Corporate governance has taken centre-stage across boardrooms around the world. The term applies to all aspects of a business. Given that technology is expected to play a key role in helping organisations achieve their business objectives, it is imperative to discuss the role of corporate governance over technology.
Risk management is a critical component of corporate governance. Risk management helps organisations recognise the wide spectrum of risks that they are exposed to. It aims to help them prioritise risks based on their potential impact, put mitigation plans in place, and monitor them so that they don’t become hurdles in achieving corporate objectives. Information technology is a key support function in any business, and regulation requires the board and the management to report key risks, and their assessment of how these risks are being managed. The Chief Information Officer (CIO) needs to play a significant role in supporting boards, audit committees and the management, in first understanding, and then implementing, good governance over IT.
Security and disaster recovery used to be the major risk factors, but today IT risk management covers a far wider range: runaway projects, global sourcing, regulatory compliance, privacy, trans-border data flow, export control, financial disclosure, certifications, business continuity, fraud detection, protection of intellectual property and shortage of skilled resources. The list is long, and promises to keep growing.
The sources of risk are multiplying as well. Natural disasters such as fires, floods, earthquakes and cyclones have always been a risk for IT. To that list of natural calamities can be added an ever-expanding range of man-made risks: viruses, worms, Trojan horses, phishing, spyware and identity theft, making the IT risk management job more difficult with every passing day. In addition, globalisation, new technology and attrition rates complicate the task of managing IT risks.
The responsibility for assessing risks and mitigating them, making them transparent to stakeholders, implementing an IT control framework, and ensuring that the roles critical to managing IT risks are appropriately defined and staffed lies with the CIO. Since the enterprise is the user of IT services, it should set the mandate for risk management and provide the resources to support and monitor the plan designed to protect specific business interests. In today's complex business environment, the IT service provider also needs to advise its clients to ensure that proper safeguards are in place. Internal and external auditors need to throw light on inadequate processes or on risks that are not being appropriately addressed. They must assure management that adequate measures have been adopted and implemented, or make recommendations for improvement.
Ultimately, individuals across the organisational hierarchy need to be aware of their responsibilities towards an effective IT risk management programme. Building a fence around IT risk to separate it from the rest of your organisational activity will not work, because the alignment of your IT strategy with your business strategy will underline the success, and even the survival, of your organisation.
The author is Partner-National Director, Risk & Business Solutions, Ernst & Young India. He may be contacted at sunil.r.chandiramani@in.ey.com