SOX is still here, but this year you're smarter. If you survived year one, then you know a lot more now. But do
your CEO and executive board know enough? If they still need a SOX tutorial, then you are in luck.
The Open Compliance and Ethics Group Technology Council, which has merged with the Compliance Consortium, has published "Governance, Risk Management, and Compliance: An Operational Approach," to help CIOs plan for compliance, and compliance discussions.
Ideally, your CEO will be well-versed on compliance. But it's more likely, according to Ted Frank, president of the compliance software company Axentis, Inc., and director of the technology council, CIOs will have some explaining to do. Here Frank provides five questions that every CIO should ask their CEO.
Do we have a shared understanding of the principal strategic, financial and regulatory risks facing the organization?
Ted Frank: The most significant question that needs to be asked is this one. There's a bunch of different bodies out there that have come out with high-level conceptual approaches to managing risk. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is probably, in particular in the U.S., the leading methodology for thinking about risk. COSO says there are four categories of risk. The first is legal and regulatory risks. So these are mandates placed upon the company, by the government, and if you don't manage compliance with these processes, you're going to be in a lot of trouble. That's where SOX falls, HIPAA [Health Insurance Portability and Accountability Act] falls and a lot of others. The second category is operational risk. A good example of that would be supply chain risk. The third is financial risks. Finally, you've got strategic risks and that's more nebulous.
The answers you want are 'Yes, we have someone that's designated to drive this concept of enterprise risk management, or, 'No, we don't have a shared understanding and we're going to address that.' We're going to get someone that's focused on defining all of those risk management categories.' That's the partner the CIO needs to put something good in place. I think the COSO categories are a superb place to start.
Do we have clarity regarding roles and responsibilities for risk and compliance requirements?
Frank: As a CIO, I'd want to know who owns risk management and compliance in an organization. I'd need to know who my compatriot is when making decisions around the process. One of the problems with compliance is that organizations have plenty of people who own various aspects of compliance. You go to one and you get a perspective and opinion. You go to the next and it completely contradicts what you heard from the last person. If I were in that position, I'd be down on my hands saying, 'We've got to get someone who is the master of this process.'
How do we measure efficiency and effectiveness?
Frank: If you don't have appropriate metrics and performance levels defined, you'll never really know what you're doing. I would like to establish what those metrics are. What are the appropriate and acceptable performance parameters? You can put in all the great processes in the world, but if you don't know if they're working or not, what's the point?
Who are the various constituencies that have an interest in the performance of compliance and risk management?
Frank: You've got a lot of different constituencies that care about the performance of compliance. Underlying all of this, you have the same data and the same processes, but you're looking through different prisms. The regulators are looking for certain things. Your shareholders are looking at the exact same information, but they're looking at it through a different prism. They want to see different information, and may not care about the information the regulators are looking for. My board, my executive management, my operating management … all need to consider what they're looking for and how this dovetails into their particular area of responsibility.
Which systems are currently used to manage compliance and risk management activities? What other systems are dependent on compliance and risk management?
Frank: Cataloging the systems that are currently used to manage compliance activities is important. You need to understand all the touch points. Part of that process is actually being done by Sarbanes-Oxley, but more for financial reporting compliance than other areas of compliance. The same diligence ought to be used for other areas of compliance. Those are critical components to just getting your arms around the current landscape.