Managing Risk from a Board's Eye View
Intensified concerns about risk management, auditing and fraud detection, and corporate governance have prompted boards and top management teams to take an even more active role in the oversight of business strategy and key enterprise activities. Significant regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the Patriot Act have further raised the stakes.
The failure to meet the required attestations, the unintended violations of privacy and confidentiality, or the heightened vulnerabilities to identity thefts are likely to invite adverse reactions from regulators and from the stock market. As business technology becomes embedded in core organizational processes, control systems and decision support systems, it is vital that boards appreciate the material risks due to technology and understand the risk-mitigation strategy.
An enterprisewide perspective is needed to guide the use of business technology in implementing effective, economical enterprise risk management systems that facilitate both management control and performance auditability. With greater complexity in the processes and structures for managing business technology (as a result of outsourcing, offshoring, and applications and Web site hosting, for example), there is a need for more sophisticated models of enterprisewide risk assessment that factor in not just the internal risks, but also the risks inherent in sourcing and external partnering.
Boards and top management teams must provide active oversight over the impact business technology risks have on the business, and ensure the effectiveness of the governance systems in mitigating these risks. Boards must remain vigilant, always looking at both the business and technology sides of their organizations.
Dr. Leslie Willcocks, professor in technology work and globalization at the London School of Economics, observes many companies, and has a deep understanding of the risks they face and how well they manage them. According to Willcocks, one of the most common risk-related issues organizations face is strategic in nature, caused by a disconnect between technology and the business. He explains:
A frequent problem I see is that the business doesn’t understand how technology can be used. They don’t have a technology view of their business. People very often accuse IT people of not being business-focused. But I think there’s an alternative accusation: Business managers and business strategists don’t really have a technology view of their business, and yet this stuff is absolutely in the skeleton of the operation. It’s a two-way thing, and quite frequently, technology gets blamed for things that business people are not actually doing themselves.
Strategic risk refers to the vulnerabilities companies face because of poorly envisioned or executed business strategies. Within business technology management, the focus is on risks at the intersection of business technology and business strategy. Regulatory compliance refers to corporate adherence to different regulatory expectations related to financial reporting and data management. Poor regulatory compliance invites liabilities of civil or criminal punishment and shareholder lawsuits. Other forms of risk include systems and sourcing risks. Although business and technology executives are likely to manage those forms of risk, the management of strategic risk and regulatory compliance must reside at the board level.
The following strategic risks must be managed at the top:
• Business model risk refers to the robustness of the business model and how well it is being executed.
• Competitive risk pertains to the ability to sustain competitive action and retaliation.
• Investment risk relates to the ability to manage business technology spending in a business environment in which capital is scarce and technologies are volatile, expensive and not easily understood.
• Integration risk refers to the risks of inadequate integration between business technology investments and business processes.
• Misalignment risk pertains to inadequate alignment between business technology spending and business priorities.
• Governance models risk relates to the risks of inadequate participation and involvement of business and technology executives on key business technology management decisions.
The management of regulatory compliance has always been an area of board oversight. However, the strategic importance of information and the nature of current business technologies have raised the stakes regarding the privacy, security and confidentiality of information. In particular, there is heightened sensitivity to safeguarding not just sensitive corporate transaction data, but also data about customers, employees and business partners.
The pervasiveness of business technologies has made it far easier for such information and data to be taken without authorization. In addition, with heightened concerns about terror, regulations increasingly compel organizations to furnish more data than before. The management of compliance requires attention to the following:
• prevailing regulations;
• maintaining and protecting data about transactions, customers, employees, and business partners;
• alerting stakeholders about incidents of unauthorized access;
• providing the affected stakeholders with assistance;
• the potential for economic sanctions and the threats to business continuity due to noncompliance;
• effectiveness with regard to managing data in conformance with the regulations and stakeholder expectations; and
• the cost of responding to the compliance expectations.
Faisal Hoque is chairman and CEO of BTM Corporation. BTM innovates business models and enhances financial performance by converging business and technology with its unique products and intellectual property. © 2008 Faisal Hoque