Tichaona Zororo, EGIT


Enterprise risk management (ERM) must not be driven by events, as this approach usually does not result in an organisation getting the desired results.

So said Tichaona Zororo, director of EGIT, in a keynote address during the ITWeb Governance, Risk and Compliance Conference in Johannesburg recently.

According to Zororo, rather than being reactive, organisations must be proactive when putting ERM measures in place.

“ERM is not about patching up holes,” he said. “It is also not about taking a ‘stove pipe’ approach that only fixes short-term problems.”

According to Zororo, ERM is a central part of the strategic management of any organisation. “It is the process whereby organisations methodically address the risks attached to their activities.

“Risk management should be supported by an appropriate structure to the organisation and its external environment like size, nature and complexity. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.”


He added that risk management must be integrated into the culture of the organisation and this will include mandate, leadership and commitment from the board.

Mike Jarvis, CEO of OverSight Solutions, also spoke of the importance of board buy-in for governance. He says local organisations fall behind when it comes to IT governance and see the practice as a cost imposition, instead of a value proposition. This is the wrong approach.

A board of directors’ primary function is to maximise value for all stakeholders. Governance is the process by which value is evaluated, directed and monitored. “Why then does IT’s performance always disappoint?” he asks.

It is his view that a radical mindset change is needed when it comes to IT governance. He says the value of IT and how to maximise it are not being adequately addressed.

Another problem, he says, is that most directors and executives have little understanding of IT and don’t know how it can solve problems, what value drivers are critical to technology, and what measures are relevant. Similarly, he says most CIOs and IT executives place too little value on the business value to be gleaned from technology.

Most CIOs do not know how to report value comprehensively and in a way that directors understand, especially when it comes to what services produce value, what drives consumption, and what trade-offs exist between service, quality and cost.

Vincent Mello, manager: system administration and risk management for IT infrastructure and operations at , agreed that proving business value is a stumbling block for organisations.

According to Mello, measuring the value of IT in a business has never been an easy task for many organisations. “IT expenses are usually seen as a black hole by many enterprises,” he said.

He said that to provide a single recommendation about how to measure IT and what metrics to use is difficult because business executives have very different goals for IT, which means the context or environment in which IT operates is a key factor and should be considered when researching IT payoffs.

However, Mello said IT reporting and measurement is critical in keeping businesses up to speed and can be a competitive differentiator.

Therefore, he urged IT to establish outcome and performance measures, supported by metrics and targets that assess progress towards the achievement of enterprise and IT objectives as well as the business strategy.

Mello also pointed out that performance measurement has to be in line with the organisational strategic objectives, while IT reporting has to be relevant to what is key to the organisation in order to make informed decisions.

Another challenge to GRC, according to Jacobson, director at WebTechLaw, is reputation management. Transparent and effective communication with stakeholders is essential for building and maintaining client trust and confidence.

Transparent and effective communication is of critical importance, especially today, as consumers have been empowered by social media and technology to such an extent that they can easily damage the reputation of an organisation, he said.

“The perceptions of these stakeholders to an organisation should be taken seriously,” Jacobson explained. Stakeholders’ overall assessments and, therefore, aggregate perceptions of companies result in the formation of corporate reputations. He also noted that constructive engagement with stakeholders could provide companies with valuable information about stakeholders’ views, as well as external events, market conditions, technological advances, and trends or issues.

He added that stakeholders who could materially affect the operations of the company should be identified, assessed and dealt with as part of the risk management process.

According to Jacobson, the board should be the ultimate custodian of the corporate reputation and stakeholder relationships. One serious reputational risk to a company is the , or lack thereof, of its information.

According to Nerushka Deosaran, an associate at Norton Rose law firm, the imminent Protection of Personal Information (POPI) Bill will make life easier for the IT industry.

According to Deosaran, the proposed law seeks to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction of personal information and the unlawful access to or processing of personal information.

Among the safeguards of the proposed legislation, she pointed out that POPI aims to identify all reasonably foreseeable internal and external risks regarding personal information.

“The Bill also will ensure that organisations that deal with personal information establish and maintain appropriate safeguards against risks identified as well as regularly verifying that the safeguards are effectively implemented.