It’s not an accident that risk and compliance are steadily gaining ground as concerns in the IT industry in light of the financial and regulatory scandals over the past decade. Companies are increasingly turning to enterprise software to help with these problems. But, as Forrester points out in a recent paper, software without planning is just an unnecessary financial burden.
The paper, entitled Navigate the Future of Compliance and Risk Management, argues that even without the financial scandals better compliance was going to be necessary.
Increased regulation saw, for example, the introduction of the Sarbanes-Oxley Act, while the continuous development of malware, like the recent Flame worm, means that security is still a major problem.
An interesting figure emerged recently from a survey by Accenture, which the Forrester report cites, indicating that 45% of executives report that their company has a chief risk officer, up 33% from just two years prior.
This was underlined by Forrester’s own research across 1,800 business decision makers, 25% of whom listed a tougher regulatory environment as one of their primary IT issues.
The Role of Risk Professionals
Not the first time we have heard this, you’ll admit, but what does that mean? What exactly do risk professionals do? And more to the point, what are they doing anywhere near IT departments?
Before looking at this, a caveat: we are not here to promote risk professionals, but simply to point out that many companies now have one.
The first thing to say is that risk professionals are responsible for the risk and compliance management of a company, including its risk and compliance software.
Generally speaking, while this kind of software is probably good for some companies, the implementation of these kinds of solutions may be happening too quickly (we never thought we'd say that about any software package here!).
According to Forrester, it takes a high degree of discipline and strong execution to run risk and compliance programs on the broad scale currently asked of them. The conclusion is that businesses need to look ahead at how business, and the expectations placed on IT risk management, are changing.
Navigating Business Change
For risk managers, what does this mean? The problem is that the risk landscape is not static; in fact, it changes all the time. Risk managers are supposed to enable businesses to reach their maximum potential without having to worry about the nasty side of software.
To do this, they have to understand how business parameters and goals are changing. According to Forrester, three major business trends will have a serious impact in this respect over the next five years:
- Individuals and Power
- Exposed organizations
- Business Complexity
Individuals and Power
The problem is that, once a disgruntled employee is inside your network, you potentially have a serious problem. The list of rogue traders, for example, is a long one, with a rogue trader at UBS costing the company US$ 2.3 billion in losses.
Here in France at the moment, the case of Jerome Kerviel's illicit trades, which cost Société Générale $6.7 billion less than three years earlier, is still going through the courts. While he personally has received all kinds of reprimands, prison sentences included, Société Générale is still getting hammered over this. And the list goes on.
But there are tools that could have caught many of these people red-handed. Forrester recommends in this respect:
- Improve controls through better monitoring, using tools such as transaction monitoring and social listening platforms
- Push greater individual accountability with, for example, marketing teams understanding that they too are responsible for customer interactions
Unchecked Business Complexity
As businesses grow more complex, they also become more dependent on third-party ecosystems, and with that dependence come untested assumptions and techniques that lead to uncontrolled business transactions.
However, it is possible to mitigate this risk by involving risk managers earlier in decision processes, before decisions are made rather than after.
Exposed Organizations
With the Securities and Exchange Commission's whistle-blower program announced in 2011, employees with concerns about their organizations now have a formal outlet, and substantial incentives, for reporting issues that lead to enforcement actions.
Forrester recommends that enterprises improve their business intelligence capabilities to ensure they can monitor when information leaves the company, as it inevitably will. It suggests enterprises: