IT Risk Tops List of Concerns for Board Members

A recent survey of Public Company Audit Committee Board Members about risk highlights the desire to focus more heavily on Information Technology (“IT”) related risks. This is not surprising given that technological innovation continues at a rapid pace while it is also increasingly impacting every key facet of business today. The survey, conducted by the National Association of Corporate Directors and sponsored by KPMG, uncovered the following common board-level views about IT and other risk areas.

  • They are not satisfied that their oversight of various IT risks is effective, or that the company’s strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company’s risks and control environment, or rate their company’s crisis response plan as “robust and ready to go.”
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC’s whistleblower “bounty” program of particular concern.

An integrated, enterprise-wide risk program is the key to addressing these items in a holistic and practical way. If your company has not implemented such a program, meeting the demands of the board will be challenging.


Information Technology is a Core ERM Building Block

As the year nears an end, many folks are looking to 2011 in anticipation of the regulatory impact of the Dodd-Frank Act of 2010. One of the primary impacts discussed today in Bank Systems & Technology magazine is the specter of the new Office of Financial Research. Financial services companies of all shapes and sizes will soon be subject to requests for data from this new agency to support its mission of reporting emerging risks to the U.S. Congress. Here’s an overview of what companies can expect.

The Dodd-Frank legislation establishes the Office of Financial Research (OFR), a new office within the U.S. Department of the Treasury that is tasked with gathering and reporting to lawmakers information regarding potential risks and threats within the nation’s financial industry. To accomplish this, the OFR’s director can use his or her subpoena power to gather data from any financial institution.

Simply put, says Michael Atkin, director of the Enterprise Data Management Council, a nonprofit trade association focused on managing and leveraging data, the regulation gives banks’ corporate leadership a new opportunity to examine the growing problem of managing skyrocketing amounts of data and finally to budget appropriately to meet the challenge. “It kicked the practice of data management into high gear,” Atkin says. “We’re now set up for addressing the data dilemma that we have because we finally have a reason that is not subject to the whim of a business case. It is a regulatory requirement.”

The OFR director, who has not yet been appointed, will make his or her report to Congress in 2012, adds Atkin. But that initial report, he notes, likely will be more on the state of the industry than a detailed analysis of its data, giving financial institutions a window of several years to prepare for potential requirements. “The implications from an infrastructure perspective are about getting the core building blocks of risk management in place,” Atkin relates.

Now is the time, as Atkin says, to get your “core building blocks of risk management in place”. Wheelhouse Advisors can help. Visit to learn more.

The IT Risk Paradox

Companies working to integrate and improve their Information Technology (“IT”) applications are also inadvertently increasing the risk level across the entire enterprise. Two professors from Carnegie Mellon University discuss this paradox in an article written this month for the Harvard Business Review. Here is what they have to say about the problem.

Standard risk-management strategies are too outmoded to help companies contain catastrophic IT-linked risks. These strategies tend to assume that the risks are well understood and that the possibility of extreme events is tiny. As a result, organizations typically concentrate on ensuring that they have good policies and procedures for managing known risks and are using high-quality processes for creating and operating IT. But this old-fashioned focus can prevent firms from seeing new risks.

How do you identify events that, by definition, are hard to anticipate? Start by instilling from the top down an organizational culture that encourages employees to take ownership of risks and weigh their potential rewards and hazards. This means modeling risks and analyzing their business impact and, even more important, making the process integral both to corporate risk management systems and to every stage of IT system development. The culture must encourage employees to bring concerns about risk forward early, particularly when IT is being applied in new ways. 

Developing the proper organizational culture is critical not only for managing IT risks, but for all risks. Wheelhouse Advisors can help your company develop the frameworks and methodologies to create the optimal risk management culture. Visit to learn more.