So how does a company define what that top-level executive should know and what he can delegate to lower-level IT employees? The person must monitor risks across finance, operations and IT, which could require large-scale reorganization of business responsibilities and provoke some bare-knuckle turf wars. "That's a big question," said James DeLoach, managing director of Protiviti Inc., a compliance consultancy in Menlo Park, Calif. "It's hard. What incentive do [other executives] have to change? Probably none."

At Sumitomo Mitsui Banking Corp., a Tokyo-based bank with U.S. headquarters in New York, IT Director Rise Zaiser said she maintains that sort of relationship with SMBC's compliance director. He interprets all new regulations (which come fast and furious in the banking world); Zaiser acts as liaison with the IT group, explaining to the group what compliance goals must be met and developing ways to meet them. As a foreign-owned bank not traded on U.S. exchanges, SMBC does not face SarbOx obligations directly, Zaiser said. But it still faces risks such as money-laundering clients (now regulated by the USA Patriot Act) and loan defaults (now regulated by an international agreement called Basel II), among many others.

The introduction of a new authority to manage compliance and risk (whether embodied in one top-level executive or divided among a select few) is difficult enough. The IT department must still generate data about those risks and compliance efforts, and somehow deliver them back to the top-level decision makers in a digestible format. "If you don't do that, then at the corporate level, you don't have the ability to gain visibility across all the business units," said Axentis' Frank. "If you don't have some basic level of consistency, you'll never have the business intelligence to drive performance."

In the long run, companies will almost certainly move toward employing a top-level executive to oversee risk and compliance across a corporation, many agree.
Already, the Committee of Sponsoring Organizations, the accounting industry group that devised today's SarbOx standards, has called for risk management as a next logical step and has endorsed the idea of a CRO of some kind. Success on that front, Lam said, will hinge on selecting the right executive and surrounding him or her with the right IT systems to provide the data necessary for good decisions: "He needs to know enough to ask the right questions."

Matt Kelly is a free-lance writer based in Somerville, Mass. He can be reached at email@example.com.
Lam said he sees considerable give-and-take between the chief risk officer and the CIO, since part of the CRO's duty is to manage IT risks, whether they be security, user access, business continuity and so forth. "That doesn't mean the CRO always has responsibility for IT risk, but IT risk is a core element of operational risk," he said. "The CRO might look to the CIO for having a strategy in place."