IT Risk Tops List of Concerns for Board Members

A recent survey of Public Company Audit Committee Board Members about risk highlights the desire to focus more heavily on Information Technology (“IT”) related risks. This is not surprising given that technological innovation continues at a rapid pace while it is also increasingly impacting every key facet of business today. The survey, conducted by the National Association of Corporate Directors and sponsored by KPMG, uncovered the following common board-level views about IT and other risk areas.

  • They are not satisfied that their oversight of various IT risks is effective, or that the company’s strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company’s risks and control environment, or rate their company’s crisis response plan as “robust and ready to go.”
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC’s whistleblower “bounty” program of particular concern.

An integrated, enterprise-wide risk program is the key to addressing these items in a holistic and practical way.  If your company has not implemented such a program, meeting the demands of the board will be challenging.


Wheelhouse Announces New Strategic Alliance

Wheelhouse Advisors and Xactium are pleased to announce their new strategic alliance for the implementation of Xactium’s Governance, Risk and Compliance applications.

Wheelhouse, a professional services firm specializing in Enterprise Risk Management & Control will be Xactium’s first US-based partner, operating in Atlanta, Georgia.

John A Wheeler, founder and Managing Principal of Wheelhouse Advisors brings over twenty years of strategic, operations and risk management professional to the firm. Prior to founding his company, John served as a Senior Vice President within the Corporate Risk Management division at a major U.S financial services company.

Dr. Andy Evans, Managing Director of Xactium, said: “This is a great opportunity for collaboration and signals the widening interest in our GRC Suite. Working with Wheelhouse will enable us to extend our reach to American markets and reinforce our position as a leading cloud risk solution provider. ”

John added: “We recognise the power of Xactium’s cloud-based solutions to provide clients with a complete, robust solution in a time frame they want. We look forward to extending our level of customer support with our new implementation services.”

The partnership follows a period of growth from Xactium, whose customer numbers have more than doubled in the last year. The potential for a future Xactium North America division will also be considered.

About Xactium: Xactium is a leading cloud-computing software company specialising in Governance, Risk and Compliance (GRC) solutions. Xactium helps customers efficiently and effectively access and manage risk and compliance activities without the need for complex, expensive risk software. Recent significant business wins include insurance brokers Jardine Lloyd Thompson; insurance and reinsurance group, RiverStone Europe; and Scottish water retailer, Business Stream.

About Wheelhouse Advisors: Founded in 2007, Wheelhouse Advisors serves corporate clients across the United States with the implementation and continuous improvement of their Enterprise Risk Management (“ERM”) programs. Their service offerings include: Bespoke Enterprise Risk Assessment, Independent Risk & Control Program Analysis, Financial Process Compliance; and Governance, Risk & Compliance Automation.

The Path to ERM Success

The path to success in implementing an Enterprise Risk Management (”ERM”) program can be found in greater integration and better technology – that’s according to a recent survey presented at the 2011 Risk and Insurance Management Society (”RIMS”) Conference in Vancouver, British Columbia. Entitled “Excellence in Risk Management VIII”, this is an annual independent survey of executives conducted for RIMS by Marsh. The most common focus area noted in the survey is a desire to strengthen enterprise or strategic risk management approaches. While more than half of the survey respondents indicated this desire, a majority saw the primary barrier to achieving this goal was a lack of understanding of the risk landscape across numerous silos of information.

As a result, 55% of the respondents expect to integrate risk management deeper into and across operations and 54% of respondents expect to perform day-to-day risk management activities more efficiently. To meet these expectations, organizations will need to improve the way they gather and report risk data through more cost-effective technology. The survey report supports this notion through the following observation. “It’s worth noting to risk managers that their counterparts in the C-suite were the most likely to view technology upgrades as a focus area. This should help pave the way for technology that can ease the time spent on mundane tasks and open the door to developing the deeper integration of risk management with other departments.”

Source: Risk & Insurance Management Society, Excellence in Risk Management VIII

How to Strengthen Your IT Risk Management Program

An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.

recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT Risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives but not a board member. Forty-five percent of the participants were from critical infrastructure companies.

The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:

1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.

2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.

5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.

6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.

10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.

These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s risk mindfulness level, but also secure positive returns for key investors and stakeholders for years to come.

Cloud Security Concerns Are Diminishing

As software vendors look for ways to improve their product offerings, many are venturing into the cloud. However, for the most of the last decade as cloud computing (also known as Software as a Service or “SaaS”) has evolved, some companies would not even consider the notion of using these products due to fears about data security. Now that the major cloud providers have refined their technological infrastructures, that fear is unwarranted. In this month’s issue of Treasury & Risk Magazine, more evidence is provided to support the integrity of cloud-based software products. Here’s an excerpt:

As cloud vendors mature, Web-based delivery of applications, storage and infrastructure is getting more secure and trustworthy. That doesn’t mean that the risks are gone—they’ve just migrated to a more difficult-to-manage form. Today, big-name cloud providers like offer top-notch security, auditability and compliance. Even Google provides a compliant e-mail hosting solution for regulated industries such as healthcare and finance.

In fact, clouds can offer a security advantage over traditional software, since cloud providers specialize in making their application as secure as possible, spreading the costs of that effort among many customers. On their own, companies might not be able to afford the same level of security.

Coupled with the benefits of little or no maintenance as well as the minimal initial investment, the fact that cloud-based software is highly secure makes the business case for moving to the cloud a no-brainer for businesses looking for efficient and effective software solutions.

Risk Won’t Wait

After several years of delaying funding on risk management and IT security due to economic pressures, more and more companies are realizing that they cannot wait any longer. The stakes are simply too high to rely on outdated technology and a bare-bones approach to addressing ever-increasing risks.  Here is what was reported in InformationWeek magazine earlier this week,

A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies’ IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

Don’t be left behind. With leaps in technology occurring in a matter of months rather than years, no company can afford to delay their improvements in risk management.

Information Technology is a Core ERM Building Block

As the year nears an end, many folks are looking to 2011 in anticipation of the regulatory impact beset by the Dodd-Frank Act of 2010. One of the primary impacts discussed today in Bank Systems & Technology magazine is the specter of the new Office of Financial Reform. Financial services companies of all shapes and sizes will soon be subject to the requests for data from this new agency to support its mission of reporting emerging risks to the U.S. Congress. Here’s an overview of what companies can expect.

The Dodd-Frank legislation establishes the Office of Financial Reform (OFR), a new department within the U.S. Department of the Treasury that is tasked with gathering and reporting to lawmakers information regarding potential risks and threats within the nation’s financial industry. To accomplish this, the OFR’s director can use his or her subpoena power to gather data from any financial institution.

Simply, says Michael Atkin, director of the Enterprise Data Management Council, a nonprofit trade association focused on managing and leveraging data, the regulation gives banks’ corporate leadership a new opportunity to examine the growing problem of managing skyrocketing amounts of data and finally to budget appropriately to meet the challenge. “It kicked the practice of data management into high gear,” Atkin says. “We’re now set up for addressing the data dilemma that we have because we finally have a reason that is not subject to the whim of a business case. It is a regulatory requirement.”

The OFR director, who has not yet been appointed, will make his or her report to Congress in 2012, adds Atkin. But that initial report, he notes, likely will be more on the state of the industry than a detailed analysis of its data, giving financial institutions a window of several years to prepare for potential requirements. “The implications from an infrastructure perspective are about getting the core building blocks of risk management in place,” Atkin relates.

Now is the time, as Atkin says, to get your “core building blocks of risk management in place”. Wheelhouse Advisors can help. Visit to learn more.