Embedding risk management within IT to deliver business value while maintaining compliance

Assurance & Compliance, Risk Management

IT organisations have long been subject to a wide range of rules and regulations mandating control over information, technology and processes. These rules and regulations are often created as a counter-measure to some major scandal. Within IT, management is often faced with a “bull-whip effect”, where every small risk must be managed, controlled and minimised. This not only drives significant costs but also undermines IT’s ability to deliver on already stretched IT targets.

“Rules are a funny thing. We like some of them because they make us feel protected, aligned, and perhaps operating on a fair playing field. We dislike them because they can protect us to the point of being smothering, align us to the points of being constraining, and fair to the point of being unfair.”

Regardless of good intent, external rules tend to be interpreted overzealously and become over-engineered

The initial interpretations of section 404 of Sarbanes-Oxley Act of 2002 created an enormous focus on internal controls. Following the collapse of Enron and WorldCom, almost every process within companies listed on the US stock markets (i.e. under SEC authority) became objects of control.  Companies were over-flooded with auditors doing management testing and compliance audits, which lead to massive indirect and direct costs. Since then there has been an ongoing discussion on the costs versus benefits of this regulation. In the Forbes article ‘The Costs and Benefits of Sarbanes-Oxley’, the authors note that the cost of internal control’s relative earnings has decreased over the years since its inception. This means that internal control processes have become more efficient – and companies which approach risk management as continuous improvement and ongoing operational development can still generate cost advantages (and business benefits) without having to belabour it.

As internally focused projects compete for the same funds, excessive resources spent on control can lead to missed business opportunities. The key is to embed internal control in all development initiatives in the strategy and design phases instead of viewing it as discrete one-off events.


Insight and transparency enable decision-making, valuation and acceptance of risk levels

Failure to embed risk management and control often becomes apparent in IT sourcing initiatives. As in any business transaction, it is crucial to understand the scope of the service that is being bought and appreciate the risk dynamics. Without a proper business-oriented definition and understanding of the service in terms of functional and non-functional features (e.g. risk) the business relationship becomes asymmetrical and the quality of the service will be negatively impacted. Either the service becomes too expensive or is misaligned with client expectations.

Understanding risk and its dynamics is not something that is done through discrete one-off activities such as a single risk workshop during the course of a project – it is a decision process that requires data, diligence and analysis. The risk management process needs to be embedded in the transformation initiative.

In IT outsourcing, the client often seeks to shift the risk to the vendor through the use of open-ended clauses such as “the responsibility included, but is not limited to…” This approach is particularly common among new external regulations where the client demands tighter risk commitment and compliance from its vendors. The problem with this approach is the bull-whip effect it creates; the vendor, at the back of the value chain, needs to cover all the bases as the risk has entirely been transferred to them. This often leads to a situation where the quality of the service is undermined because it was poorly designed from a technical and functional perspective – overzealously controlled and laden with overhead.

To avoid this pitfall, the outsourcing organisation needs to include a proper analysis of the sourcing object (i.e. the service/group of services) in the service design phase including suitability, readiness, risk and potential – as well as determine the business’ risk tolerance. An integral part of IT outsourcing is understanding how IT organisations and IT executives make decisions, value risk and manage risk.  Balancing the alignment of the retained organisation, IT’s capabilities, the vendors’ capabilities, and the technical prerequisites of the services, is imperative. This then needs to be operationalised in the delivery processes.


Companies should approach implementation through an iterative approach and continuously improve

To summarise, two key points have been covered above:

  1. There is a clear risk of over-controlling processes within IT as IT is at the far end of implementation of new control frameworks
  2. Risk management is not discrete one-off events. IT needs to continuously revisit the risk analysis and embed it in all processes

This signals a new approach to IT risk management. Risk management – including implementation of internal controls – should be approached in an iterative manner. Moreover, companies should strive to embed it in the strategy, design, implementation and development processes. This approach will reduce costs, allow for better allocation of scarce IT resources and ultimately lay the foundation for more effective IT delivery processes.

About the author

Jens Ekberg is a Director and senior IT management consultant in 3gamma. He is specialised in IT strategy, IT architecture and IT transformation. Jens works across industries supporting clients in IT-enabled business change working in the intersection between business and technology. Jens holds dual degrees in engineering and business administration.

Related Articles

IT needs to move from passive procurement to active service integration

Sourcing, Strategy & Architecture

3gamma is witnessing a shift from cost focused outsourcing to value creation and capability acquisition. Companies are now looking for partners that can contribute with a piece of the innovation puzzle and has a unique competitive capability.

Understanding IT outsourcing risk: incorporating risk management in your IT sourcing strategy

Risk Management, Sourcing

Outsourcing decisions have long term consequences. Understanding how IT organisations and IT executives make decisions, value risk and manage risk is an integral part of IT outsourcing. The consequences of poor decision making with resulting lock-in effects can be detrimental to competitiveness, undermine organisational morale and incur significant costs. Managing risk during the IT sourcing life-cycle is at the heart of successful IT outsourcing.

Using governance, risk and compliance systems to deliver business benefits

Assurance & Compliance, Governance, Risk Management

Governance, risk and compliance systems are getting more and more attention on management and board level. Companies and organisations are struggling to manage governance, risk and compliance in…

Driving business value through IT innovation

Innovation is top of mind these days for most business executives and IT managers who feel pressured to stay competitive. 3gamma is deeply engaged in several initiatives related to the topic.

Delivering sustainable change: Ensuring you are doing the right projects in the right way

Change Management

The selection of articles in our latest Spotlight looks at the ever debated topic of how to achieve project success and avoid failure through different lenses: governance, the pros and cons of project methodologies, business case development, SOX compliance and stakeholder management. We also have interviews with the authors behind two of the articles – Seamus O’Sullivan and Andy Jones.