Managing Risk Starts at the Top
Intensified concerns about risk management, auditing and fraud detection, and corporate governance have sensitized boards and top management teams to adopt an even more active role in the oversight of business strategy and key enterprise activities. Significant regulations including Sarbanes-Oxley, HIPAA, and the Patriot Act have further raised the stakes.
Failures to meet the required attestations, unintended violations of privacy and confidentiality, or heightened vulnerabilities to identity thefts are likely to invite adverse reactions from regulators and from the stock market.
As business technology becomes embedded in core organizational processes, control systems, and decision support systems, it is vital that boards appreciate the material risks due to technology and understand the risk-mitigation strategy.
An enterprise-wide perspective is needed to guide the use of business technology in implementing effective and economical enterprise risk management systems that facilitate both management control and an ability to audit performance. With greater complexity in the processes and structures for managing business technology (for example, outsourcing, offshoring, and applications and website hosting), there is a need for more sophisticated models of enterprise-wide risk assessment that factor in not just the internal risks, but also the risks inherent in sourcing and external partnering.
Boards and top management teams must provide active oversight over how business technology risks impact the business, and ensure the effectiveness of the governance systems in mitigating these risks. The board must remain vigilant - always looking at both the business and technology sides of their organization.
Strategic risk refers to the risks facing the firm due to poorly envisioned or executed business strategies. Within business technology management (BTM), the focus is on risks at the intersection of business technology and business strategy. Regulatory compliance refers to corporate adherence to different regulatory expectations related to financial reporting and data management. Poor regulatory compliance invites liabilities of civil or criminal punishment and shareholder lawsuits. There are other forms of risks, including systems and sourcing risks.
Although those forms of risk are likely to be managed by business and technology executives, the management of strategic risk and regulatory compliance must reside at the board level.
What strategic risks must be managed at the top? Some of these risks include the following:
- Business model risk - This refers to the robustness of the business model and how well it is being executed.
- Competitive risk - This refers to the ability to sustain competitive action and retaliation.
- Investment risk - This refers to the ability to manage business technology spending in a business environment where capital is scarce and technologies are volatile, expensive and not easily understood.
- Integration risk - This refers to the risks of inadequate integration between business technology investments and business processes.
- Misalignment risk - This refers to inadequate alignment between business technology spending and business priorities.
- Governance models risk - This refers to the risks of inadequate participation and involvement of business and technology executives on key BTM decisions.
The management of regulatory compliance has always been an area of board oversight. However, the strategic importance of information and the nature of current business technologies have raised the stakes regarding the privacy, security, and confidentiality of information. In particular, there is heightened sensitivity to safeguarding not just sensitive corporate transaction data, but also data about customers, employees, and business partners.
The pervasiveness of business technologies has made it far easier for such information and data to be pilfered by unauthorized parties. In addition, with heightened concerns about terror, regulations increasingly compel organizations to furnish more data than before. The management of compliance requires attention to the following issues:
- Prevailing regulations.
- Maintaining and protecting data about transactions, customers, employees, and business partners.
- Alerting stakeholders about incidents of unauthorized access.
- Providing the affected stakeholders with assistance.
- The potential for economic sanctions and the threats to business continuity due to noncompliance.
- Effectiveness with regard to managing data in conformance with the regulations and stakeholder expectations.
- The cost of responding to the compliance expectations.
Faisal Hoque is an internationally known entrepreneur and author, and the founder and CEO of BTM Corp. His previous books include Sustained Innovation and Winning The 3-Legged Race. BTM innovates business models and enhances financial performance by converging business and technology with its products and intellectual property.