Five compliance questions to ask your CEO

By Sarah Lourie, Associate Editor
08 Nov 2005 | SearchCIO.com


SOX is still here, but this year you're smarter. If you survived year one, then you know a lot more now. But do your CEO and executive board know enough? If they still need a SOX tutorial, then you are in luck.

The Open Compliance and Ethics Group Technology Council, which has merged with the Compliance Consortium, has published "Governance, Risk Management, and Compliance: An Operational Approach" to help CIOs plan both for compliance itself and for the compliance discussions they will need to have.

Ideally, your CEO will be well-versed in compliance. But it's more likely, according to Ted Frank, president of the compliance software company Axentis, Inc., and director of the technology council, that CIOs will have some explaining to do. Here Frank provides five questions that every CIO should ask their CEO.

Do we have a shared understanding of the principal strategic, financial and regulatory risks facing the organization?

Ted Frank: The most significant question that needs to be asked is this one. There's a bunch of different bodies out there that have come out with high-level conceptual approaches to managing risk. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is probably, in particular in the U.S., the leading methodology for thinking about risk. COSO says there are four categories of risk. The first is legal and regulatory risks. So these are mandates placed upon the company, by the government, and if you don't manage compliance with these processes, you're going to be in a lot of trouble. That's where SOX falls, HIPAA [Health Insurance Portability and Accountability Act] falls and a lot of others. The second category is operational risk. A good example of that would be supply chain risk. The third is financial risks. Finally, you've got strategic risks and that's more nebulous.

The answers you want are 'Yes, we have someone that's designated to drive this concept of enterprise risk management,' or, 'No, we don't have a shared understanding and we're going to address that. We're going to get someone that's focused on defining all of those risk management categories.' That's the partner the CIO needs to put something good in place. I think the COSO categories are a superb place to start.

Do we have clarity regarding roles and responsibilities for risk and compliance requirements?

Frank: As a CIO, I'd want to know who owns risk management and compliance in an organization. I'd need to know who my compatriot is when making decisions around the process. One of the problems with compliance is that organizations have plenty of people who own various aspects of compliance. You go to one and you get a perspective and opinion. You go to the next and it completely contradicts what you heard from the last person. If I were in that position, I'd be down on my hands saying, 'We've got to get someone who is the master of this process.'

How do we measure efficiency and effectiveness?

Frank: If you don't have appropriate metrics and performance levels defined, you'll never really know what you're doing. I would like to establish what those metrics are. What are the appropriate and acceptable performance parameters? You can put in all the great processes in the world, but if you don't know if they're working or not, what's the point?

Who are the various constituencies that have an interest in the performance of compliance and risk management?

Frank: You've got a lot of different constituencies that care about the performance of compliance. Underlying all of this, you have the same data and the same processes, but you're looking through different prisms. The regulators are looking for certain things. Your shareholders are looking at the exact same information, but they're looking at it through a different prism. They want to see different information, and may not care about the information the regulators are looking for. My board, my executive management, my operating management … all need to consider what they're looking for and how this dovetails into their particular area of responsibility.

Which systems are currently used to manage compliance and risk management activities? What other systems are dependent on compliance and risk management?

Frank: Cataloging the systems that are currently used to manage compliance activities is important. You need to understand all the touch points. Part of that process is actually being done by Sarbanes-Oxley, but more for financial reporting compliance than other areas of compliance. The same diligence ought to be used for other areas of compliance. Those are critical components to just getting your arms around the current landscape.

This article originally appeared on our sister site SearchCIO.com.
