French Caldwell

A member of the Gartner Blog Network

French Caldwell
Research VP
11 years at Gartner
15 years IT industry

French Caldwell is a vice president in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact…

Who’s to Blame for the Credit Crisis? How About IT!

by French Caldwell  |  October 13, 2008

When trillions of dollars of assets suddenly disappear off the face of the planet, you can bet there’s going to be some finger-pointing.  Republicans blame Democrats, Democrats blame Republicans, Congress blames the President, Europeans blame Americans, auditors blame accountants, risk managers blame business executives, and on and on and on …  Alan Greenspan blames Ben Bernanke.  Ok — that’s enough.

But when you really dig, what do you find? Underneath every bad decision, fraudulent assumption, and greedy gamble, there’s some analysis — and that analysis is built on a model, and that model is dependent on data from IT applications — yes, it’s true — whether that application is a spreadsheet, business intelligence application, or ERP system — it all points back to IT.

The point is that the use and abuse of IT has enabled a tremendous injection of risk into global financial networks. IT has enabled just about every good or bad business decision over the past two decades — a period that has now seen two extraordinary IT-enabled recessions — first the tech bust and now the global financial crisis.

So, if IT enables bad business outcomes, should IT be used to better manage the risks that lead to bad business decisions and fraud? It could.

For an example of how IT is being used to prevent bad things from happening, one needs go no further than the IT security organization.  With compliance as an excuse, over the last four years security organizations spent huge amounts on controls automation, ranging from application controls like access management and segregation of duties to infrastructure controls like configuration auditing and security information and event management.

But when it comes to IT controls spending for the business — almost nothing has been done.  Spreadsheet controls that could prevent the creation of errors in financial and investment models are almost never used.  Transaction controls to ensure that business rules are followed in financial management systems have not gotten very good adoption.

So who’s to blame for this failure to automate the controls that are most closely associated with the risks in financial systems?  While IT has been quick to adopt all kinds of automation to relieve its own compliance and risk management demands, most IT organizations have not “reached across the aisle” to the business in order to raise awareness of solutions that automate and lower the risks inherent in IT-enabled business processes.

Well, there’s no time like the present to take on responsibility for automating the controls that can stop fraud and improve process control. Siemens is an example of a company acting decisively: it is implementing ACL to automate controls for all of its accounts payable transactions worldwide. But why wait until being investigated by regulators?

How about a call to action for all those IT risk managers and compliance managers:  You’ve done it for the IT organization — now, tell your business counterparts what IT solutions are available for them to prevent unacceptable business risks.

3 responses so far ↓

  • 1 Peter Teo   October 16, 2008 at 2:36 am

    Interesting, but how can IT prevent human greed?

  • 2 Jeffrey Mann   October 24, 2008 at 4:58 am

    I obviously agree.
    http://blogs.gartner.com/jeffrey_mann/2008/10/06/how-long-before-it-gets-blamed-for-the-financial-crisis/

  • 3 Christofis Constantinidou   November 18, 2008 at 6:32 pm

    The question should be, was the gap between business and Information Technology too great and who signed it off?

    Or indeed not! … Who knows if the financial organisations were industrialised with a robust framework strategy that was portable for hard times (with contingency). Why didn’t industry-led measures kick in? With true measurement, that wasn’t the banks’ fault!!!???

    Do we know what “GOOD” is and how we measure it? Was the error’s strategy, process, could we simply blame people? or was this only a proportion of the real issues?

    To blame I.T. is quite simply naive. Without investigation none of us can provide a quantitative or qualitative view. To say it was a dreadful shame would be an understatement… How can we mitigate such events in future? By utilising the correct auditing tools and business applications; however, these need to be components within a 360 degree robust strategy framework, measurement gates and collaboration between independent consultants and corporate management. Ones that will share a risk in the game … and not simply provide service for fees without sharing in rebuilding the history and fine tuning into a successful future.