THE ALIGNMENT CHALLENGE: DEFINING AND MEETING GRC TECHNOLOGY NEEDS
Following are excerpts of a Roundtable Discussion held at the Boston OCEG IT Forum. This Roundtable focused on the alignment of IT assets, IT projects and IT priorities with the needs of governance, risk and compliance in a corporate setting. Moderator Lee Dittmar, Deloitte Consulting LLP Principal, was joined by David Farrell, Vice President and Chief Compliance Officer of Sun Microsystems, and Michael Duffy, CEO of Open Pages.

Lee Dittmar, Deloitte Consulting: If you’ve been working in IT at all, or working in any large organization that uses IT, you have some experience and perspective on this issue of how IT and Compliance or Risk functions communicate. In some organizations the person in charge of Compliance or Risk sounds like this: “I can never get IT to give me what I need.” And, if you’re in charge of IT, it might be, “If those people knew what to ask for, I could build it for them.”

To start our discussion today, we have asked Dave Farrell to speak not just for himself, but to engage in a little role playing, representing GRC professionals and their perspective in terms of trying to get their needs met from technology. And Michael Duffy, who has been involved in IT for 25 years and understands the Chief Information Officer (CIO) perspective, is representing the IT community. So let’s get this started.

Mike, I have a question for you. Speaking as the CIO, how comfortable are you that you understand what’s expected of you and your group in light of all this increased attention on improving corporate governance, engaging in enterprise risk management and meeting increasing compliance challenges?

Michael Duffy, Open Pages: Well, I know that my team would be comfortable delivering solutions, if somebody could explain to me what they need. One of the challenges is that I sit in meetings and all I hear is “we need dashboards.” Okay, well we’ve got business intelligence capabilities in the company. We’ve got tools. We can help you with that. But what do you need from us? We find it very challenging to understand exactly what the requirements are.

Lee Dittmar, Deloitte Consulting: So David is not doing a good job of really explaining what he needs of you? Is that what you’re trying to say?

Michael Duffy, Open Pages: Well, yes.

Lee Dittmar, Deloitte Consulting: Okay David. So what’s your perspective? I mean how well are IT projects, priorities and processes aligned with your needs as a Chief Compliance Officer?

David Farrell, Sun Microsystems: How much time do I have? You know, I come in asking for solutions, for applications, the ability to roll out training, communications, security and things like that, and I really just get back a lot of technical jargon and I’m expected to be able to analyze and interpret and figure out what to do with it.

Michael Duffy, Open Pages: Now wait a minute. Last year we did help you with the training application you looked for, but what is completely puzzling to my team is when you ask us for risk management dashboards, but nobody can explain to us where we’re supposed to get the information.

David Farrell, Sun Microsystems: Well, you know, if we had more time to sit down and talk with your group and that sort of thing and they weren’t so busy with all the other priorities and everything that they have to do....and every time we sit down with them they’re complaining about budgets and what the business units are making them do. It probably would be a little bit easier to communicate what our needs are if we just had a little bit more time and focus on those things.

Michael Duffy, Open Pages: So are you saying that you have the budget?

David Farrell, Sun Microsystems: No, we thought you had the budget. Maybe that’s the problem.

Michael Duffy, Open Pages: Yeah. Well if we could only understand exactly what you need, maybe we could get the budget.

Lee Dittmar, Deloitte Consulting: This is not an uncommon dialogue. But there is a really serious issue here that from my experience is pervasive. It’s not just pervasive around GRC. That shouldn’t be surprising, because IT is the youngest function in the modern corporation—30 or 40 years old, depending on how you want to define it. And we’re still in a mode of operation where many, many leaders of the other functions and in the general business community don’t think about IT as being strategic even when it affects enterprise assets like good governance, good financial reporting and compliance. What are some of the most common barriers to aligning governance, risk and compliance needs with IT priorities?

David Farrell, Sun Microsystems: Sure and by the way, obviously a little bit of role playing here. I have a member of my IT organization here in the room and we have never had a conversation like that last one. But, obviously we wanted to raise awareness on the types of challenges that we do have and the disconnects, and really I think it does boil down to some of the things we were alluding to here.

I’d say first and foremost—the biggest hurdle is that we’re all stretched for resources. Fortunately the IT people that I work with “get it.” But where the problem comes in, I think, is our not being in one group. We’re different functions; and compliance is just one more customer for IT coming in the door looking for a piece of the very limited amount of the whole IT budget. We want to get our items prioritized the way we think they need to be prioritized, and IT has to fit them in with all of the other requirements of businesses that are coming in the door right after us and asking for their own projects.

So I would say that’s probably the major hurdle. Not so much understanding the importance of compliance or what it is, but really trying to make it so that when you come in that door, you’re working as an integrated team. You’re planning and strategizing. You’re integrated with the business and the business requirements that the IT folks are looking at and not as “one off” projects. So you’re not fighting fire drills. You’re not reinventing the wheel with each new project.

Michael Duffy, Open Pages: Clearly there is a need for education and communication—cross functionally between folks that are the leading thinkers in risk management companies and the IT organizations. In many of the leading companies we do business with, we’re beginning to see now in the IT functions real understanding and awareness of what the whole notion of process, risk and control is all about. And they are beginning to think about how to apply these same kinds of best practices around better managing risk management and IT.

But this is a very early trend. I would say in the last two to three quarters, we’ve probably had discussions with about 15 companies that are kind of thinking this far out. Generally, in the marketplace, most companies today are struggling to make the SOX projects effective and beginning to drive the cost out of SOX issues. As we move forward to get IT and the risk management and compliance folks working better together, it’s all about education, communication and working together on projects to try to provide more effective information to management.

Lee Dittmar, Deloitte Consulting: Those are really good observations. You know one of the things that I have observed in the last several years—there’s a whole business of selling IT solutions to folks not in IT. It’s a rather interesting dynamic. One of the common questions is, “So do I have to work with IT or can I leave it on my own machine?” Now, does that sound like a good question? I think it’s a symptom of the alignment problem. David, I know, even though you have great support, you had to go out on your own and get some tools, some technology to do your job. It’s not uncommon for compliance and financial professionals, controllers, internal audit and others, to find technology that helps them do what they want to do, but not necessarily as part of the IT initiative.

David Farrell, Sun Microsystems: That’s absolutely true, particularly for a large enterprise. IT wants it standardized and they need to pick a vendor or a select number of vendors for particular applications. But there are few, if any, out there. There’s no one-stop shopping. So a lot of times we do have to go out and find our own solution and then try to append that on to our IT systems. From my perspective, it would be so much better if this was just part of an integrated package which, if it doesn’t come with a solution built in, at least anticipates those types of solutions would become integrated with the system down the road.

Lee Dittmar, Deloitte Consulting: Mike, what’s the impact of the complexity in the IT architecture from this adding-on? And also from mergers, where systems weren’t rationalized, what’s the impact on IT in terms of your ability to meet all the needs? Does it make it easier? Does it make it harder?

Michael Duffy, Open Pages: So I’m not role playing anymore, am I?

Lee Dittmar, Deloitte Consulting: No.

Michael Duffy, Open Pages: Okay, good. First, the reason user communities do go out and buy solutions and lead those efforts ahead of IT is because generally, they are trying to solve a problem that’s a new problem that typically hasn’t become mainstream yet. There’s no question that the IT environment every year gets more complex. Last night over dinner we were talking about the challenges around privacy and the fact that it’s impossible to delete anything anymore because of the backing up of data everywhere. So the IT environment that companies are managing continues to get more complex and it’s not aided by user communities buying their own solutions to solve early problems. What we expect will happen over time is that companies are going to step back over the next five to ten years, led by IT this time, and reassess their needs for common platforms that can solve lots of problems and simplify the different initiatives that have been deployed by well-intentioned managers.

Lee Dittmar, Deloitte Consulting: This complexity was identified as the number one barrier to meeting information needs in our research report, IQ Matters. The CFOs and the CIOs we interviewed said that the complexity in their business processes and in their IT systems was the number one barrier to their ability to turn data into information. I think that’s a big deal because it recognizes that if you do things many different ways and if you don’t call things by the same name, it gets in the way of improving governance, which is about information. Compliance management depends on getting the right information at the right time. Good risk management also depends on getting the right information at the right time. And yet the current IT architectures, which do a good job enabling transactions, do not meet the information needs.

Lee Dittmar, Deloitte Consulting: Do you see the need for changes in IT governance in organizations or even in the overall IT strategy?

David Farrell, Sun Microsystems: The answer is yes. There absolutely have to be changes, but there always will be. We’ve just gone through this sea change with Sarbanes and all the post-Sarbanes regulations. I think there will be an ebb and flow to that over the years, but there are always going to be new challenges and new regulations. Look at privacy. Where was that, say five years ago as compared to today, and where will it be five years from now? I wouldn’t say that the IT strategy or environment needs to change so much as it needs to be flexible and very adaptable to changes as they happen.

Michael Duffy, Open Pages: Boards are clearly taking a much more substantive look at risk across the corporation today. And one of the areas that boards never really focused on until the last five years was the whole concept of risk and IT. We believe that happened because of the sheer magnitude of the impact on an organization when there is a catastrophic IT event. And the impact on the organization’s reputation and brand is going to drive more and more board attention on this issue and in turn drive more attention and focus on the CIO to mediate and plan for the future. Some of the examples—just this year The Boston Globe mistakenly sent out slips with credit card data to 9,000 recipients exposing card information for up to 240,000 subscribers. Of course that hit home because my wife and I subscribe to The Boston Globe. But many of you may remember the Bank of America event where they lost data on 1.2 million U.S. citizens including several members of the U.S. Senate. Every time one of these events happens, it shines more and more of a bright light on the impact to the corporation. And it’s very clear that in most companies today, you can’t run your business anymore without IT and many of the risks in the business are tightly coupled with IT.

David Farrell, Sun Microsystems: Just to support what Mike just said, integrity of your security areas is so critical. I think that’s one of the absolute key challenges. It’s funny that all the technology is great and it really enables us to do a lot more; to do things a lot quicker and that sort of thing. But as we all know, it also gives the individual bad actor or just somebody that’s being negligent, a lot more opportunity to really wreak havoc and create much bigger problems than was ever possible before. It’s critical to be able to harness the technology to get the right things done, but also to build in the security features that enable us to restrict or control access, to do auditing, to understand when somebody has gone in and perhaps manipulated the system or is trying to manipulate the system and to get all of that in real time.

Michael Duffy, Open Pages: Yes, and the whole theme of enabling the CIO to manage policy, right? I mean to really plan for these kinds of events. What can go wrong in our systems? And then have the technology there that enables them to have visibility to events. First of all to ensure that the policies and controls are in place so that if events might happen, you’re in control.

Lee Dittmar, Deloitte Consulting: So it sounds like we’re talking about two related, but different aspects of IT and GRC. On the one hand, it’s how do we manage IT differently? You know, the IT organization, the IT processes and so forth in light of all this GRC, right? And then second, how can we use information technology to make GRC more efficient and more effective. So which is the priority? Are you seeing activity in both of these areas? Is there more emphasis on one over the other? What’s your perspective on that?

Michael Duffy, Open Pages: We are just beginning to see IT organizations look at using technologies to help manage policies within IT. It’s a new trend. We’re expecting that by the end of the year we should have about a dozen customers doing that, which isn’t that many. But we’re used to being at the front of this stuff. In terms of IT looking at using technologies to help the rest of the business manage risk and compliance, I would say that we’re also very early on that. The level of real understanding about how to use business governance platforms and business intelligence and monitoring technologies is still very much in its infancy. One of the major reasons we wanted to play a significant role in OCEG, and why we care passionately about the mission, is to help educate the masses. We can help by being part of this organization that is driving awareness about how businesses can run more effectively.

Lee Dittmar, Deloitte Consulting: David, what’s your perspective on how to run IT better or how to use IT technologies to help with specific GRC challenges?

David Farrell, Sun Microsystems: What is evolving is the integration of governance and appreciation for the fact that governance, compliance and risk management is part of the business. From the IT perspective it’s not all about just generating the numbers and ensuring the accuracy, the roll-up of your numbers and that sort of thing. It’s also being able to get in there and retrieve your data. Mike talked a bit about how it’s impossible to delete anything nowadays and I think that’s certainly true, but just try to find it when you need it. That’s a huge challenge.

Try generating reports about things as simple as who signed off on our standard business contract or requirements or who’s taken various on-line training that we require of our employees regarding avoidance of conflicts of interest, or Foreign Corrupt Practices Act compliance, or export compliance and so forth. Really, up until now, as we discussed a moment ago, that’s all been something that we’ve almost done kind of on the side. But now, what IT is looking at is a larger picture and more of an integrated system. Hey, you know what? This really isn’t that different than what we are required to do for the other parts of our business. And oh, by the way, the other parts of our business can benefit from the risk analysis tools and risk management tools.

Lee Dittmar, Deloitte Consulting: Mike, you made a comment that we’re very early on the journey. So let me ask you both to reflect on how you see this journey unfolding.

David Farrell, Sun Microsystems: Over the next two to three years there will be examples—and lots of them—of companies that have stepped back and have reassessed their need to be able to be more efficient in managing GRC and providing their boards more effective support with the right kind of information. And once a critical mass is achieved—let’s say 50 to 100 major companies have accomplished this in a substantive way—the rest of the market will follow. An early majority will come fast because it will be proven in the marketplace and companies will want to take advantage of those technologies and those best practices because doing it the way they are doing it now is too hard. And it doesn’t give them what they need to run their business.

Michael Duffy, Open Pages: I would agree. I was talking with somebody during lunch who was referring to a study, I believe it’s just published this week in The Wall Street Journal, regarding costs versus benefit of Sarbanes-Oxley compliance. Obviously that’s been a bit of a controversy. A lot of folks are outspoken over the question whether all of this extra effort, extra work, extra expense, extra resource that we put into this really makes businesses better.

The conclusion of this independent study was absolutely—it has actually had a very positive impact on the stock price and the share prices of the companies that have gotten it right—a demonstrative, measurable effect. As more companies start seeing that this can be a competitive edge for a company, they will focus more and invest resources.

That said, taking that as kind of a baseline, I am really encouraged when you talk about looking out over the next few years. I’m encouraged when coming to a group like this and talking with folks in the room…seeing what’s on the table already… talking to people about their plans and future strategies. Just the amount of focus and the dialogue that is taking place is encouraging. I would never sit up here and say, “Well just because you’re having a dialogue, that’s progress.” But there are some real products, real technologies on the table here, and they are only going to get better and better as businesses start demanding that. Not just because they understand they have to comply, but because they do understand that it’s just good business to do that.

Lee Dittmar, Deloitte Consulting: One of the things we in the OCEG IT Council have talked about is the need for some different ways to evaluate IT projects, especially when you’re thinking about GRC. What’s the most typical approach to developing a business case to justify a new IT project? “How will it impact my costs?” Isn’t that the most common? If I do this project, will my IT costs go down? That’s fairly prevalent. But what we’re talking about here, especially with GRC, is looking at IT projects, looking at IT investments through a broader lens.

There seems to be a real need for a better approach to the justification; a better approach to the business case. If all you do is look at whether or not it will drive down IT costs, you are going to miss something here. So, it really is wonderful to see that article in the Journal about a statistical study that says identifying and fixing your control problems has a positive impact on your stock price. And think about this—that’s before there has been any leveraging of technology to speak of with regard to the underlying controls. Maybe there is hope. New ways to think about it. Proving that it links to ROI. Proving that it links to business performance.

Lee Dittmar, Deloitte Consulting: I have another question for you: Whose job is it to drive the better alignment? Is it the GRC professional or is it IT? Who’s responsible for making this happen?

David Farrell, Sun Microsystems: I guess a typical, orderly answer is that it’s both. We’ve got to meet in the middle and it’s probably not really satisfactory. I suspect Mike may have a different answer than I do on this. I feel it’s my job. If I don’t get these issues front and center for our IT folks, they are not necessarily going to be focused on them or thinking about them. What I would expect though, now that we’re getting them front and center, is that again it becomes just part of the checklist. As a matter of fact, it doesn’t even need to be on a checklist. It’s something that they automatically think of as defining their IT strategies going forward.

Michael Duffy, Open Pages: So I’ll surprise you, Dave. I’m actually going to agree with you. I think it’s everyone’s job, but we do believe that the people who are leading the risk management initiatives in companies do need to spend more time with IT, helping the IT folks understand, in a deeper way, how they can contribute. But it is everyone’s job and we’re beginning to see the trends.

QUESTIONS FROM ATTENDEES

Questioner: Yes, thank you. I’m a customer, a practitioner, if you will. What I’ve observed is that sort of historically compliance belonged to a department and they did the compliance stuff for the company. IT did IT stuff and were basically handed requests from the business areas. And then the business areas would help prioritize the IT resource activities. As compliance requirements began to expand over the last five, six years, different regulatory requirements or legal requirements began to be assigned to different areas in the business. And so that’s why a lot of other areas began to seek out solutions, not part of the traditional regulatory compliance area. As one requirement would come up, you would get a solution for that. Then when the next thing comes up, you get a solution for that.

At some point, either on the business side or on the IT side, someone would have a broader awareness of the overall company’s activities. It is either the business side saying “Hey, you know what, I think we need a strategy for all this compliance stuff and we need to think about an integrated IT platform to support these things.” Or you have the IT department that says “We’ve got tons of requirements on our schedule here. There seems to be a lot of similarity between some of them. Maybe we need to go back to the business people and say, “Hey, do you guys realize we have ten systems to track regulatory requirements? Should we kind of regroup around this and look at where we’re headed?” I think that whether it’s the business side that recognizes that or the IT side that has the insight into a broader array of IT activities, somebody needs to get with somebody on either side and say, “Hey, can we work together on this?”

Michael Duffy, Open Pages: Yes. I think—and I work for an IT company and we’re obviously trying to sell our IT—but at the end of the day, it’s not specifically an IT solution. It’s processes and people solutions. The IT is a tool and obviously it has to be aligned, not just in the way that we’ve been talking about here. I mean it has to be integrated with what you’re trying to accomplish. You have to look at the overall processes and the functions and what they are doing and see where the overlap is. I don’t think there is any IT system that’s going to solve all of that. I think you’re right that the role of the IT people, or one role is, that they can see how many different systems are doing the same or similar things and kind of raise that up to the attention of management and get that taken care of. But at the end of the day, you do have to get those business processes and functions aligned in order to get the full benefit out of all the technology that we’re talking about.

David Farrell, Sun Microsystems: I agree completely. That’s the way that this is going to play out. And if you recall, in the 1980s, companies were buying different financial systems from different vendors. It was not unusual at all to have a hodgepodge of different vendor solutions for accounts payable, general ledger, fixed assets, AR, right? MRP systems came out and companies were buying those. Before you knew it we had all this redundancy of different vendors. In most cases, IT led the projects to step back and really reassess and re-engineer the corporation for standardizing one solution set that could better run the company. To your point, we believe that’s how this is going to play out eventually. It’s hard to know exactly when.

Lee Dittmar, Deloitte Consulting: We have time for one more question.

Questioner: What do you think is the most important thing, one single thing that I must do to create alignment?

Michael Duffy, Open Pages: Communicate.

David Farrell, Sun Microsystems: That’s absolutely what I was going to say, so that would be it.

Lee Dittmar, Deloitte Consulting: You asked for one and it’s one word, the same word too.

Questioner: I was hoping for more.

Lee Dittmar, Deloitte Consulting: So let me help you and bring this to a close. Let me ask David and Mike for their pearls of wisdom. Maybe tips or tricks if you will for the IT professionals in the audience and for the GRC practitioners as we’ve come to use the term, in terms of moving this forward. Communicate is a good start.

Michael Duffy, Open Pages: I keep using the word integrate. Just work as a team and understand that it’s part of the business, not something that is separate. It’s not just some burden that’s imposed externally. There are strong business drivers for focusing on this area, for investing in the area as well as obviously all the mandatory requirements that you have to follow. So I would say it is integrate. Treat compliance as part of the business. Work together as a team, which probably is just another way of saying communicate.

David Farrell, Sun Microsystems: I would say, in addition to that, meet with your chief risk officer and/or his or her team, and your CFO and understand from them what the key areas of risk in the business are. Have the open dialogue with those folks to learn their vision of how this could play out and what they are looking for. I think that from those dialogues you will be able to develop a clearer strategy about what to do in the next year to three years. That will put you on the right track toward having the best information to better empower your CFO and your CRO to work with the board to better run your business.

Lee Dittmar, Deloitte Consulting: So before we thank David and Mike, I would like to share one closing thought and that’s this—there is a myth that if you get the tone at the top right, the rest will take care of itself. So here—let’s bust that myth. If your technology assets are out of alignment with what you’re trying to do, even with the greatest tone at the top, it won’t be enough. There are too many business processes that are inextricably linked to your technology. And this old answer, which I’ve heard so many times, “Let’s not worry about the technology, let’s just get the organization and the processes right.” It doesn’t work that way anymore. You also have to look at those situations where your technology assets may actually be a barrier to what you’re trying to do, when they are capable of being an enabler. David and Michael, thank you so much for a great session.

RESOURCE DETAILS
Last Updated: 4/11/2007