Risk Governance Understood

Governance mandates such as Sarbox, the events of 9/11 and their aftermath, along with the continuing uncertainty of the business-economic environment, have made it compulsory for corporations to rethink their approaches to identifying and managing risk. The need for effective enterprise risk management and governance (ERM&G) has never been greater or more urgent.

While there is no universally accepted definition of corporate governance, it is generally defined as the system by which companies are directed and controlled. The Organisation for Economic Co-operation and Development (OECD) definition of corporate governance, which many international organizations subscribe to, is that it "involves a set of relationships between a company's management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined" 1.

Risk governance is integral to a corporation's complete process of governance. An assumption of good governance practice is that an effective risk management process exists that can ensure that the plethora of corporate compliance risks is addressed.

Risk governance is approached in a predominantly top-down fashion (that is, examining risks from the senior executive and board of directors' perspective). This is different from the ERM view, which is more of a "top-down-directed" but "bottom-up-implemented" approach that views risks from the line manager's perspective. It should be clear that both risk governance issues and ERM issues can and often do overlap. These overlaps concern what I call "gray-space" risks. For example, if an IT project looks as if it will incur a major financial overrun that will materially affect, say, the corporation's profitability, then the project becomes a governance issue. In addition, there are several gray-space risk areas that some corporations view as risk governance issues, and some as ERM issues, such as the risks to corporate reputation or brand.

Regardless, almost every corporate governance regime requires that:

Major business risks those that are mostly financial or legal in nature must be identified, assessed, and actively managed.

The systems that management implements to manage those risks must be reviewed regularly to ensure that they are not sources of risks themselves (i.e., that these systems are not bypassed or manipulated).

The processes needed to ensure compliance with regulatory, legal, or financial risks are also reviewed regularly.

The effectiveness of internal controls, including internal audits, is assessed.

The fourth requirement may prove difficult to demonstrate, because in many cases, it involves proving a negative (i.e., demonstrating that a risk failed to occur because of the effectiveness of internal controls).

Risk governance is typically implemented through a set of organizational structures, procedures, and measures. Many corporations have organized a risk governance committee that reports to the CEO but also is accountable to the board of directors. (These committees are often extensions of the corporation's original audit committees, including internal IT audit groups.) Risk governance committees help define and identify which risks are being taken as well as the opportunities that the corporation has not adequately pursued. The committee also sets risk management policy and oversees the way in which risks are managed. Finally, the committee ensures that all four points listed above are correctly implemented.

Risk governance committees normally assess risk using a standard risk management process that is tailored to meet the industry's regulatory and legal regime in which it operates. Every process, however, ultimately follows the classic steps of identifying, assessing, prioritizing, and managing risks. The risk management process may or may not be the one used for ERM, although many corporations are shifting toward the use of risk management frameworks that can apply to both. Having a standard risk management framework/process allows risks to be assessed and managed consistently, and it makes the process easier to review for effectiveness. We should note that for US corporations, Sarbox requires that a corporation's internal control processes (i.e., its risk governance procedures) are benchmarked against some recognized standard, such as the 1992 Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework officially known as Internal Control Integrated Framework (see "A Guide to Corporate Governance" 2). Typically, a corporation's board of directors defines the corporation's risk appetite, which the risk governance committee then monitors.

Risk Governance and the CIO

Many corporations' boards and senior management do not believe that the CIO should be concerned with corporate governance. This is a grave blunder, and I pity the CIO and the shareholders of any corporation with this attitude.

Many risk governance-related risks have now fallen directly into the CIO's sphere of control. While not every IT risk is a governance risk, almost every governance risk involves IT. The reasons are plain: IT is pervasive in corporations, touching on almost everything it does. Financial results depend on IT systems to produce them. A corporation's operations, products, and services likely depend on IT. The misuse or unavailability of IT can have serious legal, let alone financial, consequences for the corporation.

For example, to abide by the requirements of Sarbox, corporations must be able to demonstrate the transparency of their financial transactions and the decision-making processes underlying financial transactions. Ultimately, it's up to the CIO to ensure that this transparency is possible. This means that how every financial transaction was generated and why must be possible to reconstruct. Anyone (and any system) with potential access to a financial transaction also must be able to be identified across the whole of the value chain. Can your enterprise resource planning (ERP) system easily do that?

The reason for this level of scrutiny is that, in the US, when companies such as Enron and WorldCom went belly-up, it reflected the fact that everyone in the compliance chain executives, boards of directors, outside auditors, and regulators had failed to do their job. Each believed that others were performing the necessary checks. And because of this widespread breakdown, the US Congress imposed draconian criminal and civil penalties to ensure that now all parties do. In their pursuit of corporate malfeasance, regulators have also changed from being reactive to being proactive. US regulators and federal prosecutors have been open about their desire to make examples of corporations and executives who don't follow the rules. I don't envy CxOs caught in the crosshairs of an SEC or congressional investigation. If the SEC decides to investigate a corporation, or if a corporation must restate its financials, shareholder lawsuits are almost a given. It will be interesting to see what happens on 16 November 2004, which is the deadline for large corporations to comply fully with Sarbanes-Oxley; the deadline for everyone else is July 2005.

Further, Sarbox requires accurate and timely disclosure of events that materially affect the business. How quick and, more important, how accurate these disclosures are largely depends upon how well a corporation's IT systems can produce the information. In some cases, data on these transactions may need to be kept and remain searchable for a period of 10 years or more. E-mail messages must be searched, which means that e-mail must be saved as well. While corporate lawyers may be the ones who set data or e-mail retention policy, it is the CIO's responsibility to ensure that the policy is enforced to prevent unauthorized destruction of e-mail (or other data).

The real change is that the CIO can no longer be satisfied with merely improving the capture and dissemination of information; now he or she must be concerned about the content of that information as well. Most CIOs probably disagree with this statement, asserting that CIOs should not be responsible for the information in their corporate IT systems [3]. However, CIOs must put themselves in the shoes of a CEO or CFO: would either sign off on the accuracy of the corporation's financial statements without assurance about the information in his or her system? If the answer is no, the CIO and the corporation have a risk governance issue to deal with.

In a future Advisor, we'll discuss ways to determine whether your corporation has good risk governance.

Robert N. Charette, Fellow and Director, Enterprise Risk Management & Governance Practice, Cutter Consortium


1Principles of Corporate Governance, OCED, 2004, p. 11.

2COSO and the National Commission on Fraudulent Financial Reporting. Internal Control Integrated Framework. National Commission on Fraudulent Financial Reporting, 1992.

3Berinato, Scott. "Take the Pledge: The CIO's Code of Ethical Data Management."CIO, 1 July 2002, pp. 57-70.

Copyright © 2005 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022