standpoint

Tools and tips for enterprise risk management

Mon, 14 May 2007 20:01:39 -0400

Enterprise risk management is one of those buzzwords that has carved out more corporate mind share in recent years. Executives have always been focused on managing risk, but the process has been "from a reactive exposure-by-exposure standpoint or a silo approach," according to some new guidance from the Institute of Management Accountants (IMA). But in today's climate, most enterprises would be better off with a "proactive, integrated, across-the organization perspective." A holistic view of risk makes a lot of sense, especially from a large branding perspective. In this view, Sarbanes-Oxley-related risk is one set of "risks that exists under a larger umbrella." The IMA has just published a new statement on IMA that includes a lot of tips and tools for implementing such a system. The good news is that they allow financial professionals to really grow, underscoring their value to the organization. A copy of the statement, called "Enterprise Risk Management: Tools and Techniques for Effective Implementation," is available on the IMA website.

For more:
- here's a release

Software-as-a-service and Sarbox: Good match?

Mon, 19 Mar 2007 20:01:39 -0400

You've probably heard a lot about the rise of software-as-a-service as a model that more companies, big and small, are embracing. Clearly, the notion of paying for software services, hosted elsewhere, on an as-you-go basis makes a lot of sense. Does it offer any advantages from a compliance standpoint? Treb Ryan, CEO of OpSource, noted at a recent conference the software-as-a-service model can be a big benefit in compliance if the service is already "compliant" from a Sarbanes-Oxley, or HIPAA or regulatory perspective. OpSource, which provides a platform for software companies to deliver services, notes that its service has completed a rigorous audit known as a type II SAS 70, which basically validates that the service is compliant. So the marketing point is that if software-as-a-service (SAS 70-audited anyway) for critical functions can still deliver the benefits and perhaps even save you a few compliance headaches. More software-as-a-service providers will likely start touting this.

For more:
- here's an article from Infoworld (scroll down for Ryan's comments)

Get a grip on data sharing with partners

Mon, 20 Nov 2006 19:01:38 -0500

An Ernst & Young survey suggests that about half of all companies are not taking the risks of data sharing with partners seriously enough. More than 50 percent of respondents to the Annual Global Information Security Survey say they only informally address vendor risks--or not at all. Less than 15 percent require vendors to review their information and privacy practices in light of best practices. This is a obviously not wise from a compliance, privacy or competitiveness standpoint. You may want to develop a more detailed picture of your company's policies in this area. You will likely be thanked. Release