Reposted, original on the “IT Governance, the Kapteyn’s view” blog on Computerworld UK in April 2009
Given the public outrage over the mess the financial sector created, and the need for governments around the world to spend public money to bail out the private sector, there will be a price to pay. The world might be focused on cleaning up the mess right now, but the first tremors are already being felt. The politicians who are now asked for approval to spend these vast amounts of money have already started mentioning the words “terms and conditions”. Some institutions do not seem to see this natural disaster waiting to happen and are fuelling it with expenditures and bonuses that are widely considered extravagant.
The price
Which natural disaster and what price? Well, the weapon of choice of politicians is legislation and regulation. And no self-respecting politician who would like to get re-elected sometime in the future (either in the United States or Europe) will propose that we just hand out the money without a quid pro quo. If you add those two statements together, you may expect new rules and regulations in the future. Not tomorrow, not a week from now, but when the financial storm settles they are bound to come. While checking this assumption by researching the web (reading blogs and following podcasts from leading political and economic analysts, for instance from the BBC, NPR and the Financial Times) I could find no real voice that disagrees and many who agree. So there you go: I am convinced that a new wave of governmental regulation is coming.
The scenarios
However, that does not tell us anything about the potential impact of any such new regulations on IT governance. This is where scenario thinking helps. The bad scenario says that if two scandals at two organizations (Enron and WorldCom) can trigger legislation of the size and with the worldwide impact of SOX, imagine the consequences of the worldwide failure of the financial sector. I know that the mention of the SOX legislation will send shivers down the spines of many (IT) managers. Let there be no mistake: for many companies, achieving SOX compliance was a nightmare. On the one hand, unclear regulations with rules changing in the middle of the implementation period; on the other hand, a number of companies who were ill prepared, grossly underestimated the effort needed and started too late. The bottom line is that many companies ended up spending a ridiculous amount of money to achieve a level of governance control that should have been there in the first place. By the way, this goes for enterprise and IT governance alike. So the bad scenario says that if you manage to survive the storm of the financial crisis, be prepared for the earthquake of the new governmental legislation that will follow it. If you adopt this scenario you might want to check your (IT) governance, risk and compliance function (if your organization has one) and verify that it is earthquake proof!
The alternative scenario says that, though legislation is inevitable, those who create it have a basic sense of recent history and the ability to learn from it (specifically from SOX), combined with a proper understanding of the current status of the average organization and its ability to change. In this case the legislation will come in a form that organizations can adjust to in a reasonable manner. All this will result in rules with acceptable impact and timeframes that will not lead to crazy project requirements (and the accompanying excessive cost). If you have that much confidence in our (elected) governmental representatives, don’t worry; I hope you dream about the beautiful sun which will inevitably come after this financial storm.
The textbook reaction?
According to the Australian Standard 4360 on risk management, the definition of a risk is “the chance of something happening that will have an impact on objectives”, so all of the above is definitely a risk. So again, check with your (IT) governance, risk and compliance (GRC) function (this time the risk expert) for the appropriate risk response. If mitigating the risk is the answer, the solution would be to bolster the GRC function in your organization. Hold on, did I just suggest asking a certain function whether they think it would be a good idea to increase their size and/or funding? Hmm, I probably need to think about that. Anyway, I hope the bigger message comes across.