Effective Board And Audit Committee IT Risk Management

Monday, October 1, 2007 - 01:00

Editor: Please tell our readers about Amper's Technology Risk Services Practice.

Schroeder: Our practice delivers services to help our clients understand and control technology related risks associated with financial and operational governance. Our clients typically have technology intensive business models in industries such as insurance, banking, service providers, and supply chain companies.

Editor: What are the inherent risks that companies face from the use of technology?

Schroeder: We live in an era where technology is pervasive and companies depend on it to conduct their businesses. Technology is the ultimate double-edged sword because the more that a company seeks to leverage it, the greater the risk it poses to its business.

Technology risk usually manifests itself in one of four primary categories. First, financial governance risks are associated with the risk of loss of integrity in transactions and in financial reporting. Second, business process risks result when a company risks not leveraging technology to support its needs in order to compete effectively and efficiently. Third, compliance risks are risks associated with not fulfilling regulatory requirements relative to the safe operation of information technology. Finally, security and privacy risks are the risks that the IT infrastructure and/or confidential data is compromised in some manner, whether from internal or external sources.

Editor: Which of these risks do you encounter most often when working with clients?

Schroeder: All of these risks are very common in companies. Our clients have found that by addressing the root causes of these risks, they get significant leverage to drive cost-effective solutions. For example, poor alignment of business applications to business needs typically results in risks to financial governance, operational governance and perhaps also compliance and security risks. By finding and fixing the root cause, and aligning technology to fit the business, the company can get the best bang for their buck. In most cases, we can trace significant instances of IT risk back to how IT is governed at the executive level.

Editor: How do you work with clients to mitigate these risks?

Schroeder: We typically begin by helping the client understand what their needs are. They often do not know the specific risks they face but their instincts tell them that there is a problem and they want to work with someone who can help them articulate those risks. We look at how technology is, or is not, being used in the business, and from there we take a comprehensive approach, looking across each risk dimension, to identify the inherent risk represented by the technology the company employs. We then look at the controls in place to mitigate those risks, and, when appropriate, we suggest changes in those controls to effectively manage IT risks. Most importantly, we evaluate how our clients manage technology, and whether they have the proper governance controls. This is akin to a top-down approach to financial controls.

Editor: Does this process take place as part of a periodic review or do you come in when a problem is detected in an organization?

Schroeder: We typically are engaged when a client is experiencing a serious compliance or operational problem. It is generally at the time a problem arises that management recognizes it would have been best to have taken a preventative approach to manage their IT environment, and that they need to improve the overall governance that they have in place to prevent the occurrence of such control problems. After we have resolved the immediate problems and established a more effective control environment, our clients frequently ask us to engage in periodic monitoring to make sure they stay on track.

Editor: What are the costs associated with operating with inaccurate and ineffective IT systems?

Schroeder: The costs are both tangible and intangible and can be quite severe. It is not uncommon to see front-page headlines such as restatements due to financial IT control gaps, breach of networks impacting company security and client privacy, etc. Typically, companies do not see the costs of poor IT controls until a problem arises. Many companies struggle with financial integrity and institute costly work-arounds, or IT does not effectively meet business needs and they have work-arounds, or they take chances with compliance and security risks.

Editor: How often should companies test internal IT controls and train staff to mitigate these risks?

Schroeder: It depends on the risk associated with the controls. We encourage companies to take a risk-based approach to establishing IT controls and then to establish a program for periodic testing of those controls. Controls for functions that are deemed to be more mission critical should be tested very frequently whereas controls with lower risks should be tested less frequently. We also encourage companies to deploy ownership and accountability for effective controls to the people that are most closely responsible for the execution of those controls. This helps to ensure that controls are executed when they need to be and that you have the right level of awareness and understanding to make the control environment as effective as possible.

Staff training should also be part of those controls. There should be an understanding of the risks represented by particular technology and the responsibilities associated with the testing of controls so that training is targeted towards each group in the organization.

Editor: Why should the board of directors and audit committee of a company be charged with overseeing IT risk management?

Schroeder: The issues and the impact of IT risks encompass the entire company. The CIO or IT department may have responsibility for the acquisition or deployment of technology, but it is senior management's responsibility to change business models and business processes to effectively leverage technology for a competitive advantage. Management of IT risk is an extension of the management of the strategic dimension of technology. For example, if management is committed to leveraging technology to achieve a set of objectives, then it becomes incumbent on them to also understand and manage the resulting risks represented by the technology.

Editor: How should a company structure the reporting of IT risks to the board of directors?

Schroeder: An independent reporting relationship is often most effective. Whether that function is carried out by a chief internal auditor, a chief risk officer or a compliance officer, we encourage our clients to institute an independent monitoring function which oversees IT risk management and reports into the audit committee. In some cases it makes sense to tie that independent function into the general counsel's office or the compliance department.

Editor: What advice do you have for directors and audit committee members to ensure effective oversight of a company's IT risks?

Schroeder: They should commit themselves to increasing their awareness of the IT risks, and we expect that just as board members have become more savvy with respect to financial and corporate governance issues, they will now take time to become more familiar with IT governance. It is going to take a commitment on their part to recognize that if they lack subject matter expertise, they will need to take steps to remediate that.

Editor: How tech savvy do directors need to be?

Schroeder: Directors should become more tech savvy than they were in the past due to the fact that technology has moved so rapidly over the last decade. There are not a great number of board members with the needed technical expertise. As businesses become more technology dependent, it is critical that boards include one or more individuals that are tech savvy. This does not mean that board members have to become proficient technical experts but they certainly need to be proficient enough to understand how technology shapes their business and what it takes to effectively manage technology. They also need to understand how technology creates risks and the effective approaches to manage those risks so that they can better leverage the benefits of technology.

Editor: Does it make sense for directors to rely on an expert's report of IT risks without taking the time to make their own independent determination about those risks?

Schroeder: There is a parallel with what is expected of directors in terms of financial governance and financial controls. Even though they would be able to rely on and leverage internally generated reports, given the significance of the risks associated with technology, it makes sense for our clients to have an independent review function over those reports.

Editor: How involved should directors or audit committee members be in the selection and review of IT solutions?

Schroeder: Depending on the nature of their business model and the role of technology in the company, the audit committee and the board should be very involved. For example, we have clients whose business model and ability to compete depends entirely on how well they select and deploy appropriate technologies. In these situations we know the board is very involved in evaluating alternatives and then monitoring deployment of technologies against strict deployment methodologies. In general, we would expect the audit committee to have ensured that the company has effective methods and controls for selection and deployment of IT solutions and that they have independent monitoring in place to ensure that these controls are operating effectively.

Editor: What IT integration risks do companies face when they engage in M&A transactions?

Schroeder: Successful transactions are dependent on the ability to leverage the joint companies. This is typically dependent on the ability of management to integrate the systems and processes from the merged companies. There is always a risk that the systems and data will be more costly to integrate than anticipated.

Editor: How can these risks be mitigated?

Schroeder: The risk can be mitigated by extending the due diligence procedures to understanding what the requirements are for an integrated information system to enable a successful merged company. Typically that will be dependent on the ability to leverage solutions to get some synergy out of joint business processes. The due diligence would extend to understanding the steps it would take to get the data and the information systems integrated and merged to yield the benefit that they are expected to get out of the merger.

Editor: Should the ultimate goal be system integration or can a global company operate effectively with disparate IT systems?

Schroeder: There are integration technologies and advanced middleware logic that our clients have deployed that have enabled them to leverage disparate legacy systems as opposed to adopting more of a unified enterprise information architecture. Every situation is different, but our approach is that if individual business units are effectively being fulfilled by their information systems, then the company should look seriously at integration technologies that will enable them to protect the investment associated with those existing legacy systems. They should also expedite the time by which they can begin to realize the benefits of integrating the data and the processes across the business units.

Please email the interviewee at dschroeder@amper.com with questions about this interview.