Rethinking Your Approach to Data When It Comes to Risk Management

Jul 21, 2004 | 5 min read
CSO and CISO | Data and Information Security

By Michael Schrage, Co-Director of the MIT Media Lab’s eMarkets Initiative, and Jeffrey Brashear, Managing Director

Making a virtue of necessity, much like turning bugs into features, poses a difficult technical and business challenge for chief information officers (CIOs). But there is no escape. A surge of legislation, litigation and regulation – Sarbanes-Oxley, Basel II and the PATRIOT Act being the most obvious – imposes potentially costly demands for new architectures of corporate transparency and accountability. “Nice-to-have” databases have become “required-to-have” reporting systems.

The result? Enterprise IT portfolios can no longer cavalierly divorce competitiveness from compliance. The costs are just too high. Traditional “path-of-least-resistance” notions that firms should simply build Sar-Box servers to satisfy governance legalities, Basel II boxes to manage capital reserves and risk regulations, and Discovery WANs to cope with shareholder and/or liability litigation are dysfunctional invitations to silo-ize data that might more appropriately and more economically be shared.

Instead of being managed as unavoidable administrative overhead, global compliance can and should be managed as a strategic business platform. To accomplish that, a fundamental C-level “rethink” of data convergence and integration becomes an organizational imperative. CIOs need to make the business case that the compliance conundrum offers a migration path for cost-effective consolidation of data servers and the opportunistic integration of data models. The compliance challenge alters the economics of realigning technical architectures with real-time business processes.

In theory, the Corporate Counsel, the Chief Executive Officer (CEO), the Chief Risk Officer (CRO), or even a lead director could own compliance and drive IT to reconfigure systems enterprise-wide. The practical reality, however, is that these individuals rarely appreciate, let alone understand, the technical trade-offs associated with alternative approaches to data integration.

More dangerously, they typically bring a “conformance-to-requirements” mindset that makes it far more difficult for IT architects to explore low-cost ways to creatively link databases and innovatively rethink data models. The CIO becomes less a partner than a general contractor responsible for making sure the lawyers and the board know that the compliance schedule is being met. In other words, compliance is treated as a problem to be solved as opposed to a platform for business process management.

Conversely, some CIOs strategically partner with counsel, the CFO, or the CRO and collaboratively design systems that effectively balance their respective business needs. The inherent problem remains that these bilateral negotiations leave the organization with a series of compliance silos, each satisfying the particular needs of its corporate constituency. Data convergence and integration are creatively managed within the business unit rather than between units. These 1:1 CIO partnerships are seductively effective precisely because IT is dedicating itself to a single internal client and optimizing solutions for that client alone, rather than being forced to design digital compromises between, say, the needs of the CRO, the CFO and legal.

That said, the transition from bilateral agreements between IT and internal clients to more multilateral negotiations between C-level managers, with board of directors oversight, is a journey that CIO leadership must be prepared to take. Only the CIO has the knowledge and skill to explain how business processes, data integration and technical architectures can most cost-effectively co-evolve. Only the CIO has the direct responsibility for assuring that the organization has the appropriate technical capacity for the business capabilities it says it requires.

Most importantly, the CIO is charged with translating the confusing legalese of compliance and the real-time analytics of risk management into digital systems robust enough to reliably perform and transparent enough to be readily accessible. The fact is, CIOs are in the best position of anyone in the enterprise to transform what could be margin-deadening overhead into a rich resource of competitive capability.

For example, there is little technical reason why customer relationship management (CRM) software cannot be designed with privacy and anti-spam regulation in mind. Similarly, blending risk-management analytics with financial reporting tools gives financial services firms, in theory, the ability both to satisfy regulatory requirements and to better assess their own opportunities for managing credit relationships with key clients.

While the possibility exists that business unit managers will take the lead at integrating compliance concerns with their mission-critical business processes, what is more likely is that CIOs will be convening ongoing internal compliance summits where the needs of the business are realigned with the requirements of the law. Compliance will increasingly become one of those areas where key centralization/decentralization issues are defined and threshed out in the digital systems IT designs and implements.

In this scenario, the CIO becomes the Compliance Integration Officer – a position representing a healthy extension of the more traditional title and role. This CIO succeeds not just by making a technical virtue of legal necessity but by making it easy for technical necessity to become a business virtue.

About the Authors

Michael Schrage is a co-director of the Massachusetts Institute of Technology’s (MIT) Media Lab’s eMarkets Initiative and senior advisor to MIT’s Security Studies Program. Schrage researches the economics of innovation. He consults widely on innovation management issues and, until its acquisition by IAC, served on the board of Ticketmaster. A columnist for CIO and Technology Review magazines, he is the author of “Serious Play” (Harvard Business School Press, 2000), which explores the role of models, prototypes and simulations in managing corporate innovation and risk.

Jeffrey Brashear is a managing director with BearingPoint, Inc. (NYSE:BE), one of the world’s largest business consulting and systems integration firms. He leads the Financial Services business unit’s Information Strategy and Architecture group. Brashear has more than 17 years of experience in various senior positions within the information technology industry, specializing in the management, architecture, design and implementation of large-scale, advanced technology solutions. His current focus is enterprise architecture transformation, specifically data convergence.