by Adrian Bowles

Of Risk and Regulations

Jun 16, 2004

RFG believes risk and regulatory compliance are inextricably linked. Since one cannot typically prove compliance, one must have a way to measure, manage, and mitigate the risk of noncompliance. Businesses are formed and run to create shareholder value, which means delivering value to customers representing a market. Anything that doesn’t further this goal, such as compliance with government regulations, may be viewed as a costly distraction. To ensure that responses are appropriate, IT executives must develop procedures for evaluating regulatory requirements, based on the risk tolerance profile of the enterprise and a thorough understanding of the costs and consequences of noncompliance.

Business Imperatives

  • Managing incompatible or overly ambitious requests for IT resources is an ongoing responsibility for IT executives. Understanding the relationship between risk and regulations is now a critical skill, which can be honed by learning to classify and quantify risk. To manage their application portfolio more effectively, IT executives should include a formal risk assessment process when evaluating compliance efforts.
  • IT is often at the center of corporate responses to new regulations, and equally often included in planning only as an afterthought. IT executives should take an active role in evaluating the impact of new regulations by participating on cross-functional teams to review new requirements. The nature of the regulation (governance, privacy, security, etc.) and its associated risk (whether internal, external, or to an enterprise's reputation) will dictate the appropriate composition of such a team.
  • Placing a value on the risk to the enterprise's reputation is the wild card in managing compliance efforts. IT executives must collaborate with their peers in finance, legal, and general management to determine the probable impact of noncompliance across a range of potential outcomes in order to prioritize solutions effectively.

The business process reengineering movement of the 1990s saw wholesale restructuring of businesses. These upheavals were performed in order to focus on core processes and deliver superior economic results, in terms of return on investment (ROI) and other discounted cash flow (DCF) metrics. Requests for new IT systems or initiatives were treated as potential portfolio investments, and budgets were allocated on the basis of the highest ROI for a given level of resource allocation. However, simply treating regulatory issues as requests subject to the standard ROI hurdle doesn’t work, as most will never pass the threshold.

For example, the CIO of one firm RFG interviewed indicated that governance regulations such as the Sarbanes-Oxley Act of 2002 (SOX) were actually helpful to his organization. Even though he had a high degree of confidence in his procedures, regulations gave him a justification to document those procedures to prove that his firm was in compliance. As his firm matured from an entrepreneurial collection of acquired companies integrating legacy systems, this exercise helped his team mature into a more formal business. When pressed about quantifying the results, however, he asserted emphatically that anybody who based SOX efforts on ROI was “trumping up the numbers.”

For most enterprises, traditional financial metrics alone are insufficient to justify compliance efforts. Also, no budget exists to fund complete compliance with all relevant regulations in a timely manner while funding initiatives that will sustain the business. How, then, can an IT organization reasonably respond to compliance requirements? Using risk management concepts as the basic tool for project selection and management is a good place to start.

In an ideal world, all regulations that affect IT could be viewed as straightforward requirements: complete, consistent, and unambiguous. The regulation itself would provide sufficient detail to act as a guide to implementing its solution. In the real world, however, IT executives must deal with ambiguity, complexity, inconsistencies among regulations enacted in different jurisdictions, and resource constraints. All these factors contribute risk that must be managed because it cannot be eliminated.

The range of skills required to monitor and manage this risk comes from different disciplines. A cross-functional team approach is therefore ideal. Before deciding on the ideal team, however, one must understand the nature of risk and the types of risk IT deals with, inherently and as a result of new regulations.

On the surface, the concept of risk is a straightforward application of the same probability theory originally used to evaluate gambling activities. If one understands the probability of an outcome and the value of that outcome, one can evaluate the risk inherent in "playing the game." Clearly, the popularity of casinos, where all possible outcomes and values are known (including that the house always wins overall), indicates that in practice, risk management includes intangibles that go beyond rational economic theory. When cultural issues and individual preferences come into play, absolute quantification becomes impossible.

In the case of regulations, typically enacted to prevent the reoccurrence of undesired events or outcomes, one rarely has the ability to completely comply or the information necessary to understand the complete impact of failure. Real world risk management scenarios include variables whose values cannot be determined a priori, compounding the level of complexity.

Some industries have well-established risk models that are essential to profitability. Firms in these industries are typically well positioned to extend their risk-management functions to encompass the new issues for IT risk management. Modern life insurance, for example, depends on the existence of actuarial tables that predict mortality with enough precision to ensure that rates are sufficient to pay out expected claims. External factors, such as natural disasters and acts of war, may be excluded because they don’t fit the model. Investment banking and venture capital depend on risk models that capture sufficient detail to ensure success, at least at a macro level. In both industries, the basic principles of risk management and mitigation carry over to the IT compliance efforts.

As a rule, the larger the impact of failure on the public at large, the more regulations are enacted. So, for example, industries such as the financial markets, nuclear power generation, and telecommunications have significant operational constraints. From construction and operating rules for power plants to regulated capital reserves for banks, relevant government agencies mandate what needs to be done and how.

After the attacks of Sept. 11, 2001, for example, the United States’ Federal Reserve Board, Office of the Comptroller of the Currency, and Securities and Exchange Commission (SEC) issued a document detailing requirements for business continuity and disaster recovery for the nation’s largest banks. This was an effort to ensure that the financial markets would survive future disruptions. The document can serve as a blueprint for business continuity efforts across industries.

The Bank for International Settlements (BIS) New Basel Capital Accord (or "Basel II") regulations take into account three types of risk: credit, operational, and market. While credit risk is central to financial services, market and operational risk issues pervade all businesses and can provide insights into processes that are appropriate for IT compliance strategies in all industries. IT executives, like their general management counterparts, must cope with internal and external risk sources. A formal risk management program requires measurement, monitoring, and compensating controls for all identified risk factors.

As outlined in Figure 1 below, the scope of these risks may appear daunting at first. Finding the right set of skills to rationalize the firm’s response is critical to making informed compliance decisions.

Figure 1: A Survey of Risk Parameters for Compliance Teams

Type of Risk | Example | Regulatory Class | Mitigation Strategy | Skills
Operational | Improper or inaccurate accounting entries when transferring data between systems | Governance | Formal monitoring and reporting processes | Auditing, process management
Operational | Improper disposal of hazardous waste | Environmental | Outsourcing disposal | Legal – need to identify all potential
Security | Breach of perimeter or internal defenses which results in loss of control or data | Security, privacy, business continuity, disaster recovery | Policies for critical data handling and backup | Physical security, logical security, cryptography, archiving/recovery
Market / Event | Vendor or platform failure (adopters of NeXT computers in financial services) | Governance | Hedge, code escrow, open source, open standards | Technical – always have an alternative strategy for critical vendor-supplied solutions
Market / Event | Global or market-wide events, volatility, loss of market confidence | Governance | Frequent reviews of strategic assumptions, rule-based monitoring of business intelligence systems, hedging strategies, increased reserves | Strategic view, backed up by a deep understanding of economics and chaos theory
Market / Event | Competitive threats | Governance | Short-cycle strategy reviews | Corporate strategy based on a model that responds to new challenges
Market / Event | Loss of customer data, failed implementation of enterprise systems | Any failure that erodes customer confidence | Excellence in primary strategies, plus crisis management processes | Tactical and strategic public relations


Source: IT Compliance Institute and Robert Frances Group

External risks are those that occur outside the perimeter of the firm but which nonetheless affect operations. Mitigating these risks requires constant monitoring, planning, and “what-if” scenario analysis. This is not a technical role, but rather a strategic role by individuals with an appreciation of the IT impact of these events.

Internal risks are those that occur within the control, or scope, of the firm. There are also security issues at the boundary; this is the line of defense, and it is typically viewed as the responsibility of the firm. Ranging from physical security (often referred to as the "guards, guns, and gates" line) through logical barriers in hardware and software, failures in security may trigger enforcement of privacy, security, or even environmental regulations.

A CFO isn't likely to go to jail if an employee dumps a camera battery in a company wastebasket. However, a corporate policy of dumping old hardware in the trash exposes a firm to a plethora of real risks. These can range from violation of U.S. Environmental Protection Agency (EPA) rules (thanks to the multiple harmful components in modern computers) to identity theft if personal data hasn't been effectively wiped from the discarded hard drives. Best practices for secure disposal are emerging, led by manufacturers and recyclers. Wise IT executives are well advised to use professionals for this inevitable disposal.

Risk to an enterprise's reputation is actually a second-order or derivative category, and refers to the potential damage to the reputation of a firm when another category of risk event occurs. For example, in 1982, when Johnson & Johnson was the victim of Tylenol product tampering, the reputation of the firm was at stake even though the activities were beyond the scope of the firm's value chain.

When banks suffer extreme losses due to changing conditions in overseas markets, their local reputations suffer. When General Motors Acceptance Corp. acknowledged last month that the theft of employee laptops had potentially compromised the security of more than 200,000 customer records, the immediate impact was the need to send out warning letters. The longer-term impact to reputation will be harder to evaluate, but the policy that could have prevented the problem is crystal clear in hindsight: no local storage of critical data in unsecured locations. A secure remote-access policy would mitigate the impact of the hardware loss by separating relatively inexpensive hardware from the "crown jewels" of sensitive data, so that a stolen laptop is a hardware loss rather than a data breach.

A conceptually similar situation came to light when an executive at a financial services firm sold his Research in Motion, Ltd. (RIM) BlackBerry wireless handheld on an auction site. The executive failed to ensure that the purchaser couldn't use the device to retrieve sensitive information from the corporate servers of the seller's employer. Again, policies and simple technology (such as wiping and deprovisioning a device before it leaves the firm's control) would have compensated for human error, often the weakest link.

For regulated monopolies, in energy, for example, compliance costs are directly passed to customers via the rate base, and noncompliance is not an option. As the CTO of a large energy provider put it, the time for a debate on the reasonableness of a regulation is before it becomes law. Once regulated, compliance is expected. There is no further discussion or debate.

For other areas, however, such as business continuity planning, disaster recovery, and physical security, regulations are more open to interpretation. The gating factor tends to be the risk of public perceptions of failures and the resulting loss of support from a client base. The level of spending on these areas is typically viewed as discretionary. However, if confidence cannot be maintained, it may ultimately make the difference between a viable business and an acquisition target.

A real options approach is appropriate to continuously evaluate most investments in compliance to determine whether they are properly focused. Clearly, this is most appropriate for those regulations with primarily financial effects. Civil and criminal penalties are compounded by their contributions to the risk of an enterprise’s reputation. Regulations for which violations may have catastrophic results, such as those enacted and enforced by the U.S. Nuclear Regulatory Commission (NRC), should fall outside this recommendation.

As shown in Figure 2 below, the scope of impact varies greatly. Prudent risk management must ensure that the most significant events (those that could lead to criminal prosecution) have the most appropriate resources in place.

Figure 2: Potential Business Risks of Regulatory Noncompliance

Source: IT Compliance Institute and Robert Frances Group

The underlying problem is that no amount of money can eliminate all risk, and no firm has unlimited resources. As shown earlier in Figure 1, there are several distinct skill sets necessary to develop and sustain a meaningful compliance or risk management effort for IT. Some of these requisite skills are clearly technical in nature. Individuals trained in these specific skill areas should therefore report to IT management. Other skills, however, are best brought to bear as needed in regular planning meetings, and should not be maintained as line expenses within an IT budget. Examples include auditing, general strategy, and an understanding of the relevance of chaos theory to predicting global events that challenge local resources.

This cross-disciplinary approach is a cost-effective way to use these skills in a "just-in-time" process. Ownership of such a team is likely to be through general or financial management, with "dotted-line" responsibility to a CIO or even a chief information security officer (CISO) in some organizations.

RFG believes the compliance risk management process must be iterative, and include continuing analysis of progress and emerging risks and regulations. IT executives should manage this process, supported by the cross-functional team described above. This team may provide an ongoing review of internal and external events likely to trigger enforcement activities. The good news is that most of these efforts will pay dividends in improved business performance. They can be used to focus attention on what matters to the customer as well as what matters to the regulator. To attain maximum business benefits, IT executives should integrate these activities into the project prioritization process, and not treat them as add-ons.

RFG analyst Adrian Bowles wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Dr. Bowles.