Embedding risk management within IT to deliver business value while maintaining compliance

IT organisations have long been subject to a wide range of rules and regulations mandating control over information, technology and processes. These rules and regulations are often created as a counter-measure to some major scandal. Within IT, management is often faced with a “bull-whip effect”, where every small risk must be managed, controlled and minimised. This not only drives significant costs but also undermines IT’s ability to deliver on already stretched IT targets.

“Rules are a funny thing. We like some of them because they make us feel protected, aligned, and perhaps operating on a fair playing field. We dislike them because they can protect us to the point of being smothering, align us to the points of being constraining, and fair to the point of being unfair.”

- Kevin Meyer, The Engagement of Risk

Regardless of good intent, external rules tend to be interpreted overzealously and become over-engineered

The initial interpretations of section 404 of Sarbanes-Oxley Act of 2002 created an enormous focus on internal controls. Following the collapse of Enron and WorldCom, almost every process within companies listed on the US stock markets (i.e. under SEC authority) became objects of control. Companies were over-flooded with auditors doing management testing and compliance audits, which lead to massive indirect and direct costs. Since then there has been an ongoing discussion on the costs versus benefits of this regulation. In the Forbes article ‘The Costs and Benefits of Sarbanes-Oxley’, the authors note that the cost of internal control’s relative earnings has decreased over the years since its inception. This means that internal control processes have become more efficient – and companies which approach risk management as continuous improvement and ongoing operational development can still generate cost advantages (and business benefits) without having to belabour it.

As internally focused projects compete for the same funds, excessive resources spent on control can lead to missed business opportunities. The key is to embed internal control in all development initiatives in the strategy and design phases instead of viewing it as discrete one-off events.

Insight and transparency enable decision-making, valuation and acceptance of risk levels

Failure to embed risk management and control often becomes apparent in IT sourcing initiatives. As in any business transaction, it is crucial to understand the scope of the service that is being bought and appreciate the risk dynamics. Without a proper business-oriented definition and understanding of the service in terms of functional and non-functional features (e.g. risk) the business relationship becomes asymmetrical and the quality of the service will be negatively impacted. Either the service becomes too expensive or is misaligned with client expectations.

Understanding risk and its dynamics is not something that is done through discrete one-off activities such as a single risk workshop during the course of a project – it is a decision process that requires data, diligence and analysis. The risk management process needs to be embedded in the transformation initiative.

In IT outsourcing, the client often seeks to shift the risk to the vendor through the use of open-ended clauses such as “the responsibility included, but is not limited to…” This approach is particularly common among new external regulations where the client demands tighter risk commitment and compliance from its vendors. The problem with this approach is the bull-whip effect it creates; the vendor, at the back of the value chain, needs to cover all the bases as the risk has entirely been transferred to them. This often leads to a situation where the quality of the service is undermined because it was poorly designed from a technical and functional perspective – overzealously controlled and laden with overhead.

To avoid this pitfall, the outsourcing organisation needs to include a proper analysis of the sourcing object (i.e. the service/group of services) in the service design phase including suitability, readiness, risk and potential – as well as determine the business’ risk tolerance. An integral part of IT outsourcing is understanding how IT organisations and IT executives make decisions, value risk and manage risk. Balancing the alignment of the retained organisation, IT’s capabilities, the vendors’ capabilities, and the technical prerequisites of the services, is imperative. This then needs to be operationalised in the delivery processes.

Companies should approach implementation through an iterative approach and continuously improve

To summarise, two key points have been covered above:

1. There is a clear risk of over-controlling processes within IT as IT is at the far end of implementation of new control frameworks
2. Risk management is not discrete one-off events. IT needs to continuously revisit the risk analysis and embed it in all processes

This signals a new approach to IT risk management. Risk management – including implementation of internal controls – should be approached in an iterative manner. Moreover, companies should strive to embed it in the strategy, design, implementation and development processes. This approach will reduce costs, allow for better allocation of scarce IT resources and ultimately lay the foundation for more effective IT delivery processes.

Jens Ekberg
Head of Group Insights
jens.ekberg@3gamma.com