1. Develop a comprehensive, corporate-wide understanding of how technology influences risk and compliance.
"It's important to first incorporate risk into the overall framework and lexicon of how you manage the organization," says Jeffrey Weber, managing director of Protiviti's technology risk practice. Adds Joe Atkinson, a partner at PricewaterhouseCoopers, "When it comes to compliance obligations, all well-managed companies want to comply, but the challenge is that you don't have unlimited resources to do so. That's where having an enterprise vision is very important. It helps the company start to rationalize the allocation of resources."
Most experts agree that in this early stage of scoping out the extent of a company's risk and the processes and systems needed to ensure compliance with laws and regulations, IT must be involved from the get-go. "Regardless of the model you apply, IT must be at the table," Atkinson says. "The only way to be effective at this is with the appropriate application of IT."
Robert Worrall, senior vice president and CIO at Sun Microsystems, recommends that the first thing any CIO should do is "get the organization aligned around compliance. Most IT people do not recognize the need for compliance, so training is needed," he says.
From an organizational standpoint, Worrall has found it helpful for the CIO, especially in a large corporation, to designate someone with both IT and compliance experience to focus on training. At Sun, he has assigned a senior director of compliance for IT, who is a former internal auditor of IT systems. "He understands how an auditor looks at things and he can respond in a language auditors understand," Worrall says.