Thursday, April 28, 2011

How to Strengthen Your IT Risk Management Program

An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.

A recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives but not board members. Forty-five percent of the participants were from critical infrastructure companies.

The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:

1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.

2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.

5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.

6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.

10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.

These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s risk mindfulness level, but also secure positive returns for key investors and stakeholders for years to come.

Wednesday, April 27, 2011

SEC Releases Long-Awaited Study on SOX

This week, the U.S. Securities and Exchange Commission ("SEC") released its study on the impacts of section 404(b) of the Sarbanes-Oxley Act ("SOX"). The SEC concluded that section 404(b) which requires an external auditor to issue an opinion on a company's internal control over financial reporting should remain effective for mid-sized companies with a market capitalization of $75 to $250 million. Here is a summary of their conclusion and recommendations:

The work performed by the Staff reinforces our understanding that the costs of Section 404(b) have declined since the Commission first implemented Section 404, particularly in response to the 2007 reforms, that investors generally view the auditor's attestation on ICFR as beneficial, and that financial reporting is more reliable when the auditor is involved with ICFR assessments.

1. Maintain existing investor protections of Section 404(b) for accelerated filers, which have been in place since 2004 for domestic issuers and 2007 for foreign private issuers.

2. Encourage activities that have potential to further improve both effectiveness and efficiency of Section 404(b) implementation.

Since the Dodd-Frank Act exempted small companies with a market capitalization less than $75 million from section 404(b), this study should effectively end the debate over Sarbanes-Oxley section 404 requirements. For mid-size companies looking to gain efficiencies in complying with section 404(b), Wheelhouse Advisors can help. Email us at NavigateSuccessfully@WheelhouseAdvisors.com to learn more.

Wednesday, April 20, 2011

Cloud Security Concerns Are Diminishing

As software vendors look for ways to improve their product offerings, many are venturing into the cloud. However, for most of the last decade, as cloud computing (also known as Software as a Service or "SaaS") has evolved, some companies would not even consider the notion of using these products due to fears about data security. Now that the major cloud providers have refined their technological infrastructures, that fear is unwarranted. In this month's issue of Treasury & Risk Magazine, more evidence is provided to support the integrity of cloud-based software products. Here's an excerpt:

As cloud vendors mature, Web-based delivery of applications, storage and infrastructure is getting more secure and trustworthy. That doesn’t mean that the risks are gone—they’ve just migrated to a more difficult-to-manage form. Today, big-name cloud providers like Salesforce.com offer top-notch security, auditability and compliance. Even Google provides a compliant e-mail hosting solution for regulated industries such as healthcare and finance.

In fact, clouds can offer a security advantage over traditional software, since cloud providers specialize in making their application as secure as possible, spreading the costs of that effort among many customers. On their own, companies might not be able to afford the same level of security.

Coupled with the benefits of little or no maintenance as well as the minimal initial investment, the fact that cloud-based software is highly secure makes the business case for moving to the cloud a no-brainer for businesses looking for efficient and effective software solutions.

Friday, April 15, 2011

How the Dodd-Frank Act Could Impact Your Weekend

On a Friday like today, most folks are looking forward to a relaxing, fun-filled weekend away from work and the myriad regulations with which we have to comply. Now, it looks like the new financial reform regulations may have an impact on our leisure time activities. What, you say? How could that be? Well, according to an article this week in the Wall Street Journal, the Dodd-Frank Act could force companies that use derivatives to hedge commodity price fluctuations to provide cash collateral on the transactions. If that happens, then the cost will be transferred to the consumer in the form of higher prices. One company that anticipates price increases is MillerCoors LLC. Here's what the head of risk management at MillerCoors had to say, according to the Wall Street Journal:

Craig Reiners, director of risk management at beer giant MillerCoors LLC, said the derivatives rules were designed to reduce threats to financial stability, whereas companies such as his "pose no systemic risks." If end users aren't shielded, the rules "would have a very harmful effect on our risk-management of the business and for that matter ultimately the cost of a six-pack of beer." MillerCoors uses over-the-counter derivatives to hedge against price volatility in areas such as aluminum, hops and energy.

So, as you head out to a sporting event or simply plan to kick back with a cold beverage in your back yard this weekend, beware of the possible negative and unintended impact to your wallet as a result of financial reform.

Thursday, April 14, 2011

U.S. Senate Releases Financial Crisis Report

Yesterday, the United States Senate Subcommittee on Investigations released its report covering the events leading to the financial crisis of 2008. The Subcommittee began its investigation in November 2008 and held several high-profile hearings in April 2010. The lengthy report includes an analysis of all of the major players involved in the crisis - Mortgage Lenders, Investment Banks, Regulators and Credit Rating Agencies. What is notable about the report is that it received full, bipartisan support, unlike the report issued recently by the Financial Crisis Inquiry Commission. In addition, the report is clear and specific in its recommendations. As noted in the following excerpt, the focus of the report is to prevent a repeat occurrence of a painful shock that could have been averted.

Nearly three years later, the U.S. economy has yet to recover from the damage caused by the 2008 financial crisis. This Report is intended to help analysts, market participants, policymakers, and the public gain a deeper understanding of the origins of the crisis and take the steps needed to prevent excessive risk taking and conflicts of interest from causing similar damage in the future.