IT Risk Tops List of Concerns for Board Members

A recent survey of Public Company Audit Committee Board Members about risk highlights the desire to focus more heavily on Information Technology (“IT”) related risks. This is not surprising given that technological innovation continues at a rapid pace while it is also increasingly impacting every key facet of business today. The survey, conducted by the National Association of Corporate Directors and sponsored by KPMG, uncovered the following common board-level views about IT and other risk areas.

  • They are not satisfied that their oversight of various IT risks is effective, or that the company’s strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company’s risks and control environment, or rate their company’s crisis response plan as “robust and ready to go.”
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC’s whistleblower “bounty” program of particular concern.

An integrated, enterprise-wide risk program is the key to addressing these items in a holistic and practical way.  If your company has not implemented such a program, meeting the demands of the board will be challenging.

Wheelhouse Announces New Strategic Alliance

Wheelhouse Advisors and Xactium are pleased to announce their new strategic alliance for the implementation of Xactium’s Force.com Governance, Risk and Compliance applications.

Wheelhouse, a professional services firm specializing in Enterprise Risk Management & Control will be Xactium’s first US-based partner, operating in Atlanta, Georgia.

John A. Wheeler, founder and Managing Principal of Wheelhouse Advisors, brings over twenty years of strategic, operations and risk management experience to the firm. Prior to founding his company, John served as a Senior Vice President within the Corporate Risk Management division at a major U.S. financial services company.

Dr. Andy Evans, Managing Director of Xactium, said: “This is a great opportunity for collaboration and signals the widening interest in our Force.com GRC Suite. Working with Wheelhouse will enable us to extend our reach to American markets and reinforce our position as a leading cloud risk solution provider.”

John added: “We recognise the power of Xactium’s cloud-based solutions to provide clients with a complete, robust solution in a time frame they want. We look forward to extending our level of customer support with our new implementation services.”

The partnership follows a period of growth from Xactium, whose customer numbers have more than doubled in the last year. The potential for a future Xactium North America division will also be considered.

About Xactium: Xactium is a leading cloud-computing software company specialising in Governance, Risk and Compliance (GRC) solutions. Xactium helps customers efficiently and effectively access and manage risk and compliance activities without the need for complex, expensive risk software. Recent significant business wins include insurance brokers Jardine Lloyd Thompson; insurance and reinsurance group, RiverStone Europe; and Scottish water retailer, Business Stream.

About Wheelhouse Advisors: Founded in 2007, Wheelhouse Advisors serves corporate clients across the United States with the implementation and continuous improvement of their Enterprise Risk Management (“ERM”) programs. Their service offerings include: Bespoke Enterprise Risk Assessment, Independent Risk & Control Program Analysis, Financial Process Compliance; and Governance, Risk & Compliance Automation.

The Path to ERM Success

The path to success in implementing an Enterprise Risk Management (“ERM”) program can be found in greater integration and better technology – that’s according to a recent survey presented at the 2011 Risk and Insurance Management Society (“RIMS”) Conference in Vancouver, British Columbia. Entitled “Excellence in Risk Management VIII”, this is an annual independent survey of executives conducted for RIMS by Marsh. The most common focus area noted in the survey is a desire to strengthen enterprise or strategic risk management approaches. While more than half of the survey respondents indicated this desire, a majority saw the primary barrier to achieving this goal as a lack of understanding of the risk landscape across numerous silos of information.

As a result, 55% of the respondents expect to integrate risk management deeper into and across operations and 54% of respondents expect to perform day-to-day risk management activities more efficiently. To meet these expectations, organizations will need to improve the way they gather and report risk data through more cost-effective technology. The survey report supports this notion through the following observation. “It’s worth noting to risk managers that their counterparts in the C-suite were the most likely to view technology upgrades as a focus area. This should help pave the way for technology that can ease the time spent on mundane tasks and open the door to developing the deeper integration of risk management with other departments.”

Source: Risk & Insurance Management Society, Excellence in Risk Management VIII

How to Strengthen Your IT Risk Management Program

An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.

A recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives but not board members. Forty-five percent of the participants were from critical infrastructure companies.

The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:

1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.

2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.

5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.

6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.

10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.

These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s risk mindfulness level, but also secure positive returns for key investors and stakeholders for years to come.

Cloud Security Concerns Are Diminishing

As software vendors look for ways to improve their product offerings, many are venturing into the cloud. However, for most of the last decade, as cloud computing (also known as Software as a Service or “SaaS”) has evolved, some companies would not even consider the notion of using these products due to fears about data security. Now that the major cloud providers have refined their technological infrastructures, that fear is unwarranted. In this month’s issue of Treasury & Risk Magazine, more evidence is provided to support the integrity of cloud-based software products. Here’s an excerpt:

As cloud vendors mature, Web-based delivery of applications, storage and infrastructure is getting more secure and trustworthy. That doesn’t mean that the risks are gone—they’ve just migrated to a more difficult-to-manage form. Today, big-name cloud providers like Salesforce.com offer top-notch security, auditability and compliance. Even Google provides a compliant e-mail hosting solution for regulated industries such as healthcare and finance.

In fact, clouds can offer a security advantage over traditional software, since cloud providers specialize in making their application as secure as possible, spreading the costs of that effort among many customers. On their own, companies might not be able to afford the same level of security.

Coupled with the benefits of little or no maintenance as well as the minimal initial investment, the fact that cloud-based software is highly secure makes the business case for moving to the cloud a no-brainer for businesses looking for efficient and effective software solutions.

Risk Won’t Wait

After several years of delaying funding for risk management and IT security due to economic pressures, more and more companies are realizing that they cannot wait any longer. The stakes are simply too high to rely on outdated technology and a bare-bones approach to addressing ever-increasing risks. Here is what was reported in InformationWeek magazine earlier this week:

A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies’ IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

Don’t be left behind. With leaps in technology occurring in a matter of months rather than years, no company can afford to delay their improvements in risk management.

Information Technology is a Core ERM Building Block

As the year nears an end, many folks are looking to 2011 in anticipation of the regulatory impact of the Dodd-Frank Act of 2010. One of the primary impacts discussed today in Bank Systems & Technology magazine is the specter of the new Office of Financial Reform. Financial services companies of all shapes and sizes will soon be subject to requests for data from this new agency to support its mission of reporting emerging risks to the U.S. Congress. Here’s an overview of what companies can expect.

The Dodd-Frank legislation establishes the Office of Financial Reform (OFR), a new department within the U.S. Department of the Treasury that is tasked with gathering and reporting to lawmakers information regarding potential risks and threats within the nation’s financial industry. To accomplish this, the OFR’s director can use his or her subpoena power to gather data from any financial institution.

Simply, says Michael Atkin, director of the Enterprise Data Management Council, a nonprofit trade association focused on managing and leveraging data, the regulation gives banks’ corporate leadership a new opportunity to examine the growing problem of managing skyrocketing amounts of data and finally to budget appropriately to meet the challenge. “It kicked the practice of data management into high gear,” Atkin says. “We’re now set up for addressing the data dilemma that we have because we finally have a reason that is not subject to the whim of a business case. It is a regulatory requirement.”

The OFR director, who has not yet been appointed, will make his or her report to Congress in 2012, adds Atkin. But that initial report, he notes, likely will be more on the state of the industry than a detailed analysis of its data, giving financial institutions a window of several years to prepare for potential requirements. “The implications from an infrastructure perspective are about getting the core building blocks of risk management in place,” Atkin relates.

Now is the time, as Atkin says, to get your “core building blocks of risk management in place”. Wheelhouse Advisors can help. Visit www.WheelhouseAdvisors.com to learn more.

Fear of Innovation is a Huge Risk

At a time when crisis management has been the primary focus, no other industry is better positioned for an innovation leader to emerge than is financial services. Most financial services companies have retrenched and allowed their product development and technology to wither on the vine. Customers have suffered from sharp declines in service quality as a result. The company (or companies) with the fortitude to make significant investments in innovation will capture significant market share and greater profits. Three areas of innovation have been hot topics at this week’s 2010 Bank Administration Institute’s Retail Banking Conference.

1) The mobile phone is the new branch. Twenty-five percent of consumers have ditched their wireline phone and gone completely wireless. This of course puts increased pressure on banks to invest in mobile banking and payments. Yet except for remote check capture via mobile phones from banks like USAA, real innovation remains elusive. Most of the industry innovations are being driven not by banks, but by specialist companies like mFoundry, ClariMail, Monitise, Mocapay, PayPal, Bling and Obopay. This is happening while bankers complain that their major tech suppliers, including First Data, Fidelity, Fiserv and Jack Henry, are just not moving fast enough to meet their needs.
2) Social networking is a dangerous tool for customer interaction, but a necessary one. Banks get that social networking is here to stay. And many believe it has the potential to be something other than a digital version of a call center. But social networking is not a controlled environment, and that scares bankers. It should. Sites like Twitter and Facebook provide a podium for every whack job to speak his or her mind. The beneficiaries of the uncertainties that retail banks have about how to use and measure social media effectiveness are likely IBM, SAS, SAP and Microsoft, and this could prove a watershed year for a slew of nimble-footed specialist firms that are building business-to-consumer (B2C) enterprise-grade measurement and engagement tools.
3) Cloud computing: the outlook remains cloudy. Instinctively it would seem that cloud computing technology would be a critical weapon to break down the line-of-business silos that exist in retail banks. This seems especially true given consumer demands to have an experience they value, on their terms, on the bank interaction channel of their choice — online, mobile, ATM or branch, irrespective of the type of business a consumer wants to transact with the bank. Consumers value convenience and they want to define what convenience looks like. But banks seem crippled when navigating the abyss of implementation schemes, cost sharing, regulatory compliance, security and customer ownership issues.

Fear of innovation is a very real risk that many companies face in today’s uncertain environment. The value of innovation is at its maximum during times of complexity and chaos. Those companies that work to escape the fear and embrace innovation will be the ultimate winners, while those that do not will suffer a painful fate.

The Risks of Cloud Computing

As we emerge from the economic downturn, more and more companies are considering “cloud computing” solutions as a way to keep information technology costs under control. However, some companies are fearful of the unknown aspects of managing information within the cloud. These fears may be justified, but they can certainly be alleviated by conducting a thorough risk assessment and vendor due diligence exercise prior to venturing into the cloud.

It all starts with what the company is looking to achieve through cloud computing and whether the investment is worth the risk. For example, will the application hosted in the cloud be customer facing and subject to strict regulatory standards? If so, then the risk assessment should include the probability and impact of events such as a data breach or unplanned downtime.

Once the risk assessment has been completed and the investment decision has been made, a comprehensive due diligence exercise should be conducted. Some vendors may suggest simply relying on the SAS 70 report from their external auditing firm rather than performing a due diligence exercise. While SAS 70 reports are useful, they are not specific to the relationship between the two companies. It is imperative that the following areas are examined in relation to a company’s current information security policies and overall operating expectations.

  1. Organizational and Human Resource Security
  2. Access Control
  3. Asset Management
  4. Physical and Environmental Security
  5. Operations and Change Management
  6. Disaster Recovery and Business Continuity
  7. Privacy
  8. Regulatory Compliance

Like any other partnership or outsourcing agreement, the time to address potential risks and issues with cloud computing is at the very beginning of the relationship. By doing so, both the company and the vendor will benefit from the opportunity to understand each other’s expectations. It will also serve as the foundation for a successful cloud computing solution.

If your company would like to learn more about performing a cloud computing risk assessment and due diligence exercise, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

CFOs and CIOs Find Common Ground

A recent article in CFO magazine discusses the critical partnership between corporate CFOs and CIOs. As is often the case, these two executives have difficulty speaking the same language. CFOs are certainly more focused on the financial and risk aspects of any major information technology undertaking. On the other hand, CIOs tend to focus on the innovation and efficiencies that they can bring to the business through greater automation. Here is what CFO magazine noted from a recent roundtable discussion with CFOs and CIOs.

If one trait of CIOs could be changed, the executive said bluntly, they would develop more appreciation for prudent risk-taking. “They’re always coming up with these very capital-intensive programs that are essentially faith-based initiatives. The projects are not well supported with metrics, the numbers don’t work, but they want to run off and take the risk.”  Similarly, one CFO at the table, who also asked not to be named, chimed in: “Stop saying that it’s going to produce 2,000% ROI. Nobody believes you.”  The first executive did allow, though, that there are two sides to the issue. Finance leaders, he acknowledged, often lose sight of the fact that “we have to have some vision, too.” Rather than being just numbers-driven, CFOs have to find room for belief in innovation and “understand the power of a better idea.”

To be truly successful, the two executives must find common ground. Wheelhouse Advisors provides practical solutions to bridge the gap between CFOs and CIOs, leading to stronger business results. To learn more, visit www.WheelhouseAdvisors.com.
