IT Compliance and Controls

Converging Business, Information, and Controls


Lessons from Financial Crisis for CIO and Executive Technology Leadership, pulled from Senior Supervisors Group

November 9th, 2009 · No Comments

According to a recent examination by global professionals of the failure of risk management controls with respect to financial exposures, many of the failures can be attributed to very specific technology failures.  This does not excuse the vast number of other shortfalls (apply blame as you see fit), but it does highlight that these technology failures certainly did not help the situation, and in fact exacerbated it to some degree.  A few cogent points highlighted in the 36-page report are eerily applicable to all organizations, and should be a flare to all audit, security, risk management, and compliance personnel.  The PDF report can be downloaded here.

Points that should be carefully considered:

“One challenge to improving risk management systems has been poor integration resulting from multiple mergers and acquisitions”

This is especially dangerous considering that many businesses choose to operate separately at first in order to insulate the business at large from interruptions.  Information systems are generally incompatible at the beginning of any integration, owing to the lack of pre-planning and enterprise M&A integration methodologies within the acquiring firms.  Organizations should take immediate action if they have acquired entities without consolidating these technology systems, or at the very least route ALL traffic, logs, compliance controls, and processes through the acquiring entity.  This creates both friction and a need for efficiency – two very powerful forces that will result in immediate transformation of these information technology environments, in the right direction.

“…acquisitions over the years have produced an environment in which static data are largely disaggregated”

This affects the ability to ensure consistent daily delivery of data and information technology services.  In addition, historic activity is just as important in managing current data environments.  Lacking such clarity and statistics, executives are forced to manage blindly, without any context or a sensible barometer of delivery and achievable commitments.

“…certain products and lines of business have not been included in data aggregation and analysis processes”

Technology has historically been disconnected from the business delivery objectives, and the outright exclusion of specific products and businesses only ensures that budgets will be misplaced, service will be inappropriate, and risks will not be addressed properly (if at all).

“…two systems for the same business results in duplication of processes”

This finding simply highlights waste – waste in resources, talent, time, bandwidth, budget, and brainpower.  In an age of interconnected capabilities, such requirements for dual systems should be becoming sparse and rare.

An interesting message that echoes throughout the report is risk management's lack of complete visibility into the firms’ risks.  This point is similar in both nature and impact for CIOs and technology executives alike.  How well do we professionals truly understand what is happening, and what has happened, within the business information systems?  Is all the pertinent data provided and managed?  Peter Drucker would certainly ask: Are you fully aware of the system (not the one computer or the e-transactions, but the technology system as a whole)?  Are you making choices based on all the right information, or based on the information you happen to have (right or wrong)?

The crossovers between professional risk management and technology leadership are clear, striking, and very relevant.  It is prudent that today’s leadership be aware of, and armed with, the skills across many trades – risk management in particular – to truly leverage the centuries of experience that exist within arm’s reach.

Additional perspective – please leave a comment,

James DeLuccia IV

Check out my other thoughts here on IT Controls and PCI DSS
