Editor’s Note: This is the first in a new subset of featured articles here at Corporate Compliance Insights called the CCI Interview Series. We will be conducting interviews with some of the most influential figures in governance, risk, ethics, and compliance for this feature, which began in April with Jeffrey Kaplan discussing the behaviorist approach to business ethics. If you are interested in taking part in the CCI Interview Series, visit the Write for CCI page for more details or contact our editor.
The following interview was conducted between CCI founder/Managing Director Maurice Gilbert and Cheryl Strackeljahn, a Senior Manager for Deloitte Consulting Technology Strategy & Architecture.
Premise of Interview: The current high-risk environment creates an imperative for IT leaders to exploit information technology to manage risks both to existing assets and to future growth. IT should be used to enable systemic risk management by delivering a high-quality, reliable continuum of information from dispersed operations for heightened awareness, improved decision making and enhanced business performance.
Maurice Gilbert: What is the impact of today’s economy on information technology as it relates to risk?
Cheryl Strackeljahn: While business and IT leaders are well aware that the current economic climate calls for greater attention to risk management, the challenge is even greater as IT budgets are now more constrained than ever. Leaders should remember IT is critical as it can enable the integration of operational, transactional, and financial information to proactively identify and resolve risk-related issues, which may be more likely to arise in the downturn.
If managed well, the automation and ubiquity of IT can help predict, prevent, detect, manage, and report both internal and external risks, but constrained or mismanaged resources can negatively impact compliance and security as well as the longevity of the organization. As IT budgets tighten and cost reductions become part of the process, a solid risk management process will help a company determine if new risks will be incurred and how best to mitigate these risks.
Deloitte’s concept of Risk Intelligence – or companies that are most effective and efficient in managing risks both to existing assets and future growth — can help companies adopt a broader definition of risk that the IT strategy should support. The IT strategy, goals, and objectives should have a pervasive impact on the business and provide support to the business units as it relates to the company’s overall risk program. Key Risk Indicators (KRIs) should be a component of IT project prioritization.
The current high-risk environment creates an imperative for IT leaders to exploit information technology to manage risks both to existing assets and to future growth. It’s important to preserve risk management effectiveness as organizations look for ways to control costs. And an effective IT risk management program may actually offer cost-reduction opportunities while improving business performance.
Maurice Gilbert: Privacy and data leakage issues continue to make headlines. How can information technology enable systemic risk management to minimize these types of organizational issues?
Cheryl Strackeljahn: Privacy and data leakage risks can be detrimental to the brand image of an organization. IT can be a process enablement mechanism for creating consistency and transparency of real-time information across the enterprise, which can help minimize privacy and data leakage issues. Information management processes and supporting technology support can help a company to determine the security and user access needed to protect a company’s data. A technology infrastructure supported by a risk-based integrated compliance architecture provides the foundational information needed to support any changes in the organization, thus limiting issues. Additionally, this architecture will help mitigate remedial risks typically incurred with siloed organizational support.
By breaking down organizational silos, exploring commonalities among processes managed by different business units, implementing managed technology such as workflow applications and automated controls, and ensuring governing bodies have a clear view into risk management practices, organizations can help make it easier for personnel to find the information they need and follow the rules to help control privacy and data leakage issues.
Maurice Gilbert: Who within the organization should champion IT risk management? What is the role of business leaders outside of the IT discipline as it relates to IT risk management?
Cheryl Strackeljahn: Simply put, all “C- level” executives should champion IT risk management with close alignment and collaboration with the organization’s Legal department. If the company has a Corporate Risk Officer or Chief Security Officer, this leader should provide direction with the support of the Chief Information Officer or Chief Technology Officer.
While IT leaders bear the primary responsibility for IT-related risks that originate within their operations, they are also responsible for related risks that transcend their function. They have the responsibility to develop and enforce company-wide policies, procedures, and controls to help mitigate IT risk, but they should also help other business units understand their processes and requirements for improved risk management.
Today’s business processes require the technological infrastructure for support, and the owners of these processes should understand how their business process risks are mitigated through the support of technology. This need makes them a major stakeholder in the IT risk management processes.
Maurice Gilbert: What are the risks and rewards associated with IT risk management? How quickly can the benefits be recognized and measured?
Cheryl Strackeljahn: IT risk management can be at risk if it is too “siloed.” Fundamentally, the technical infrastructure supports the business from an operational and administrative perspective. Therefore, management of IT risk must be aligned with business operations to assist in mitigating business risks. IT risk management must have the support of the organization’s governing bodies, senior management, and other business units. Transparency and accountability are critical for alignment and to help avoid issues associated with data security, privacy, compliance, and so on.
One of the biggest rewards with IT management is the ability to provide the infrastructure to support the growth and changes in the business’ strategy and goals. A Risk Intelligent EnterpriseTM should have the ability to show how Key Risk indicators (KRIs), Key Compliance Indicators (KCIs), and Key Performance Indicators (KPIs) interact through dashboards and/or reports, thus giving the Board, executives, and business unit leaders the understanding of their risk tolerances as the business moves to support its strategy and goals.
An effective IT risk management program enables the integration of operational, transactional, and financial information to proactively identify and resolve risk-related issues, helping to protect and improve business performance. It can also help to predict, detect, manage, report, and prevent both internal and external risks that may otherwise stealthily or overtly threaten an organization’s ability to fulfill its business objectives.
Such benefits may be recognized and measured as early as a few months after implementation, particularly as they relate to reduced exposure to fines, theft, data leakage, privacy leakage, etc, and employee and customer confidence in operational processes.
Maurice Gilbert: How can an organization develop an IT risk management program that is flexible enough to handle a diverse range of projects while also avoiding limitations on organizational innovation?
Cheryl Strackeljahn: An organization’s IT risk management program should be understood and supported by all appropriate stakeholders within the organization through open lines of communication. It should focus on the overall organizational governance policies in terms of risk management in order to be flexible, and include automated controls that promote transparency and potentially even incent innovation. A Risk Intelligent EnterpriseTM should encourage a culture that recognizes, exposes, and measures risk and openly discusses roles and ethical scenarios associated with IT systems and data.
If the management of IT risk is an integral part of the strategic planning process and the portfolio management process, it will be one of the measurements used in the support of the business’s portfolio management process. Keeping the desired balance in the support of risk without stifling organization innovation is further supported by a Risk Intelligent EnterpriseTM that reevaluates the organizations’ KRIs, KPIs, and KCIs for needed adjustments.
Maurice Gilbert: How should a company keep risk on the forefront without hurting their company’s performance?
Cheryl Strackeljahn: Risk management is a critical business function that should be an integral part of the company’s strategic planning and implementation process, portfolio management process, and daily operational and administrative support process.
To ensure it stays on the forefront, it may be beneficial to take a slow and steady approach by gently integrating risk management processes and practices into the culture and day-to-day operations of the organization. Improving communication and demonstrating to executives and business unit leaders how they are already contributing to the risk management strategy may make it easier for them to understand how a streamlined, technology-driven risk management infrastructure can deliver short, immediate cost reductions, increased transparency, greater cross-enterprise collaboration, and ultimately, greater business value for the organization. From there, explain what they can do further and hold them accountable for monitoring and reporting the effectiveness of the program.
Maurice Gilbert: How can an organization adequately train employees throughout the company on their role in protecting privacy and data leakage?
Cheryl Strackeljahn: A Risk Intelligent EnterpriseTM ensures personnel is aware and adequately trained to understand their role in protecting privacy and data leakage. A required security and privacy awareness program is one of the ways to help employees understand the impact of privacy and data leakage violations.
A formalized data privacy and security training program with retention testing and data management guidelines and rules should be in place for data owners, stewards, and users. Strict enforcement of data management guidelines and rules creates an environment which supports the training program. In fact, this is something we exercise at Deloitte to help build risk management practices into the culture of our organization by mandating a training program and demonstrating to personnel how basic controls that they currently use are already contributing to the process and that it isn’t, and shouldn’t be, burdensome.
Maurice Gilbert: How does the owner of IT risk management make a business case to obtain support and funding for IT risk management and training?
Cheryl Strackeljahn: The owner of IT risk management cannot take a tactical nor siloed approach to building a business case for IT risk management and training. The owner must show IT risk management supports the benefits from the mitigation of unrewarded risk and the gains of rewarded risk in alignment with the business strategy, goals and objectives. The ROI is improved not only by this alignment but by the supportive training that is provided for an organization that is risk aware, thus decreasing the costs associated with remediation of risk issues and increasing revenues associated with gains from taking rewarded risks.
The IT risk management owner should develop and present an IT risk framework that supports the organization’s strategies, initiatives, and structure. The owner should outline the qualitative and quantitative impacts of not supporting IT risk management, including the costs to brand value, operations, etc., based on historical impact, and extrapolate the impact over future strategic plans. The owner may even determine IT risk management creates sustainable process improvements for the greater organization – hence paying for itself.
Also consider tools like The Risk Intelligence Map™ to facilitate such discussions. This will help influence perspectives on risk overall and the imperative for organization-wide support of a Risk Intelligent IT risk management program.
Cheryl Strackeljahn is a St. Louis based Senior Manager in the Technology Strategy & Architecture Service Line specializing in Deloitte Consulting – Technology. She has over 24 years of experience in Technology services and project management, including technical Governance and Risk Management Services, Technical assessments, technical strategy and service delivery planning, software systems selections and implementations.