Business model risk probably is not always the first application of risk management that C-level officers or IT administrators think of, as they are usually more concerned with risk management as it applies to security or compliance. Amit Sen, director and practice leader at Patni Americas Inc.'s business consulting services group, and John Vaughan, director of industry solutions in the group, have a different view on the importance of business model risk, and they spoke with SearchCompliance.com Executive Editor Scot Petersen about the subject. The transcript that follows includes extended excerpts from a Compliance Advisor podcast recorded this week.
This interview continues our discussion from a few weeks ago, when I met Amit and John at the MIT Sloan CIO Symposium. We were in the "IT Governance, Risk and Compliance" panel. During the Q&A period, John asked the panel if they thought that risk management was too focused on security. A few of the panelists danced around the question and never answered it. Later, I asked John if he thought the panel had answered his question. So John, let me start with you. What were you trying to ask the panel that day, and what did you think of their answer?
Vaughan: We were at MIT and we had some heavyweights on the panel. One was from the SEC [David Blaszkowsky] and another from Sallie Mae [Karen Kotowski]. We were talking about this idea of governance, risk and compliance.
It sounds so important. But we just came through a financial crisis where people or companies were not watching risk, which is the middle term. My primary question was that the last seven years of IT strategies around SOX [Sarbanes-Oxley] compliance seemed to be very focused on security, and hardening the assets and making sure who has the data, and who could see the data. But at the end of the day that does not address the systemic risk that businesses are facing, and how do you get companies to focus more on looking at risk to their business models -- not necessarily risk to what is essentially breaking and entering, or unauthorized access to data? And the panel just didn't know how to answer that.
I think they've been deeply entrenched in the spirit of trying to create security and maybe transparency in reporting, but there hasn't been much focus on putting my business model at risk. And we thought it was a very appropriate topic. [Most executives] talk about process automation, and how process automation is taking business processes and automating them, and then you think about risk. And the question we're trying to pose to the industry is can we take the maturity of a GRC process and turn it onto business model risk instead of security or procedure risk so we can adopt a mature process that already has the CIO's attention, and say, we would like to focus this process, and now let's look at risk to the enterprise business model. Are there things we're doing to automate or going to automate; are there automation changes we are doing that can accelerate the risk to our business model.
In the world of manufacturing you don't have to look very far below the surface to see that people have automated processes that are losing the company money or creating additional risk, and we would like to introduce into the IT governance stack this idea of what procedures can we put in place so that we are watching whether these new things we're automating create risk for the business model. So it's one of those questions: Yes, IT could do it, put up a website, form partners with third parties, and you could connect everybody. But are you introducing risk to the core business model of profitability and market share and leverage. If you take that same process and put a checkmark on it, and go, "I'm going to watch business model risk as part of this process," then I think you really start to address the concerns that were raised when they created the Sarbanes-Oxley legislation, which is not only how do you get more transparency, but you really are trying to answer the question, how do you reduce the chance of a catastrophic failure due to unseen business risk.
Amit, do you think that risk managers can really spend too much time on security?
Sen: The root question is, what is risk, how does risk get introduced by IT or in an IT platform process? And is it about securing the gates or is it about securing the causes that introduce risk that impacts your business model. Or do we primarily focus on password reset and physical risk and security management?
The problem that has happened is IT has become very complex. IT has become global. IT is supporting global platforms, global processes. And IT-enabled processes now have exposure simultaneously to everywhere in the world. So even two to three years ago, if there was ineffective IT governance, if they didn't pay enough attention to risk, the impact was limited so you had some time to react.
Because of a lack of management of the complexity that IT introduces in the system, a lot of times transparency is an issue. People do not know what business processes have been automated, what is the implication of turning on the switch and taking the process global? They do not understand how the applications are connected; they do not understand how the data is defined. So the question fundamentally comes down to what are we securing against? Is it only about separation of duties? That's kind of what Sarbanes-Oxley has forced IT organizations to do. But sometimes they have missed the bigger picture.
We talk about globalization and this world of connected systems. There have been situations where companies have run a promotion globally without understanding the impact it will have on the supply chain. So their system got so overwhelmed that they realized within the first two hours of running the promotion that this was going to be such a tremendous financial disaster for them, they had to put an immediate stop to that. Did they realize and understand before they actually went into this what the implications were, how quickly the impact of this would be felt everywhere within the organization? That is fundamentally where we come from. There is something about physical security, IT security, data security, application security that we have to worry about. However, we need to remind the executives, the IT executive, the business executives, that the lack of effective IT governance, lack of desire to control the complexity within IT systems, portends a much bigger risk and much more disastrous risk to your organization than what you have to do as part of Sarbanes-Oxley.
When applying risk management to business processes, how is this accomplished? How do we measure this risk, and then how can companies interpret that data?
Vaughan: You have to start with ensuring that the company clearly builds their own model and documentation around what their business model is. So if you're a CPG [consumer packaged goods] company and you are shipping products, your business model revolves around manufacturing, market share, profitability and inventory positions. And anything that affects your inventory position, or market share, or anything that affects the profitability of those shipments, needs to go through a GRC check. And you have to model the impact of it.
We're trying to push companies to get out of anecdotal and into modeling. If you are going to change your distribution network, as another example, we had one scenario where the guy says we want to ship every product from anywhere. But if you give them the freedom to ship any product from everywhere, you create chaos in the supply planning system. And there are other little items inside of all these systems that directly affect the model.
Sen: If we look at that from a framework point of view, what is it we need to establish? The first thing to establish is a foundation, an understanding of the current infrastructure, current applications and business process and how they're implemented. The second leg in the framework is a process that's a change-management process or overall risk management process that has IT as a core participant in the process and that is managed and addressed globally. The third thing is to create a risk-awareness culture. Sometimes people tend to forget IT organizations as a significant player in managing the risk in an organization. That has to change, and IT people responsible for IT applications and processes have to be included and get more aware of what a risk awareness culture is and how that brings value.
So when you model risk, are you taking a worst-case scenario, or is there some amount of risk that's acceptable here?
Vaughan: Anytime you introduce a change, you do risk vs. reward. So what we recommend is, they have to understand what the core levers in your business model are. So if you are a wholesaler, maybe it's break bulk [shipping]; banks, it's around leverage. You have to know what your key lever points are. You really have to model it. If it's too complex to model it, you have to reach out. We formed a partnership with some folks at MIT. So if we have a business model that someone wants to make changes to or change the automation system, and it's very complex and global, we'll reach out to a research partner. So you just have to make sure that the change you're going to make really is backed up by, one, where's the industry headed; and two, what the research shows; and three, we see that it does not introduce new risk into the business model.
I don't think you ever want to increase the risk on the business model. All of your projects should focus on reducing the existing risks and costs. You have to do it empirically and understand what really happens. … I wouldn't take on many programs that introduce risk to a core business model. The whole point of bringing up the GRC process, if you put a process in place, you understand which ones increase risk and which ones reduce risks. But most of the IT people running those process automations don't understand whether or not they're increasing risk. All they are trying to do is deliver on requirements.
Sen: Can there be life without risk? I don't think that's necessarily possible, or desirable. However, what we need to understand is where we are introducing risks, and the risk is understood and planned and not a byproduct of a lack of knowledge or visibility into what actually goes on in the organization. We find time and again that the IT organization is not well integrated into this process. Overall risk management and risk mitigation is still not taken seriously.
Who leads this process? Is this outside of IT and if so, what kind of relationship does that person have with IT?
Vaughan: We're at a unique point of history. What's happened in the last 10 years is you have an IT landscape that is dominated by ERP solutions, which drive a lot of process automation. You've actually done a transfer of knowledge from the business department into the IT department of how the business is actually running. You end up with a lot of the process knowledge in the IT department now because they are so tied into these pieces of software that we feel the leadership has to come outside of the realm of IT. They really own the process now, because that's what runs. You can automate a process that could cause you to lose money for years and may not know it, there's so much data. We're trying to adapt, so that if you take the strength of GRC, it should have roles in product portfolio and management. What we'd like to do is adapt that role to look at business model risk. We would team up with either an outside consultancy or an outside research partner like we have been able to do with some of the universities, so you can produce an independent voice on what's going to happen to the business model when changes are introduced.
Sen: There's talk in our industry now: Is the role of the CIO changing? To me it has already changed. The CIO is more of a "CPO," a chief process officer. That has always been the true role of the CIO. Because of ERP and wide adoption of ERP applications, that is the single most important role in any organization that truly has an end-to-end view of what actually goes on in an organization. They also have the data they can pull in; they can slice and dice and look at the processes going on, and all the implications that come with it. It's time to make that to a certain extent formal and responsible to not only execute a process, but truly understand the implication of it on the business model ... and enable the organization to understand the risk and react to it. It has to start with the CIO's office, but it needs the proper alignment with the rest of the executive team. And there has to be visibility of this at the board level as well. There's a certain level of education that has to happen, and the responsibility lies with the process and an understanding that what really goes on is really there.
When you introduce partners into this process, do you have to introduce a separate process, some kind of a partner management program, to vet them for the kind of risk they would introduce into the system or to the business model?
Vaughan: Yeah, you definitely need to box your partners in, in a way that they can perform services well for you. Most IT projects or initiatives have a couple very strong sponsors. Those sponsors have bought into a vision, so what you are trying to do is introduce some kind of objective third party, whether it's the GRC office itself or a research firm or a consulting firm to vet it out and make sure it doesn't impact the model. You have to have a special relationship with those partners to make sure that [the relationship] is not accelerating risk.
At a minimum, we want people to actively manage it so it doesn't look like a due diligence problem. … We're just trying to say we need to be more careful with our automation process and we really need to benchmark them against their effects on the core business model. And if you do see risk you have to manage them. So the metrics have to be defined up front, and how do you incent people to succeed when it's a function you had and then you outsourced.
Sen: IT risk is business risk. Businesses can't afford to assume IT risk is contained within the IT walls. As we go through this process of replacing a technology-driven approach and a fragmented view of IT risk with more of an integrated view, that starts the understanding of the business risk and consequences that come from certain IT decisions. Three thoughts I want to leave everyone with: Beef up your IT governance. A lot of our understanding, or lack of, starts there. No. 2: Manage complexity of your processes and systems, so it's easier for the IT organization to understand business issues. And three, create a risk-aware culture, that there are certain business impacts that happen from certain [IT] decisions or the things they undertake.