Threats to business survival are multiplying.

ENTERPRISE RISK MANAGEMENT (ERM), corporate governance and regulatory compliance are about keeping the CEO out of jail, sometimes for errors of commission, other times for sins of omission. The three form part of a continuum of policy, process and technology meant to control human malfeasance - in all its forms.

CEOs can today land in jail not only for raiding the corporate cookie jar, but also for failing to prevent the office pervert from loading images of child abuse onto the server.

Compliance legislation and regulation, such as the US Sarbanes Oxley Act that applies to multinationals like South Africa's Gold Fields and SAB Miller because they are listed in New York, is mainly a state response to corporate shenanigans such as those that brought down Leisurenet and Fidentia.

CORPORATE GOVERNANCE REDUX

Governments, worldwide, and for as long as one can remember, have been reluctant to interfere in the business of business. As a result, compliance measures, when promulgated - normally as a result of public pressure, actual or anticipated - have been the classic exercise of closing the stable door after the horse has bolted.

South Africa currently has nothing comparable to Sarbanes Oxley, although the Companies Bill, expected to become law next year, and new legislation governing the auditing and accounting professions may leapfrog this country ahead of the US. However, all of these still prescribe a large dose of self-policing, which brings us to corporate governance.

DEFINITIONAL ISSUES

Derek Hitchman, operations manager at Guideline Risk Technologies, says the concept of risk management has expanded to include all types of threats, including fraud, poor quality products, legal suits, poor performance, bad contracts and decreasing profits.

Wikipedia notes that ERM is similar to operational risk management (ORM), but also includes credit risk and market risk. ORM, it says, is the oversight of many forms of day-to-day operational risk, including the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

RISKY BUSINESS

Within the context of business - and this feature - the operational aspects of corporate governance and regulatory compliance can be lumped under the ERM rubric. ERM is itself a vast field and includes substantial overlap with identity management, disaster recovery and business continuity planning.

ERM is ultimately about business survival, not technology. Obvious perhaps, but many miss this point, says Magix Integration director . "Many people seem to think risk management means IT risk management, but this is not the case," he argues. "Including IT in the ERM framework is obviously necessary, but companies also need to include every operational area in their risk mitigation exercises if they realistically want to protect the organisation." Leaving something out is "akin to installing a safe but never locking its door", adds iLAYO Software Solutions MD .

The risks organisations today face come from so many different areas, angles and people that no company can realistically expect to avoid damage if it does not have a holistic ERM framework in place, Lubashevsky says. "Most companies have some type of risk mitigation strategy, but they all leave gaps through which staff or external entities can gain access to restricted data or applications."

Lubashevsky cautions that "there is no area of business that is not vulnerable"; therefore organisations need to examine all their processes, applications and operations.

Ignoring ERM is as dangerous as over-investing. It is a balance between the possible and probable.

GETTING GOING

"The first step in any ERM strategy is to acknowledge that one is at risk," says Lubashevsky. "The next logical step is to open all corporate processes on the micro and macro level to scrutiny and analyse them individually and in functional groups. Once risks are identified, a value must be attached to every one and the probability of a worst-case scenario happening calculated," he says. "Management then needs to decide which risks need to be dealt with immediately and which they can live with."

Lubashevsky adds that this may seem very simple, "but in corporations with political camps and personal empires, it can be very difficult to implement unless there is a concerted effort made to change the culture of the organisation".

Nkanza adds that companies first need to understand the risk and compliance issues affecting their industry and discipline. "Once understood, they can be more effectively addressed and better decisions can be made regarding the tools to use in mitigation. There is no one-size-fits-all solution," he warns.

CURIOUS CULTURE

Risk mitigation, Lubashevsky says, succeeds in an open, cooperative culture, while a secretive organisation is a paradise for criminals. Adrian Risi, a regional technical specialist at Compuware Southern Africa, agrees. "Today, the biggest threat facing organisations is internal, and companies need to protect both their customers and their business from crooked staff," he says.

ContinuitySA director adds that companies need to focus on the ethics and morals of conducting business and combine that with the traditional rules, processes and methodologies. "Governance rules will only be effective in an environment where the ethics of conducting business are respected," Nielsen says. "And, as always, the process needs to be driven from the top down. If management is not committed, nobody else will be."

GETTING IT

Technology is everywhere in today's business environment, says Lubashevsky, and increasingly also in the social sphere - and therefore plays a critical role in ERM. "To attempt to manage risk without including IT is a sure-fire route to disaster, as this approach will leave enormous gaps in the ERM strategy," he cautions. "In addition, technology needs to be part of any risk management implementation if it is to succeed." IT is fundamental to ERM, agrees iLAYO's Nkanza: "IT is a critical component of ERM, it is the enabler."

Nielsen concurs but argues that IT cannot take over the ERM function. "IT plays a role in ERM as there are many tools designed to make the process easier, but from a big picture point of view, IT is a vital area of the business that needs ERM - along with many other areas," he says.

Lubashevsky adds: "It is critical that companies do not fall into the trap of resorting to technology to secure their IT infrastructure. The temptation is there to buy a few applications, install them and hope nothing bad happens. These point solutions can play a vital role in the overall risk management strategy, but they must be used as components of an overall solution, not the solution itself."

Risi at Compuware Southern Africa says it's best to trust no-one: "Even if a company has a plan in place to prevent unauthorised users from accessing data, it needs a solution that provides insight into the actions of [otherwise] trusted users." Laxity invites corruption, "potentially on a massive scale", says Fraxion CEO , which brings the focus back to "best practice".

GOVERNANCE

"At the moment, best practices and standards are a minefield," says ContinuitySA's Nielsen. Lubashevsky, at Magix, says best practices "first depend on the industry one operates in, the culture of the organisation and the country the business is located in. Second, they depend on a company's willingness to acknowledge risk and make the changes necessary to mitigate it. Thirdly, the best practices chosen will depend on what risks management is willing to live with."

"Implementing some form of 'IT Governance Lite' that does not cover the entire organisation is a waste of time and money, as it will leave gaping holes through which criminals will dismantle your company," warns Lubashevsky.

, CIO of , defines governance as a "framework that allocates decision-making rights and accountability, and defines policies, procedures and best practices." He points out that although compliance with appropriate or chosen standards is often not a legal requirement, it goes a long way towards strengthening a business's reputation. "Displaying your compliance and showing that your house is in order can give your business a competitive edge," he says. And that's where the focus again turns to IT governance.

GUARDING THE BACKBONE

Nkanza says IT governance is a fundamental building block of any ERM strategy since business is beholden to IT. "Businesses do very little today that does not involve IT and an enterprise governance strategy will, therefore, have an impact on technology and vice versa," he says. "Similarly, since the whole enterprise is dependent on technology, IT governance must be implemented across the entire organisation to ensure all risks are mitigated."

He continues: "IT governance is the backbone of enterprise governance, as mentioned before. Enterprise governance covers all areas of the company, including IT, while IT governance makes sure the tools and technical processes needed to underpin the enterprise function effectively and according to the best practices the organisation has previously defined."

Nielsen says the starting point on the journey to good IT governance "is to get the company's ethical and business culture right and ensure a well-planned, practical implementation of the technical processes." Nkanza takes a more involved view: "Firstly, the IT governance strategy must be aligned to the enterprise governance strategy since IT is the enabler of organisation-wide ERM," he says.

"Secondly, the IT governance process must also include an asset management component since corporate governance relates to how the company will use and maintain its assets to help it achieve its objectives. Finally, an IT service management strategy must also be included. IT provides a service to business (which is IT's customer). This means there must be clear metrics of how it aligns its technical services to corporate objectives."

And that's the rub. ERM, like everything else, requires realistic, measurable objectives, a roadmap to get there and the necessary will to make the journey.
