When trillions of dollars of assets suddenly disappear off the face of the planet, you can bet there’s going to be some finger-pointing. Republicans blame Democrats, Democrats blame Republicans, Congress blames the President, Europeans blame Americans, auditors blame accountants, risk managers blame business executives, and on and on and on … Alan Greenspan blames Ben Bernanke. Ok — that’s enough.
But when you really dig, what do you find? Underneath every bad decision, fraudulent assumption, and greedy gamble, there’s some analysis, and that analysis is built on a model, and that model is dependent on data from IT applications. Yes, it’s true: whether that application is a spreadsheet, business intelligence application, or ERP system, it all points back to IT.
The point is that the use and abuse of IT has enabled a tremendous injection of risks into global financial networks. IT has enabled just about every good or bad business decision over the past two decades, a period that has now seen two extraordinary IT-enabled recessions: first the tech bust and now the global financial crisis.
So, if IT enables bad business outcomes, should IT be used to better manage the risks that lead to bad business decisions and fraud? It could.
For an example of how IT is being used to prevent bad things from happening, one need go no further than the IT security organization. With compliance as an excuse, over the last four years security organizations spent huge amounts on controls automation, ranging from application controls like access management and segregation of duties to infrastructure controls like configuration auditing and security information and event management.
But when it comes to IT controls spending for the business, almost nothing has been done. Spreadsheet controls that could prevent the creation of errors in financial and investment models are almost never used. Transaction controls to ensure that business rules are followed in financial management systems have not been widely adopted.
So who’s to blame for this failure to automate the controls that are most closely associated with the risks in financial systems? While IT has been quick to adopt all kinds of automation to relieve its own compliance and risk management demands, most IT organizations have not “reached across the aisle” to the business in order to raise awareness of solutions that automate and lower the risks inherent in IT-enabled business processes.
Well, there’s no time like the present to take on responsibility for automating the controls that can stop fraud and improve process control. Siemens is an example of a company acting decisively: it is implementing ACL to automate controls for all of its accounts payable transactions worldwide. But why wait until being investigated by regulators?
How about a call to action for all those IT risk managers and compliance managers: You’ve done it for the IT organization — now, tell your business counterparts what IT solutions are available for them to prevent unacceptable business risks.