How information risk management underpins good corporate governance

Corporate governance is a generic term used to describe a number of processes by which companies are operated and, more importantly, how they are directed by their Boards of Directors.

Corporate governance is a generic term used to describe a number of processes by which companies are operated and, more importantly, how they are directed by their Boards of Directors. 

Although there is no universally accepted definition of exactly what it is, there is a general agreement on what good corporate governance should comprise.  However one thing is very clear, it is not the more limited issue of enterprise IT management, which is currently enjoying a new lease of life rebadged as “IT Governance”.

As a simple exercise in accountability of the people who run businesses, corporate governance has been exercising regulators for many years, with one of the first corporate governance regulations in the UK being in 1986.  However, it is only recently that corporate governance has begun to have a major effect on businesses, as governments around the world begin to implement some pretty heavyweight legislation.  The US have enacted the Sarbanes-Oxley Act which has significant penalties for internal control failure, and the European Union is preparing a Directive making good corporate governance mandatory for all organisations doing business in Europe. 

This legislation is rapidly moving the failure to implement good corporate governance from a civil law issue into to the realms of criminal law in many countries. 

This move to legislate is seen as necessary by governments because they have begun to realise the affect that significant business failures have on their public citizens and therefore on the political environment within which governments operate.  There is also a political awareness that the current lack of faith in the capital markets is in some part due to the poor control over what is seen as questionable activities of some companies and this lack of trust is often reflected in low growth, which may in turn result in constraints on governments’ spending ability. 

In addition, the Basel II New Capital Accord will be providing significant advantages to businesses that are able to demonstrate good internal control, reflecting a growing view that good corporate governance is essential to rebuilding trust in global markets. In the EU the proposed Capital Adequacy Directive (CAD III) is widely expected to mandate compliance with Basel II for a far wider catchment of the European finance sector and foreign owned businesses operating out of Europe.
This is the situation that risk managers find themselves in currently, in the certain knowledge that there will be an even greater emphasis on meeting corporate governance objectives in the future, regardless of the corporate sector they operate in.  What’s more, the legislation is not only aimed at the top of the organisation but at the integrity of the processes right the way through the business, like a stick of seaside rock there must be integrity written all the way through.

The new challenge for information risk management professionals is to ensure that they are able to support their organisations and their Boards of Directors in meeting corporate governance obligations in full, when doing so may require fundamental changes to the risk management structure that they are currently working within.  Furthermore there will be increased Board level scrutiny of those structures in the future, they and their attendant processes must be consistent across the organisation and have in-built integrity.

The project studied all of the reports and guidance available but particularly concentrated on the Turnbull report on the implementation of the “London Stock Exchange combined codes” (UK, September 1999) and the Commonwealth Association of Corporate Governance (CACG) corporate governance principles. 

Turnbull is particularly interesting because it is an implementation report and therefore it is naturally at a lower level than many of the other codes and guides, whilst continuing to follow the same high level principles.  This means that the Turnbull report is much easier to implement than many of the more strategic reports and guidance documents and therefore it is easier to work with because there is less need for extrapolation of its principles down to a working level. 

The CACG principles on the other hand is very high level and Board of Directors focussed, but it is one of only two international corporate governance sets of principles available (the OECD principles is the other) and is based on some of the most important national corporate governance reports currently available such as Bosch - Australia, Hampel - UK, King - South Africa and Dey - Canada.

There are two key conclusions that may be drawn from the corporate governance requirements, that there are a number of processes that need to be in place to manage an organisation’s risks and that, more importantly, the risk management process itself must have inherent integrity. This is an important idea because it works on the basis that if the process is sound and the data input is sound then the results must be sound also.

However, it can be clearly seen that there is more to managing information risks than just integrity of the process, and this view is supported by many of the corporate governance implementation frameworks, such as the Committee of Sponsoring Organisations of the Treadway Commission (COSO) Internal Control – Integrated Framework. 

Although 11 years old, the COSO framework is still one of the most useful tools available for helping organisations to develop and implement appropriate and consistent internal control structures. One way in which the COSO model maps onto the corporate governance requirements for managing risks is shown in the table below.

COSO model elements Risk management processes
Control environment A risk management structure covering the entire organisation, with clearly defined roles and responsibilities.
Risk assessment  A risk assessment process which is both consistent across all risk areas and the organisation.
Control activities Policies, standards and procedures developed and implemented to ensure that all identified risks are managed within the organisation’s “risk appetite” .
Monitoring A process for the regular monitoring of risk management processes.
Information and communication A process for regular risk reporting to executives and to the Board, with facilities to enable the assimilation of feedback into the risk processes.

A process to communicate risk information to the organisation’s stakeholders both internal and external.

The primary requirement from this list is the establishment of a sound risk management structure with defined roles and responsibilities throughout the organisation.  This also has a parallel in the Basel new Capital Accord requirement for “an independent operational risk function for measurement, methodology and process”.  These two requirements infer that there is the need for an independent and consistent risk management function within organisations.

Many organisations already have a risk management structure in place within which most risks have in fact been managed fairly adequately for many years.  The most popular of these risk management structures is one that depends on a strong audit capability, as its independent risk management function, which reports control exceptions to the Board, normally through the audit committee.

However, this structure has an inherent weakness in that if it is the only method of assessing whether risks have been properly managed, it can sometimes result in a delay in identifying and rectifying the problems, and sometimes the level of protection afforded to information and information processing systems could depend on the amount of resources available to the audit function and whether there is an imminent threat of an audit.

Furthermore, the individual nature of the audit process does little to ensure a consistent approach to risk management across the organisation and may sometimes accentuate rather than reduce the differences in reporting of risks.

This structure has certainly worked with an element of success in many businesses and is still operating in many organisations today.  However, there are a significant number of forward thinking organisations that are moving to another type of risk management structure which establishes an independent risk co-ordination function within the organisation to collect risk input from the business risk units and pass information about those risks to the Board via a risk committee and a risk officer, who may even be a member of the Board. 

The business is still very much responsible for identifying and managing its own risks with the risk co-ordination function setting standards, ensuring consistency and collating risk management reporting to the Board and feedback from the Board to the business.

This newer structure has a better fit to the corporate governance requirements for risk management and in particular to the requirements of the Basel II New Capital Accord, because it allows for the independent collection and assimilation of risk information from across the organisation. It also facilitates consistency in establishing the organisation’s risk appetite, risk assessment and risk reporting.  Basel II provides a high level set of criteria for managing operational risk , which will probably become an internationally recognised benchmark.

In particular, Basel II will result in financial institutions developing systems to track internal and external losses and modelling them to analyse the impact of these losses on the business in order to determine their level of capital charge, and this can only be done within a function similar to the risk co-ordination function.

There is considerable consensus, within the various reports and guides relating to corporate governance, in identifying what risks should be managed within a corporate governance framework.   However, whilst some codes and guides are very high level and consider only strategic, credit and operational risks, many set out a consistent set of nine specific types of risks that they consider should be managed.

Information risks are certainly risks that need to be managed within a corporate governance framework, this is clear from a number of the corporate governance codes and guides, however there is no firm definition in any of the codes or guides of what constitutes information risk.  This lack of a firm definition of what is contained within information risk, in a corporate governance sense, could create problems for information risk managers unless they are able to agree a firm definition within their own organisations. 

This is not an ideal situation but is how things currently stand until more detailed guidance is produced. 

The Information Security Forum (ISF) project took a very wide view of information risks and information risk management, which encompassed all of the risks that affect or are generated by the use of information and its related information system(s) or communications services.  This definition may be of help to information risk managers in establishing their own local definition, because it is essential that they are able to articulate to their peers within other risk specialisms what it is they are trying to protect, and what from so that clear lines of demarcation may be established.

The ISF project went beyond identifying best practice in risk management structures and also determined the information risk management requirements for good corporate governance.  By mapping the COSO model onto the requirements for risk management it was a relatively simple job to extrapolate from them the generic information risk management requirements. These generic information risk management requirements are set out below:

• An information risk management structure that:
 has clearly defined roles and responsibilities
 is consistent within the organisation’s overall risk management structure
 has a good interface with other risk management areas
 is responsive to feedback and direction from the Board
• An information risk assessment process that:
 is consistent across the whole of the organisation
 has inherent integrity
 identifies the nature and extent of the information risks facing the organisation
 assesses the likelihood of the information risks materialising
 establishes the cost benefit analysis of implementing controls to manage information risks
• A process for determining and managing the acceptable level of information risk to the organisation, (the information risk appetite)
• A set of policies, standards and procedures to
 ensure that all information risks are managed within the organisation’s risk appetite
 reduce the potential business impact of incidents by use of control measures (to prevent, detect and recover)
 monitor the effectiveness of implemented controls regularly
• A process for the regular monitoring of the information risk management process for both effectiveness and integrity
• A process for reporting information risks to the Board with facilities to enable the assimilation of all feedback into the information risk management processes
• A process to communicate information risks to the organisation’s stakeholders both internal and external.

These information risk management requirements are of course still at a rather high level but they can be broken down considerably further with a little effort into lower level processes and procedures, which may then be tailored to meet the needs of an individual organisation, conversely, a checklist such as this could provide some very good pointers for senior executives and Board directors to audit against and so assure themselves that they have a good handle on all of their information risks.

Therefore, this set of requirements can be a double edged sword, both providing evidence of the need for significant resources to be devoted to information risk management and as a way for the Board to ensure that information risk management is properly exercising the business.

All of the codes and guides agree that managing the risks to an organisation is a Board responsibility; however this is not practical in a management sense, so it is generally acknowledged that this must be a hands-off process.  But, since the responsibility remains there needs to be a process by which the Board can control risks at arms length. 

For this reason, a key requirement of corporate governance as reflected in all of the codes and guides is ensuring that the Board is aware of the risks facing the organisation and how they are being managed. However, none of the codes and guides is specific about exactly what information the Board should see.This is particularly true for comparatively new risks like information risks.

Corporate governance will not go away, that much is clear, in fact it is going to increase in prominence as the low equity values of recent years begin to recover and stakeholders look to legislators to protect their increasing investment value. It is also clear that the integrity of individual processes is as important as the process itself and therefore these processes are open to ever more detailed scrutiny from the regulators, considerably more transparency to stakeholders and far more visibility to the executives and the Board. 

The new challenge to information risk management specialists is not just to implement good processes, but also to be able to prove that they are both consistent and repeatable under all foreseeable circumstances - this is a very tall order. 

Colin Dixon is a project manager with the Information Security Forum

The Information Security Forum project on Corporate Governance will be published and available to ISF Members in August 2003.

Read more on IT risk management