5 Smart Practices for IT Risk, Governance and Compliance | CIO Insight

Aug 24, 2007

Even if the Sarbanes-Oxley Act of 2002 had never come along, the panoply of compliance, risk and governance issues facing American corporations in the 21st century already was expanding quite nicely, thank you. The impact of “Sarbox” mostly was to shift things into overdrive.

“What Sarbanes-Oxley did was really a copy of what the Securities and Exchange Commission was requiring the exchanges to comply with already,” says Bernie Donnelly, vice president of quality assurance at the Philadelphia Stock Exchange.

Indeed, banks and securities firms had been dealing with similar regulations for years, so Sarbox was no big deal for them. But for the rest of corporate America, getting financial systems and processes in order was a massive undertaking.

“Most companies initially did their Sarbanes-Oxley compliance efforts with a lot of human beings, and now they are trying to automate these activities as much as they can,” says John Hagerty, vice president of research for governance, risk and compliance at AMR Research. And while most large organizations have their Sarbox houses more or less in order now, concerns over governance, risk and compliance, especially as they relate to the role information technology plays, aren’t likely to become any less critical any time soon.

CIO Insight talked with CIOs and other executives as well as several compliance experts to identify the technology smart practices companies should follow to improve their governance and risk management.

1. Develop an understanding of how technology influences risk and compliance.
2. Use technology to enforce and monitor compliance rules and processes.
3. Define requirements versus best practices.
4. Work in tandem with finance and compliance groups.
5. Leverage industry standards such as COBIT.
