It’s not an accident that risk and compliance are steadily gaining ground as concerns in the IT industry in light of the financial and regulatory scandals over the past decade. Companies are increasingly turning to enterprise software to help with these problems. But, as Forrester points out in a recent paper, software without planning is just an unnecessary financial burden.

The paper, entitled Navigate the Future of Compliance and Risk Management, argues that even without the financial scandals, better compliance was going to be necessary.

Increased regulation saw, for example, the introduction of the Sarbanes-Oxley Act, while the continuous development of malware, like the recent Flame worm, means that security is still a major problem.

An interesting figure emerged recently from a survey by Accenture, which the Forrester report cites, indicating that 45% of executives report that their company has a chief risk officer, up 33% from just two years prior.

This was underlined by Forrester’s own research across 1,800 business decision makers, 25% of whom listed a tougher regulatory environment as one of their primary IT issues.

The Role of Risk Professionals

Not the first time we have heard this, you’ll admit, but what does that mean? What exactly do risk professionals do? And more to the point, what are they doing anywhere near IT departments?

Before looking at this, it should be said that we are not here to promote risk professionals, but simply to point out that many companies now have one.

The first thing to say is that risk professionals are responsible for a company's risk and compliance management, including its risk and compliance software.

Generally speaking, while this kind of software is probably good for some companies, the implementation of these kinds of solutions could be happening too quickly (we never thought we'd ever say that about any software package here!).

According to Forrester, it takes a high degree of discipline and strong execution to run risk and compliance programs on the broad scale currently asked of them. The conclusion from this is that businesses need to look ahead at how business and the expectations placed on IT risk management are changing.

Navigating Business Change

For risk managers, what does this mean? The difficulty is that the problem is never quite the same; in fact, it changes all the time. Risk managers are supposed to enable businesses to meet their maximum potential without having to worry about the nasty side of software.

To do this, they have to understand how business parameters and goals are changing. According to Forrester, three major business trends will have a serious impact in this respect over the next five years:

  • Individuals and Power
  • Exposed organizations
  • Business Complexity

Individuals and Power

The problem is that, once you get a disgruntled employee into your network, you potentially have a serious problem. The list of rogue traders, for example, is a long one, with a rogue trader at UBS costing the company US$2.3 billion in losses.

Here in France at the moment, the case of Jerome Kerviel's illicit trades, which cost Société Générale $6.7 billion less than three years earlier, is still going through the courts. While he personally has received all kinds of reprimands, prison sentences included, Société Générale is still getting hammered over this. And the list goes on.

But there are tools that could have caught many of these people red-handed. Forrester recommends in this respect:

  • Improve controls with better monitoring, using tools such as transaction monitoring and social listening platforms
  • Push greater individual accountability, with, for example, marketing teams understanding that they too are responsible for customer interactions

Unchecked Business Complexity

As businesses grow more complex, they also become more dependent on third-party ecosystems, which encourage the untested assumptions and techniques that lead to uncontrolled business transactions.

However, it is possible to mitigate this risk by involving risk managers earlier in decision processes, before decisions are made rather than after.

Exposed Organizations

With the Securities and Exchange Commission's whistle-blower program announced in 2011, employees with concerns about their organizations now have a formal outlet, and substantial incentives, for reporting issues that lead to enforcement actions.

Forrester recommends that enterprises improve their business intelligence capabilities to ensure they can monitor when information leaves the company, as it inevitably will. It suggests enterprises:

  • Maintain a focus on a strong risk and compliance culture: This will create a culture where employees spot and remediate problems quickly and make decisions that will be commendable if they eventually reach the light of day. Make sure that, from the top of the organization to the bottom, employees and key stakeholders understand the reasons your organization follows the values it does.
  • Risk remit: Over the coming five years, the risk officer will also be expected to take on a wider remit around risk and compliance. In order to deal with the challenges of this, Forrester recommends that risk officers:
      • Delegate the responsibility of risk: There are so many risk and compliance domains that need to be covered that the governance and oversight needed for successful risk and compliance need to be spread among a number of people.
      • Use standardized processes and tools: While risk officers may not be able to standardize all risk assessment and reporting processes, they should be able to make these processes compatible with their organization's risk and compliance objectives.

The bottom line here is that compliance professionals often enforce stringent compliance rules without understanding the way the business works. When implementing new processes and policies, Forrester recommends, it is important that compliance and risk guidelines take that into account.