The Supreme Court Ruling Will Have Little Impact On SOX . . . Sorry

Despite some speculation that today's Supreme Court ruling might overturn large portions of the Sarbanes-Oxley Act (if not all of it), the final opinion will likely have no significant impact on financial controls, auditing, or reporting requirements.

The Court found that the method by which Public Company Accounting Oversight Board (PCAOB) members are appointed does not grant the Executive branch sufficient oversight because of the restrictions on when members can be removed from their position. According to Chief Justice Roberts' opinion, "The consequence is that the Board may continue as before, but its members may be removed at will by the (Securities and Exchange) Commission." And for those arguing that SOX doesn't have a severability clause that maintains the act's legality even when a portion of it is overruled, Roberts clarifies that "the unconstitutional tenure provisions are severable from the remainder of the statute."

Read more

Risk Professionals' Window Of Opportunity

In my ongoing work with risk management professionals, I've been encouraged to see how quickly the role is growing in influence and responsibility in today's business environment (even though the drivers for that elevation are often disastrous). Along those lines, I read a great article this morning in StrategicRISK, discussing the window of opportunity for risk experts, aptly entitled Keep Your Eyes on the Prize.

The article quotes the Institute of Risk Management's deputy chairman, Alex Hindson, who says that top executives and boards of directors are looking for risk management guidance, and if risk experts in their organizations can't step up to fill that role in their "window of opportunity," it will be filled instead by auditors, finance professionals, or external consultants.

In my recent engagements with Forrester's clients in risk management, I've certainly seen a lot of interest and participation from other functions in the business - most notably audit and IT. And just last week, my colleague Craig Symons published a report explaining key issues in risk management for the CIO.

Read more

Enterprise Risk Management For IT Security

A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.

The key to success is understanding the core elements of risk management and how to plug them into existing processes without creating simply another layer of overhead. A major theme of my recent research has been on existing risk management standards and how they are being applied to IT Security and Risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk , provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.

In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.

Crisis Communication, Business Continuity, And Risk Management

I recently recorded a podcast with Stephanie Balaouras, discussing the potential for increased collaboration between crisis communication, business continuity, and risk management functions. The strategies that businesses implement to manage disasters can mean the difference between bankruptcy and resilience... and we unfortunately see reminders of this on an almost weekly basis.

As each disaster hits the news (BP’s oil spill in the Gulf Coast, the recent volcanic eruption over Iceland, the financial crisis, the H1N1 virus, the extreme weather that crippled Washington, DC this past winter, etc.), the overwhelmingly negative impacts that occur start to hit home. Fortunately, we are starting to see our clients turning more to their crisis communication, business continuity, and risk management teams to ensure that they are prepared for the worst.

There are many potential points of collaboration between these teams. . . from modeling critical business processes and assessing the business impact of incidents to executing effective remediation plans and conducting post-incident loss analysis. Recently, I’ve also seen companies that talk about starting from scratch with a risk management function, although they have already done a substantial amount of relevant work for their business continuity function.

Of course, while there are some good trends that point to increased cooperation, there are still many areas for further improvement for every company. In fact, our data shows it to be the rare case in which both internal and external crisis communication functions are handled well in the same plan, with one usually being much stronger and more of a focal point.

Read more