Corporate governance is a generic term used to describe
a number of processes by which companies are operated and, more
importantly, how they are directed by their Boards of
Directors.
Although there is no universally accepted definition of exactly what it is, there is general agreement on what good corporate governance should comprise. One thing, however, is very clear: it is not the narrower matter of enterprise IT management, which is currently enjoying a new lease of life rebadged as "IT Governance".
As a simple exercise in the accountability of the people who run businesses, corporate governance has been exercising regulators for many years; one of the first corporate governance regulations in the UK dates from 1986. It is only recently, however, that corporate governance has begun to have a major effect on businesses, as governments around the world begin to implement some fairly heavyweight legislation. The US has enacted the Sarbanes-Oxley Act, which carries significant penalties for internal control failure, and the European Union is preparing a Directive making good corporate governance mandatory for all organisations doing business in Europe.
This legislation is rapidly moving the failure to implement good corporate governance out of civil law and into the realm of criminal law in many countries.
Governments see this move to legislate as necessary because they have begun to realise the effect that significant business failures have on their citizens, and therefore on the political environment within which governments operate. There is also a political awareness that the current lack of faith in the capital markets is due in part to poor control over what are seen as the questionable activities of some companies. This lack of trust is often reflected in low growth, which may in turn constrain governments' ability to spend.
In addition, the Basel II New Capital Accord will provide significant advantages to businesses that are able to demonstrate good internal control, reflecting a growing view that good corporate governance is essential to rebuilding trust in global markets. In the EU the proposed Capital Adequacy Directive (CAD III) is widely expected to mandate compliance with Basel II for a far wider catchment of the European finance sector and for foreign-owned businesses operating out of Europe.
This is the situation in which risk managers currently find themselves, in the certain knowledge that there will be an even greater emphasis on meeting corporate governance objectives in the future, regardless of the corporate sector they operate in. What is more, the legislation is aimed not only at the top of the organisation but at the integrity of the processes right the way through the business: like a stick of seaside rock, there must be integrity written all the way through.
The new challenge for information risk management professionals is to ensure that they are able to support their organisations and their Boards of Directors in meeting corporate governance obligations in full, when doing so may require fundamental changes to the risk management structure within which they currently work. Furthermore, those structures will come under increased Board-level scrutiny in the future; they and their attendant processes must be consistent across the organisation and have in-built integrity.
The ISF project studied all of the reports and guidance available but concentrated particularly on the Turnbull report on the implementation of the London Stock Exchange Combined Code (UK, September 1999) and the Commonwealth Association for Corporate Governance (CACG) corporate governance principles.
Turnbull is particularly interesting because it is an implementation report and is therefore naturally pitched at a lower level than many of the other codes and guides, whilst continuing to follow the same high-level principles. This makes the Turnbull report much easier to implement than many of the more strategic reports and guidance documents, and easier to work with, because there is less need to extrapolate its principles down to a working level.
The CACG principles, on the other hand, are very high level and focused on the Board of Directors, but they are one of only two international sets of corporate governance principles available (the OECD principles are the other) and are based on some of the most important national corporate governance reports currently available, such as Bosch (Australia), Hampel (UK), King (South Africa) and Dey (Canada).
Two key conclusions may be drawn from the corporate governance requirements: that a number of processes need to be in place to manage an organisation's risks and, more importantly, that the risk management process itself must have inherent integrity. This is an important idea because it works on the basis that if the process is sound and the data input is sound then the results must be sound also; conversely, results produced by a process whose integrity cannot be demonstrated cannot be relied upon, whatever the quality of the input.
However, there is clearly more to managing information risks than just the integrity of the process, and this view is supported by many of the corporate governance implementation frameworks, such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control – Integrated Framework.
Although 11 years old, the COSO framework is still one of the
most useful tools available for helping organisations to develop
and implement appropriate and consistent internal control
structures. One way in which the COSO model maps onto the corporate
governance requirements for managing risks is shown in the table
below.
COSO model element             Risk management process

Control environment            A risk management structure covering the
                               entire organisation, with clearly defined
                               roles and responsibilities.

Risk assessment                A risk assessment process which is
                               consistent both across all risk areas and
                               across the organisation.

Control activities             Policies, standards and procedures
                               developed and implemented to ensure that
                               all identified risks are managed within
                               the organisation's "risk appetite".

Monitoring                     A process for the regular monitoring of
                               risk management processes.

Information and communication  A process for regular risk reporting to
                               executives and to the Board, with
                               facilities to enable the assimilation of
                               feedback into the risk processes; and a
                               process to communicate risk information to
                               the organisation's stakeholders, both
                               internal and external.
The primary requirement from this list is the establishment of a sound risk management structure with defined roles and responsibilities throughout the organisation. This has a parallel in the Basel II New Capital Accord requirement for "an independent operational risk function for measurement, methodology and process". Together these two requirements imply the need for an independent and consistent risk management function within organisations.
Many organisations already have a risk management structure in place within which most risks have in fact been managed adequately for many years. The most popular of these structures depends on a strong audit capability as its independent risk management function, reporting control exceptions to the Board, normally through the audit committee.
However, this structure has an inherent weakness: if audit is the only method of assessing whether risks have been properly managed, problems may be identified and rectified only after a delay, and the level of protection afforded to information and information processing systems may come to depend on the resources available to the audit function and on whether an audit is imminent. Furthermore, the individual nature of each audit does little to ensure a consistent approach to risk management across the organisation and may sometimes accentuate rather than reduce differences in the reporting of risks.
This structure has certainly worked with some success in many businesses and still operates in many organisations today. However, a significant number of forward-thinking organisations are moving to another type of risk management structure, which establishes an independent risk co-ordination function within the organisation to collect risk input from the business risk units and pass information about those risks to the Board via a risk committee and a risk officer, who may even be a member of the Board.
The business remains very much responsible for identifying and managing its own risks, with the risk co-ordination function setting standards, ensuring consistency, collating risk management reporting to the Board and relaying feedback from the Board to the business.
This newer structure fits the corporate governance requirements for risk management better, and in particular the requirements of the Basel II New Capital Accord, because it allows for the independent collection and assimilation of risk information from across the organisation. It also facilitates consistency in establishing the organisation's risk appetite, risk assessment and risk reporting. Basel II provides a high-level set of criteria for managing operational risk, which will probably become an internationally recognised benchmark.
In particular, Basel II will result in financial institutions developing systems to track internal and external losses and to model them, analysing the impact of those losses on the business in order to determine their capital charge; this can only be done within a function similar to the risk co-ordination function.
There is considerable consensus within the various reports and guides relating to corporate governance on which risks should be managed within a corporate governance framework. Whilst some codes and guides are very high level and consider only strategic, credit and operational risks, many set out a consistent set of nine specific types of risk that they consider should be managed.
Information risks are certainly among the risks that need to be managed within a corporate governance framework; this is clear from a number of the corporate governance codes and guides. However, none of the codes or guides firmly defines what constitutes information risk. This lack of a firm definition of what information risk contains, in a corporate governance sense, could create problems for information risk managers unless they are able to agree a firm definition within their own organisations. This is not an ideal situation, but it is how things currently stand until more detailed guidance is produced.
The Information Security Forum (ISF) project took a very wide view of information risks and information risk management, encompassing all of the risks that affect, or are generated by, the use of information and its related information systems or communications services. This definition may help information risk managers in establishing their own local definition, because it is essential that they are able to articulate to their peers in other risk specialisms what it is they are trying to protect, and what they are protecting it from, so that clear lines of demarcation may be established.
The ISF project went beyond identifying best practice in risk management structures and also determined the information risk management requirements for good corporate governance. By mapping the COSO model onto the requirements for risk management, it was a relatively simple job to extrapolate from them the generic information risk management requirements, which are set out below:
• An information risk management structure that:
  - has clearly defined roles and responsibilities
  - is consistent with the organisation's overall risk management structure
  - has a good interface with other risk management areas
  - is responsive to feedback and direction from the Board
• An information risk assessment process that:
  - is consistent across the whole of the organisation
  - has inherent integrity
  - identifies the nature and extent of the information risks facing the organisation
  - assesses the likelihood of the information risks materialising
  - establishes the cost-benefit case for implementing controls to manage information risks
• A process for determining and managing the acceptable level of information risk to the organisation (the information risk appetite)
• A set of policies, standards and procedures to:
  - ensure that all information risks are managed within the organisation's risk appetite
  - reduce the potential business impact of incidents by the use of control measures (to prevent, detect and recover)
  - monitor the effectiveness of implemented controls regularly
• A process for the regular monitoring of the information risk management process for both effectiveness and integrity
• A process for reporting information risks to the Board, with facilities to enable the assimilation of all feedback into the information risk management processes
• A process to communicate information risks to the organisation's stakeholders, both internal and external.
These information risk management requirements are of course still at a rather high level, but with a little effort they can be broken down considerably further into lower-level processes and procedures, which may then be tailored to meet the needs of an individual organisation. Conversely, a checklist such as this could provide some very good pointers for senior executives and Board directors to audit against, and so assure themselves that they have a good handle on all of their information risks. This set of requirements can therefore be a double-edged sword, providing both evidence of the need for significant resources to be devoted to information risk management and a way for the Board to ensure that information risk management is being properly exercised across the business.
All of the codes and guides agree that managing the risks to an organisation is a Board responsibility; however, this is not practical in a day-to-day management sense, so it is generally acknowledged that this must be a hands-off process. But since the responsibility remains with the Board, there needs to be a process by which it can control risks at arm's length.
For this reason, a key requirement of corporate governance, as reflected in all of the codes and guides, is ensuring that the Board is aware of the risks facing the organisation and how they are being managed. However, none of the codes and guides is specific about exactly what information the Board should see. This is particularly true for comparatively new risks like information risks.
Corporate governance will not go away, that much is clear; in fact it is going to increase in prominence as the low equity values of recent years begin to recover and stakeholders look to legislators to protect their increasing investment value. It is also clear that the integrity of individual processes is as important as the process itself, and therefore these processes are open to ever more detailed scrutiny from the regulators, considerably more transparency to stakeholders and far more visibility to the executives and the Board.
The new challenge to information risk management specialists is not just to implement good processes, but also to be able to prove that they are both consistent and repeatable under all foreseeable circumstances. This is a very tall order.
Colin Dixon is a project manager with the Information
Security Forum
The Information Security Forum project on Corporate
Governance will be published and available to ISF Members in August
2003.