The Value of IT Risk Advisors

By Jorge Ma. S. Sanagustin

How well do you sleep at night thinking that your Information Technology (IT) systems are safe from untoward incidents? How confident are you that an IT failure will not lead to the debut of your pink slip? How satisfied are you that the IT risk advisor or consultant you hired provided the value you truly need?

As IT evolved from a simple productivity tool into a mission-critical pillar, so did the risks associated with it. This gave birth to the IT risk profession. But the cost and headaches of maintaining people with such skills and qualifications on the permanent payroll, only to lose them to higher-paying jobs both here and abroad, have risen to the point that such hires are sometimes viewed as risky investments. To mitigate that risk, organizations needed to transfer it. Enter the IT risk advisor.

IT risk advisors range from independent consultants to boutiques and large professional firms. Their services include sourcing risk, IT audit, IT attestation (SAS 70), business systems control, security, privacy and continuity (ISO 27001), IT project management, regulatory and compliance work, IT internal audit, and IT governance (COBIT, ITIL), to name a few.

The rise in IT project activity has sparked increased involvement of IT risk advisors. A global IT project management survey conducted by KPMG indicated that the demand for increased IT project activity is driven by compliance, "stay-in-business" and "grow-the-business" considerations. Compliance drivers such as the Sarbanes-Oxley Act of 2002, International Financial Reporting Standards (IFRS), Basel II and a host of multinational, industry-specific or local governance and regulatory requirements contributed to increased IT project activity in 24 percent of the organizations surveyed. The major drivers (74 percent) of IT project activity were new products and services, or general business process improvements. Technology refreshes accounted for increased activity in 48 percent of organizations.

Failure is something we want to, need to, have to, should, and try our best to avoid. But how do you avoid anything if you do not know what it is and what contributes to it? When asked for their definition of failure, many organizations that participated in the KPMG survey suggested it centered on timeframe and cost blowouts. Some organizations do not even have a definition of failure. The three main reasons for failure identified by organizations were unclear or changing scope and requirements, poor project management processes, and lack of executive sponsorship and management buy-in. Success appears to equate to achieving a "compromised" but acceptable level of failure or lost benefits.

Failure still happens, and when it does, it should be used as a key to success. As Michael Jordan put it: "And I have failed over and over and over again in my life. And that is why... I succeed." It is this price of failure, and the lessons derived from it that lead to success, that the IT risk advisor brings into the organization. Why repeat the mistakes of others when you can learn from them and avoid them?

The KPMG survey came up with "golden rules" that summarize what organizations can do to extract more value from their IT project investments and enable them to meet their commitments most of the time. A very important golden rule is to invest in people and process: recognize project disciplines, acknowledging the link between strategy and project execution, and develop capability, capacity and risk models to suit your organizational maturity and culture.

The Free Dictionary by Farlex interprets a famous quote from the businessman, politician and publisher James Goldsmith as meaning that "only inadequate people will work for you if you do not pay much". Quality does not come cheap, and neither do good IT risk advisors. Skills, qualifications, experience, and even the tools used (e.g. programs and licenses, hardware, methodology, proprietary products) have their corresponding price to acquire, maintain and enhance. Since IT systems are generally high-value assets, especially for medium to large organizations that invest in the likes of Oracle and SAP, such organizations should invest all the more in acquiring the services of an IT risk advisor truly qualified to do the job. Would you entrust your sports car or BMW to an unknown, untested and inexperienced mechanic?

The value

It all boils down to achieving value for money. By equation, value = (benefits minus costs) adjusted for risks. It is very important that the adjustment for risks is included in the equation. Having identified the expected benefits, some organizations would minimize the costs without considering the risks involved. This is where a good IT risk advisor comes in. Value goes up by increasing the benefits and minimizing the risks. A good IT risk advisor can lower total cost of ownership by identifying better options and recommending practical, fundamental solutions. Overlapping or redundant projects can be identified. Unnecessary spending is minimized, if not avoided.

But the true value of a good IT risk advisor is in helping you meet your commitment to the company and to its shareholders. It is the peace of mind. It is the confidence that your IT is generally safe from untoward incidents and that you are meeting your KPIs, which translates to good performance reviews, leading to career advancement, a bigger paycheck, and a good pat on the back from your boss.

(Jorge Ma. S. Sanagustin is vice chairman for Audit and Risk Advisory Services of Manabat & Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com.ph or jsanagustin@kpmg.com.)