically, the same business domains of Governance, Risk and Compliance now apply as much to IT as they do to any of the areas of the business that use IT.

Evidence of this is seen in the increasing number of regulations and standards aimed at IT, including data privacy, anti-spam, PCI and others.

It is the goal of this article to shed some light on (a) how IT can help enable GRC within the organization, and (b) how to enable GRC within the IT organization itself. As shown in Figure 1, roles and responsibilities around Governance, Risk Management and Compliance were often treated as separate, outside or distinct from the corporation. However, over the past several years we have seen corporations not just embody best practices and principles from GRC, but in many ways the corporation today attempts to serve the best interests of its stakeholders (shareholders, customers, employees, vendors, environment etc.) by being the support infrastructure for better GRC within and outside the organization.

Relationship to IT

The primary driver behind IT becoming an important topic of conversation in the context of GRC is that IT has gone from the backroom to the boardroom. IT today is an enabler of business, and plays a vital and valuable role in driving corporate strategy and business direction. The challenge, however, remains that IT is often considered as being separate from the business, and that rules of the business don’t apply to IT. Nothing can be further from the truth. IT is as much about the business as manufacturing, operations, logistics or any other part of the organization is. And if the organization is concerned with ensuring that it complies with quality and consumer standards for the products it manufactures, so must it ensure that it complies with industry standards for its information assets and/or deliverables. The line between business and IT is blurred.

IT as an Enabler

From a business perspective, the key features and functions of GRC include:

1. Governance is a system by which the corporation is directed and controlled. This typically includes using a board of directors to help establish strategic goals and objectives as well as the necessary checks-and-balances to ensure that these goals are being met. From a governance perspective, the primary objective is to ensure that stakeholder (especially shareholder) rights are taken into account, and that management is acting in the best interests of the business and its investors. As an enabler, IT plays a vital role in governance since it can help drive efficiencies which then translate into increased profits and earnings, and shareholder value.

2. In order to meet its strategic objectives, the corporation must ensure that it suitably manages and mitigates risk. There are several areas of risk management that an organization is concerned with, including financial risk, market risk, operational risk, credit risk and so on. One of the most prevalent tools, especially from a process risk perspective, is the establishment of a robust system of internal controls to reduce the likelihood of errors and fraud. While not all risk can be eliminated, many risks can be mitigated.

Management must adopt a top-down "what-matters-most" approach to determining which risks are worth mitigating and which ones are not. Specifically, if the cost of managing and mitigating a risk exceeds the benefit, management may decide to accept that risk and let it remain.

3. Compliance is required for a corporation to remain "legal". Specifically, there are laws, rules and regulations that all companies must comply with; some of these may be industry-specific while others cut across all industries. Recent examples of regulations include industry-specific ones like GLBA and HIPAA, and across-the-board public company ones like Sarbanes-Oxley (SOX). Oftentimes, industries recommend and/or adopt standards which become the operating norms for those industries. Examples include ISO (International Organization for Standardization) and CMM (Capability Maturity Model) standards for manufacturing and software respectively. When properly implemented, compliance requirements serve a dual purpose: (a) to help reduce and manage risk exposure for the corporation itself, such as the "segregation of duties" and information security requirements that SOX imposes from an internal control perspective, and (b) to help reduce and manage risk for the economy and environment at large, as is evidenced by the data protection, IT security and other rules and standards that emerge from regulations such as HIPAA, GLBA and SOX.

Due to the significant dependence of business on IT, IT plays a very important role in enabling GRC within the organization.

Specifically:

1. IT must be an important aspect of a company’s overall strategic goals and direction, since it can be used to not only provide competitive advantage in the marketplace, but also helps ensure that stakeholder obligations (such as those related to timely and accurate financial reporting) are met by the corporation. Thus, IT has become an increasingly important topic of conversation in governance boardrooms and the various committees of the board of directors, including most recently the audit committee which is required to ensure that audit functions of the company are executed in a fair and timely manner, and in compliance with the specific rules and guidelines for accounting and auditing.

2. Due to the process-oriented and operational nature of several regulations (both industry-specific like HIPAA, as well as the more general ones like SOX), IT is able to help companies comply by simplifying, streamlining and automating aspects of the business that may previously have been manual.

While the "simplifying and streamlining" is often a business activity (e.g. Business Process Reengineering, BPR), automation through IT takes it into the realm of increased efficiency, repeatability and predictability (see, e.g., Total Quality Management, TQM). In today's business environment, there are aspects of compliance that are virtually impossible to satisfy without the proper use and implementation of IT; "segregation of duties", for example, is enforced in practice through IT access controls that prevent any one identity from holding two conflicting permissions.

3. Due to the repeatability and predictability of operations made possible by IT, we are better able to predict and therefore manage risk and vulnerabilities within the organization. This aspect of risk management and mitigation stems from the fact that IT is able to automate and thereby reduce the number of outlying variations of results and outcomes. It must be noted, however, that IT is serving as an enabler in this case and ultimately the risk management and mitigation is still a business (not technology) function of the organization.
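The segregation-of-duties control mentioned in item 2 above is, in IT terms, a check over who holds which permissions. The following is an added example written for this edit (the article itself contains no code, and none of the role names, permission names or conflict rules below come from it; they are constructed to look like a typical accounts-payable setup). It goes slightly beyond the text by checking two things: whether any user's combined roles give them a toxic pair of permissions, and whether any single role is toxic by design, which no amount of careful assignment can fix.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added illustration for this article; all names and rules are constructed
samples, not taken from any real system or from the article.
"""

# Hypothetical role -> permission map (constructed sample).
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "treasury":   {"payment.release"},
    "sysadmin":   {"user.create", "role.assign"},
    "auditor":    {"ledger.read"},
}

# Toxic permission pairs: one identity holding both defeats the control.
# Each rule is (permission_a, permission_b, what the holder could do alone).
SOD_RULES = [
    ("vendor.create", "payment.approve", "create a vendor and approve paying it"),
    ("payment.approve", "payment.release", "approve and release the same payment"),
    ("user.create", "role.assign", "create an account and grant it roles"),
]


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def find_sod_violations(assignments, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return {user: [(perm_a, perm_b, reason), ...]} for every toxic pair a user holds.

    The check is done on effective permissions, so a conflict that arises only
    from the combination of two individually harmless roles is still caught.
    """
    violations = {}
    for user, roles in assignments.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [(a, b, why) for a, b, why in rules if a in perms and b in perms]
        if hits:
            violations[user] = hits
    return violations


def toxic_roles(role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Roles that contain both halves of a toxic pair on their own.

    These are design defects in the role model: assigning such a role to
    anyone violates SoD, so the fix is to split the role, not to reassign users.
    """
    return {
        role
        for role, perms in role_permissions.items()
        if any(a in perms and b in perms for a, b, _ in rules)
    }


# Constructed sample user -> roles assignment.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager", "treasury"],    # approve + release: conflict via two roles
    "carol": ["ap_clerk", "ap_manager"],    # create vendor + approve payment
    "dave":  ["sysadmin"],                  # a single role that is toxic by design
    "erin":  ["auditor"],
}

if __name__ == "__main__":
    for role in sorted(toxic_roles()):
        print(f"role design defect: {role} bundles a toxic permission pair")
    for user, hits in sorted(find_sod_violations(SAMPLE_ASSIGNMENTS).items()):
        for a, b, why in hits:
            print(f"{user}: {a} + {b} -> could {why}")
```

In a real deployment the two maps would be exported from the identity provider or ERP system rather than hard-coded, and the report would be run on every role change and as part of the periodic access review, which is the evidence an auditor asks for.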

Enabling GRC in IT

We have looked at using IT to enable GRC within the business. However, IT in itself is a business function and therefore requires its own GRC. Specifically, the IT organization within a corporation must be better governed and has its own sets of rules and regulations that it must adhere to. There are also several proposed standards for risk management and mitigation within the IT organization, the most prevalent one being Special Publication 800-30 from the National Institute of Standards and Technology (NIST).

1. While most organizations do not currently have a technology committee on the governing board of directors, it certainly is a recommendation that at a minimum the CIO participate in board meetings focused on both strategic as well as operational aspects of the business. The reason is to ensure that IT is treated as an integral part of the planning process rather than as an afterthought. CIOs today are playing a more important role in board and steering committee meetings, and the ideal CIO today is less of a technocrat and more of a business person who is able to wear a technology hat due to his/her background in IT.

2. As briefly mentioned above, risk management standards specific to IT are starting to emerge, and while the familiar business risk management frameworks (such as COSO, the Committee of Sponsoring Organizations of the Treadway Commission) remain well-suited for IT, the IT-specific ones provide an increased level of guidance and granularity when it comes to managing risk within the IT organization and infrastructure. For instance, NIST SP 800-30 discusses risks (and mitigations) specific to hardware, software, interfaces, information, users, processes, criticality and sensitivity, all of which have business implications, but none of which are typically addressed in a business GRC conversation or assessment. A large part of Disaster Recovery/Business Continuity (DR/BC) planning today focuses on IT.

3. As with the non-IT aspects of a business, we are starting to see a plethora of compliance regulations emerge for IT as well. These include rules and standards related to such areas as data privacy, information security and DR/BC. This list of regulations will only continue to grow as our reliance on technology increases.

When distilled to their core, most of these regulations and standards have one primary goal: to reduce the risk exposure of the corporation and its stakeholders.

Conclusion

IT plays a dual role in GRC. It is an enabler of GRC, and it also has its own GRC requirements that it must abide by. In order to effectively and efficiently manage risk within the organization, corporations employ a combination of laws, rules, standards and regulations that take some of the guesswork out of their operations (both IT and non-IT), so that the business can focus on the highest value-add strategic and governance activities.
Copyright ©2008 The Compliance Authority, Inc. | Privacy Policy