
Steve Sanazaro For TACUA April 8, 2010






Presentation Transcript


  1. A CIO’s Perspective on Compliance & Risk Management – Keeping Stakeholders and Auditors Happy with ICT Value Contributions and Controls. Steve Sanazaro, for TACUA, April 8, 2010

  2. Topline Summary • Objective: improve your understanding and your ability to team with IT leaders to implement and manage a robust and meaningful compliance regime • Briefly describe the general and college/university environment • Discuss IT Governance – where teamwork and cohesion begins • Describe the role, agenda and cross-pressures on CIOs and their organizations • Demonstrate some of the sources of dysfunctional friction between compliance and achieving the IT agenda • Provide a roadmap to: • IT – Compliance collaboration and integration for efficiency and productivity

  3. My Background…welcome to my day job • Executive and technology roles in all three aspects of information and communications technology: • Commercial technology product development – e-business, data communications, reservations technology, business applications • Corporate executive – business strategy and operations, technology planning and implementation and managing ICT (CIO/CTO/CEO/COO) • Professional services provider: advising corporations in a range of industries on business-technology opportunities and managing strategic initiatives (consultant) • Educator and mentor of the next generation of business-technology leaders (the 110% factor) • Diverse industry experience in the US and other countries: • Software, telecom, e-commerce, distribution and supply chain management, hospitality, transportation, consumer products, manufacturing, health, broadcasting, business process outsourcing, consulting • Companies in all stages: mature Global 500, mid-size growth, early-stage and startup companies, not-for-profits • Responsible for international initiatives and technology management with multiple companies • Instrumental in 2 successful IPOs • Founder of multiple companies, including two profitable professional services businesses • Today I advise companies on business and ICT strategy, major program implementations, competency development, change management and other subjects companies explore to maximize the competitive standing and value of the enterprise. • Special focus: strategic readiness, organizational health and sustainment, total supply chain, performance management, turnarounds, rejuvenation efforts • All of my engagements today require a strong background in international business, Information Technology, business operations, compliance and risk management, strategic planning, performance management, cross-cultural business and social experience and travel.

  4. A More Detailed Overview • 1 - The unique environment of colleges and universities and the environment we all share • 2 - The IT Value Proposition • Automation, Information, Communication, Collaboration • Routine performance and innovation • Performance and institutional sustainment • 3 - IT Governance • Integration, not alignment – team sport • Expectations, priorities and targets • Performance and organizational sustainment • Financial stewardship • Risk management and controls • 4 - What do CIOs do anyway? • Agenda and cross pressures • 5 - Friction and Dysfunction in IT Compliance Implementation • Risks – the infinite spectrum • IT control regimes • Integrating compliance into IT • 6 – A Roadmap to IT-Compliance Harmonization • Compliance as connective tissue, not a separate organ • Integration, not alignment • Implementing Practical Compliance • Where IT and Auditing need to collaborate the most today

  5. 1 - The Unique Environment of Colleges and Universities Today

  6. The 21st Century Economy • Global & relentlessly competitive: talent, products, customers, suppliers • Fast & Unforgiving – time is the enemy • Continuous innovations & imitations – new products, new competitors, new technologies, imitators everywhere • Digital – information is replacing physical goods • Customers are in command • Choice: access to global information, access to peer opinions • Fluid loyalties • Suppliers - Partners - Customers • Results-driven • Financial • Other • Emerging global culture – the new cosmopolitans

  7. Management in the Global Reality • Management’s great task will be taking strategic control of companies and simultaneously decentralizing operational control—loosening controls without losing control. • “Strategic Discontinuity,” McKinsey, 2002

  8. Enterprise Purpose: Convert Assets to Goals (diagram) • Assets: Cash; Ideas; Talent (People); Facilities; Allies & Partners • Value-Generating Processes: Generate or Raise Cash (Endowment, Grants, Building Projects…); Attract Talent, Allies and Partners; Grow and Strengthen the Institution; Build Brand Loyalty • Results: Graduates – stature & market acceptance • Enterprise Execution Model: Performance; Health & Sustainment

  9. Cash Results from Doing the Right Things Right • Businesses begin with assets and try to grow them over time • Assets become sales • Sales minus expenses become profits • Profits become cash flow • Cash flow becomes assets • There’s no reason to grow the asset base except to generate higher revenue, more sales, etc. • ICT must adopt the same attitude • The purpose of IT assets is to grow revenue (effectiveness) and net income (efficiency)

  10. Globalization Has Enlarged the Enterprise Focus & Risk Management Agenda • Talent development: attract, recruit, retain, develop, place • Economics and Free Trade • Tradition, Sovereignty and Cultural Preservation • The Role of Information, Communications and Collaboration • Education, Opportunity and Participation • Population Shifts and Mass Migrations • Human Rights • Crime & Safety • Environmental Concerns and Pollution • Transborder Disease • Corporate Social Responsibility and the Digital Divide • Compliance • Corruption and Governance • Intellectual Property Rights • Representation and Participation

  11. Colleges and Universities Face Additional Challenges • Some are common to all institutions; some are unique to educational institutions • Further gradients of issues arise by public/private, size, target curricula, etc. • Just a few of the many big questions: • What is the 21st century college and university value proposition? • Autonomy and centralization issues • What new programs or capabilities do we need? • Performance targets – what to measure, what to do with the results? • Customers and colleagues: students, academics, administrators, other stakeholder interests • How do we improve distance and continuing education? • How do IT technologies, applications and services change curricula, delivery methods, target audience, student and prospective student expectations? • The special function of university research • Endowments, special gifts, programs and other fundraising • Talent management – faculty, administration • Community support • Peer standing among other colleges and universities • Mastering legal and regulatory mandates

  12. College and University ICT Challenges • Centralized core systems and supporting infrastructure • Fragmented departmental and functional systems by discipline • High variability in governance policies and effectiveness • Non-standardized user technology • PCs and laptops, smart phones, game consoles, sensors, video cameras… • An “open” information culture – with information integrity and protection • Inherent resistance to centralized authority • Diverse investor (contributor/user) base with different objectives • Facility or discipline-specific gifts • Endowment • Student/parent payments • Industry/corporate gifts • Gifts in-kind • Net net: mandates from on high will not achieve the objective of a controlled ICT environment in a fragmented, decentralized institution • Challenge: how to get critical mass on the compliance team

  13. Institutions Balance Today with Tomorrow • Performance (today): • Doing the work; working the plan • The academic year cycle • The financial cycle • Fund raising campaigns • Incremental improvements – security, applications • Delivering on commitments • Meeting deadlines • Operations reliability and continuity • Meeting goals and objectives • Managing controls; conducting compliance audits • Organizational Health (tomorrow): • Reinforcing desired culture – respect, curiosity, integrity, diversity, excellence • Strategic assessments – where do we want to be in the future? When does the future begin? • Planning – new programs, facilities, relationships, etc. • Skills and competency improvements (people) • Job and organizational structure reviews • Building compliance and risk management competencies

  14. Where’s your Line between Performance & Institutional Sustainment Initiatives • Performance: • Execution • Operations • Continuous Improvement • Monitoring • Measuring • Adjusting • Controlling What’s your institution's Optimal Golden Mean? Do you have a way to get there? [Time, talent & treasure] • Institutional Health & Sustainment: • New Capabilities - dynamic compliance, resilient disaster recovery • New Methods and Processes – administration, customer interaction • New Subject Areas – performance management and reporting • New Relationships – complementary; virtual institutions • Strategic Planning & Investment - programs, facilities, faculty, locations

  15. Innovation – the New – Is Hard to “Control” (diagram: a timeline running from Today through Today+ to a Continuous Future) • Today – Legacy systems: financial, email, registration, Blackboard, payments, grading, Internet access, etc. – controls in place & audited • Today+ – Emerging systems: social networks, smart phone apps, new academic apps – controls in development • Future – Innovative apps & services – the Wild Wild West • Spanning all three: process and accountabilities to develop & oversee controls; new and enhanced regulatory regimes – privacy, intellectual property rights, security, disclosure, transparency, statistical mandates… • Therefore, to jump ahead: the competence to develop, operate and improve controlled processes in a timely manner is MORE – MUCH MORE – important than developing a protocol for any one regulatory regime. [I know: easier said than done…]

  16. University Compliance Missions Are Inconsistent • To support the University’s fundamental commitment to the highest standards of ethics, education, integrity, lawful conduct, and responsible citizenship by complying with all laws, regulations, and internal policies. This makes sense to me. • Columbia University • To reinforce and support a culture at UNT which builds compliance consciousness into its daily activities and operations of the University and encourages each employee to conduct UNT business with the highest standards of honesty and integrity. This makes sense to me • University of North Texas • The mission of internal audit is to assess and monitor the university community in the discharge of their oversight, management, and operating responsibilities in relation to governance processes, the systems of internal controls, and compliance with laws, regulations and University policies including those related to ethical conduct by providing relevant, timely, independent, and objective assurance, advisory and investigative services using a systematic, disciplined approach to evaluate risk and improve the effectiveness of control and governance processes. Huh? • - University of California system

  17. 2 – The ICT Value Proposition

  18. Pervasive IT – Who’s In Charge? In Control? • ICT today serves every aspect of institutional life, and numerous personal ones as well • Universities have an exceptional Venn overlay of these two domains • Transcends organizational boundaries – tremendous interaction with external individuals and institutions • Continues to permeate organizations at every level and scale • Is encompassing more devices (Smart phones, object sensors, what’s next?) • Includes all types of data (text, numbers, video, audio, all digitally translatable analog data, real time, hyper-aggregated, images…) • Includes both staged, asynchronous and real-time information events • The proportion of IT activity that happens outside of IT continues to grow • Consumer devices – iPhone, Blackberry, Xbox, Playstation • Social networking – Facebook, online games, Twitter, Foursquare • Embedded systems – device sensors and controllers, cars • Non-IT business functions - every enterprise function has some “independent” IT, whether they admit it or not (think Excel) • Consider everything your faculty and students are doing with Information, Communications and Collaboration tools today? What’s coming tomorrow? • Content, devices, communications channels, users, collaborators, intelligent agents

  19. The ICT Value-Building Cycle (diagram: Plan → Execute → Assess → Move On) • Components shown: Environment; IT Governance, Portfolio Management & Alignment; Delivery; Business Strategy – Differentiators; Enabling Initiatives & Execution; Priorities, Projects & Service Levels; Measurement; Operations; Capabilities & Competencies; Performance Management – Measures & Targets; Vision & Mission; Adjust & Adapt – Flexibility & Resilience • Issue: What are the decision rights, accountabilities, responsibilities and metrics for each component and for the overall cycle? • Hint: no answers = no controls = ineffective risk management

  20. Four Sources of New IT Value (2×2 grid: Improve Decision Making vs. Improve Process) • Internal Informing – provide information to improve operational decisions • External Informing – embed information into products and services • Reshaping – change how customers and partners interact with the enterprise and its products / services • Optimizing – improve or transform internal processes through technology • Source: The Real Business of IT, Hunter & Westerman, Harvard Business Press, 2009

  21. The IT Value Proposition • Information, communications and collaboration • Automation of existing work • Blackboard • Accounting: AP, AR, GL, Asset Management • Funds management • Grants administration • Research • Admissions • Financial aid • Payment • Improvement and optimization • Innovation (new, unknown, speculative, experimental) • External integration • Risk management (assets, security, data, services continuity, liability)

  22. 3 – ICT Governance Getting a return on your ICT investments

  23. ICT Governance • Governance is the process of ensuring that an institution’s financial investments yield the desired returns and are “well managed” • A subset of the overall institutional governance function • Strategy (direction), institutional integration and oversight • Priorities and investments • Focus on projects, performance (overall operations) and sustainment • Integration, not alignment – a team sport • Setting expectations, priorities and targets • Focused, at heart, on ensuring that the enterprise receives an appropriate return for the money and other resources invested in IT • Financial stewardship • Balancing performance with organizational sustainment • Integrating strategy, operations and IT

  24. Governance: Analysis, Decision, Follow-through • Enablers: • Clear accountabilities • Shared purpose & goals • Smooth collaboration • Measures & targets • Org sustainment

  25. Risk Management is Integral to IT Governance • Internal control is a process • Not a department, organization or function – a genuine team sport • There is no ultimate destination or rest for the weary • In an ideal world it focuses on ensuring that the institution is being managed and operated in reasonable accord (not perfect accord – this is not a perfect world) with regard to: • Effectiveness (right things) and efficiency (right level of resources) • Integrity and reliability of reporting – not just financial • Compliance with a growing list of laws and regulations • Being able to deliver priority projects and services • Being able to keep services running (continuity) or to recover from a disaster • This makes well-managed risk management and compliance a key enabler of the institutional processes – IT and other – that move the enterprise towards its goals

  26. ICT Governance Cross Currents Goal: Achieving, maintaining and improving strategic and operational integration among all internal and external entities and stakeholders to deliver value and improve enterprise health and sustainability

  27. IT Investment Profiles “Rethinking IT Strategy,” McKinsey, Aug 2006

  28. CIO ICT Portfolio Allocations (diagram; source: based on Gartner Group, 2004) • Elements shown: ICT Structure; Investment Allocations (Capex & Opex); Bus-Tech Architecture; ICT Portfolio; Core Competencies; Organizational Health; Projects; Technology Selection & Implementation; IT Strategy & Alignment; Talent & Career Management; IT Operations, Support & Continuity; Risk Management; Measures & Targets; Innovation; Business Technology Projects; Competitive Parity or Advantage; Service Levels; Operations; Capacity Planning

  29. ICT’s Role Is Changing (source: “Is There A Career Future In Enterprise IT?”, Trends, August 2006)

  30. 4 – What do CIOs Do Anyway?

  31. CIO Career Growth Stages Source: “CIO Success Factors,” TechExecs, Nov 2009

  32. The CIO’s Universe (diagram of nested environments) • General & Business Environment • Enterprise Environment • Stakeholders & Business Partners • ICT Environment: Strategy; Governance; Integration & Alignment; Portfolio Mgmt; Compliance & Risk Mgmt; Architecture; Measures & Targets; Financial Mgmt; ICT Competencies, Processes & Staff; Projects; Emerging & Future Technologies; ICT Infrastructure & Operations

  33. The CIO Meta-Agenda • Shaping and meeting enterprise expectations – a translation layer between institutional needs and technology capabilities and talents • Providing reliable and effective IT services • Planning: insight and foresight • Doing the right things the right way • Operations – running what is already in place • Projects – delivering extended, enhanced or innovative improvements • Institution building / organizational health • Financial and compliance stewardship / risk management • Communicating value: the iceberg report • Building and reinforcing a high-performance culture • Net net: provide more value, continuously improve, and extend IT into new areas to increase the value/benefit provided for the investment made

  34. Sample ICT Agenda Items Today

  35. a brief aside on controls and controlled environments…

  36. Compliance Regimes (source: students enrolled in the EMIS 7360 Executive program, May 2008) • SB 1386 – California privacy breach disclosure law • Internal & proprietary regimes • FERC/NRC (energy) • FERPA – controls on student grade and other personal information • Jeanne Clery Act (1990) – campus crime disclosure • FISMA – Federal Information Security Management Act • PCI DSS – Payment Card Industry control objectives • Access – systems access controls • Sarbanes-Oxley (SEC, PCAOB, COSO, COBIT, ITIL) • SAS 70 – external service provider control regime • Gramm-Leach-Bliley – consumer information privacy safeguards • HIPAA – protection of personal health information • SysTrust & WebTrust – AICPA assessment of IT risks and controls (the original slide lists these as a possible substitute for a SOX audit; note that a trust services report is not a SOX 404 audit, although it can serve as supporting control evidence) • Government Accountability Office • Securities and Exchange Commission • NIST – National Institute of Standards and Technology • ISO/IEC 27000 series – information security management • Office of Thrift Supervision • ITIL – Information Technology Infrastructure Library • FIPS 140-1 & 140-2 – federal standards for validating cryptographic modules (hardware and software) • CMMI – Capability Maturity Model Integration • GAAP/FASB – Generally Accepted Accounting Principles / Financial Accounting Standards Board • IFRS / IASB (International Accounting Standards Board) – convergence projects with FASB underway

  37. The Purposes of Controls • Safeguarding assets – essentially the cash-to-result value chain • Checking the accuracy, integrity and reliability of operational and financial data • Promoting operational efficiency through rigorous process definition, measurement, assessment and continuous improvement • Encouraging and ensuring that official policies and procedures are followed • Demonstrating legal compliance by contemporaneous, current process, role and proof-of-adherence documentation

  38. Look at the Regulatory Storm We All Face • Missing from the picture: • PCI DSS • FERPA • Security breach reporting (CA SB 1386) • CA SB 25 re SSN use • Gramm-Leach-Bliley • DMCA • CAN-SPAM • Federal Privacy Act of 1974 – RMP-8 • E-Government Act of 2002 • OMB Circular A-130 • NIST security standards – FIPS 200, SP 800-53A • Cyber Security Research and Development Act

  39. Relationship of Control Regimes (diagram: the COCO, COSO, COBIT and ITIL frameworks laid across the Strategy, Finance, Applications and Operations layers) • University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.

  40. COSO Enterprise Risk Management Model

  41. The COSO ERM Framework • Entity objectives can be viewed in the context of four categories • Strategic • Operations • Reporting • Compliance • ERM considers activities at all levels of the organization • Enterprise-level • Division or subsidiary • Business unit processes Source: COSO Enterprise Risk Management Framework; Draft Version, July 2003

  42. Internal Environment • Risk Management Philosophy • Risk Culture • Board of Directors • Integrity and Ethical Values • Commitment to Competence • Management’s Philosophy and Operating Style • Risk Appetite • Organizational Structure • Assignment of Authority and Responsibility • Human Resource Policies and Practices

  43. Internal Auditors’ ERM Responsibilities per COSO • Do not have primary responsibility for establishing or maintaining ERM • Play an important role in monitoring ERM • Regarding the ERM process - assist management and the Board or Audit Committee by: • Monitoring - Examining • Evaluating – Reporting On • Recommending improvements CIO comment: ICT needs assistance too.

  44. ICT Vulnerabilities Are Increasing • Scale (pervasive IT) creates complexity; complexity generates opportunities to breach security • Security is a moving target • Security is a people issue, not a “technical” issue • Complexity of software and the “open” development philosophy • Microsoft Windows & most major-league applications • Linux / open source • Macintosh (yes, Macintosh) • New processing: • Wireless devices; open wireless connections • Unencrypted environments • Web-based processing – immature security • More send/receive devices (smart phones) • Decentralized infrastructures / physical and logical access control complexity

  45. Follow the Frameworks – Minimize “Roll Your Own” Controls • ISACA* definition of control: the policies, procedures, practices, and organizational structures that are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, detected and corrected. • * ISACA was formerly known as the Information Systems Audit and Control Association and, prior to that, the EDP Auditors Association.

  46. Control Frameworks and ICT • Control Environment – as much the culture of integrity and ethics as the official policies and procedures. Roles and responsibilities. • Risk Assessment – internal and external; controllable (prevent) and uncontrollable (anticipate and recover); observe and report only • Control Activities – policies and procedures that transparently ensure that management directives are carried out • Information and Communication – includes all information being controlled. Includes ensuring that everyone knows their role and responsibility. • Monitoring – timely assessment of adherence and effectiveness of controls

  47. CobiT Processes by Domain (diagram of the four COBIT 4.1 domains) • Planning & Organization • Acquisition & Implementation • Delivery & Support • Monitoring (Monitor & Evaluate)

  48. Integrated CobiT Schematic

  49. The 34 Defined CobiT Processes (diagram; the processes are grouped under the four domains)

  50. The 7 CobiT Principles (slide graphic not reproduced; the seven COBIT 4.1 information criteria against which controls are assessed are effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability)
