In recent years, the focus on complying with Sarbanes-Oxley has shifted to an emphasis on improving overall risk management at enterprise companies. In this tip, French Caldwell, a vice president and Gartner fellow who spoke at the recent Gartner Symposium/ITxpo, offers advice to CIOs and IT leaders on how to carry out this important task.
In recent years, the emphasis has begun to shift from the compliance Sarbanes-Oxley requires toward improving overall risk management at enterprise companies. Regulators are putting pressure on boards of directors to improve their risk oversight, resulting in a top-down push to improve the enterprise's understanding of its general risk exposure as well as of threats to its strategic objectives, Caldwell said. This means that CIOs and IT risk managers are increasingly being asked to demonstrate precisely how IT is linked to business risks.
In a recent Gartner risk-management survey, about 43% of respondents said the risk-management data IT provides does influence board-level decision making, Caldwell said. This might seem like good news, but it means that a majority of those surveyed didn't think IT information influenced board decisions. Not only that, but some of those surveyed questioned whether boards even understood the data IT provided.
To increase that percentage, CIOs need to communicate the connection between IT and the business to the board more clearly, Caldwell said. To begin, the CIO must sort out two questions: What are the roles of the board, the CIO and other IT executives with respect to enterprise risk management? And when reporting to the board, how can the CIO relate risk to the business objectives of most concern to the board? Caldwell emphasized two guiding principles for answering these questions:
- Business objectives are IT objectives. In essence, the IT organization and the rest of the business at some level share the same business objectives. This gets everyone moving in the same direction.
- IT risks are business risks. If it is established that business and IT share the same objectives, it follows that any IT risks are also risks to the business. This helps solidify a common focus on business outcomes.
Prima facie, it should be understood that the board does not manage risk, Caldwell said. "The board's role in risk management is to ensure there is an effective risk-management plan in place and that the management of the company is effectively implementing it," he said. "They have an oversight role."
Any regulator who comes to meet with board members -- which is happening with increasing frequency in large enterprises, particularly in the financial services industry -- will ask questions targeted at figuring out whether the board is really involved in overseeing the risk-management plan.
"[Board members] are saying an effective risk-management program means … they're not just getting a report once a year on the top ten risks, they actually have risk indicators that management is monitoring," Caldwell said. Those indicators are balanced against the risk appetite for the company, which is the whole purpose of a risk-management plan -- balancing the two.
In that light, CIOs need to understand the IT risk indicators that would prevent or impede the business from achieving its strategic objectives. The distinction is important. Rather than focusing on risks to IT assets, the CIO homes in on the business-performance risks where technology plays a role.
"That doesn't mean we're no longer concerned about the risk to IT assets, but we're looking at that in terms of the processes that lead us to performing against the business objectives that have been established by the board and senior management," Caldwell said. "It's this business-performance review we need to take forward with us when we go in to report to the board."
When making the presentation, their hours spent preparing notwithstanding, CIOs should bear in mind they will have only about 15 minutes to make their case -- and it might be the only formal opportunity to do so in a given year. The presentation is no time for surprises or new information, Caldwell stressed. The chief risk officer, the chief financial officer, CEO and possibly key board members should know in advance what the CIO will be talking about.
The actual presentation should ideally consist of only four slides, Caldwell advised:
- Slide one: List three to six of the enterprise's strategic objectives. This shows the board that you, the CIO, know and understand what they are. In other words, you know what is important to the board.
- Slide two: Identify the IT risks that have the most impact on each of the aforementioned strategic objectives.
- Slide three: Describe the risk-management initiatives underway to manage the aforementioned risks.
- Slide four: Review and wrap up the presentation.
Let us know what you think about the story; email Karen Goulart, senior features writer.