James Lam preaches a religion sure to scare many corporate executives: that compliance with the Sarbanes-Oxley Act is just the beginning of the reforms corporate America needs to make.
Inspired by his tenure as chief risk officer for Fidelity Investments in the 1990s, Lam envisions a paradise of automated risk management—where companies can measure potential threats to their business and gauge how likely those risks are to occur.
Framed that way, SarbOx's focus on internal controls stands alongside operational risks such as environmental damage and financial risks such as currency exchange rates.
Still, for all the lofty goals enterprise risk management entails, Lam said executives must first solve a puzzle at the heart of IT and personnel management.
“How,” Lam asked, “do you get to the information to develop a composite picture of the risk facing the company?”
“This is absolutely vital, because the alternative is adding more and more people to the end of a business process to manage risk,” said Mark Lindig, head of KPMG LLP's information risk management practice. Considering the surge in regulations surrounding risk, such an approach is simply not feasible for large businesses. “You can't go through this year after year.”
More and more companies are trying not to. Despite the exhaustion of SarbOx compliance efforts, a new wave of enterprise-risk projects is taking root. A few examples:
• Laclede Gas Co., a $1.2 billion gas utility in St. Louis, last year established a three-person “department of risk and control services” to graft lessons learned from SarbOx onto a broader effort to manage risk.
• Houston-based trash disposal company Waste Management Inc. just assigned its head of internal audit to conduct a companywide risk assessment this year.
• SCM Microsystems Inc., a $49 million maker of smart-card security systems in Silicon Valley, now uses its SarbOx compliance systems to tackle other risks such as hazardous-waste reduction.
The goal for these projects is identical: moving from manual processes that detect risks after a breach occurs to automated processes that prevent those risks from growing unchecked in the first place.
The trick is how to get there when responsibility falls across numerous corporate departments, and executives already face a dizzying array of tools to track the necessary data.
“I think it's appropriate to have a consolidated point of oversight, reporting at a very high level within the organization,” said Ted Frank, president of Axentis Inc., a maker of governance software in Warrensville, Ohio. “Not to manage the process, but to define best practices and help guide the organization to the best decision.”
No matter what the approach, IT executives can expect to find themselves in the cross hairs.
Elizabeth Hackenson said she found herself in the cross hairs at MCI Inc. last year. As CIO of the $20 billion long-distance carrier, she was instrumental in helping the company document its internal controls by year's end to comply with SarbOx—but she was not the executive in charge of the project. That responsibility fell to MCI's chief financial officer.
Hackenson said she acted more as a liaison and consultant, advising the CFO on how best to automate MCI's controls and leading the 250 IT employees assigned to the project.
For example, she said the CFO and his SarbOx specialists had decided that MCI had to restrict user access privileges based on a workers job function. Then, Hackenson said, “he allowed me to figure out the solution from an IT perspective to implement those user controls.”
So how does a company define what that top-level executive should know and what he can delegate to lower-level IT employees? The person must monitor risks across finance, operations and IT, which could require large-scale reorganization of business responsibilities and provoke some bare-knuckle turf wars.
“That's a big question,” said James DeLoach, managing director of Protiviti Inc., a compliance consultancy in Menlo Park, Calif. “It's hard. What incentive do [other executives] have to change? Probably none.”
Lam said he sees considerable give-and-take between the chief risk officer and the CIO, since part of the CRO's duty is to manage IT risks—whether they be security, user access, business continuity and so forth. “That doesn't mean the CRO always has responsibility for IT risk, but IT risk is a core element of operational risk,” he said. “The CRO might look to the CIO for having a strategy in place.”
At Sumitomo Mitsui Banking Corp., a Tokyo-based bank with U.S. headquarters in New York, IT Director Rise Zaiser said she maintains that sort of relationship with SMBC's compliance director. He interprets all new regulations (which come fast and furious in the banking world); Zaiser acts as liaison with the IT group, explaining to the group what compliance goals must be met and developing ways to meet them.
As a foreign-owned bank not traded on U.S. exchanges, SMBC does not face SarbOx obligations directly, Zaiser said. But it still faces risks such as money-laundering clients (now regulated by the USA Patriot Act) and loan defaults (now regulated by an international agreement called Basel II), among many others.
The introduction of a new authority to manage compliance and risk (whether embodied in one top-level executive or divided among a select few) is difficult enough. The IT department must still generate data about those risks and compliance efforts, and somehow deliver them back to the top-level decision makers in a digestible format.
“If you don't do that, then at the corporate level, you don't have the ability to gain visibility across all the business units,” said Axentis' Frank. “If you don't have some basic level of consistency, you'll never have the business intelligence to drive performance.”
In the long run, companies will almost certainly move toward employing a top-level executive to oversee risk and compliance across a corporation, many agree. Already, the Committee of Sponsoring Organizations—the accounting industry group that devised today's SarbOx standards—has called for risk management as a next logical step and has endorsed the idea of a CRO of some kind.
Success on that front, Lam said, will hinge on selecting the right executive and surrounding him or her with the right IT systems to provide the data necessary for good decisions: “He needs to know enough to ask the right questions.”
Matt Kelly is a free-lance writer based in Somerville, Mass. He can be reached at email@example.com.