The Sarb-Ox shift

By Thomas Hoffman

When Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael Oxley (R-Ohio) crafted legislation in 2002 aimed at strengthening corporate governance and restoring investor confidence, little could they have known that the new law would help trigger a recasting of the CIO's role and the responsibilities of corporate IT departments across the U.S.

And it isn't just the Sarbanes-Oxley Act of 2002 that's contributing to the shift in the CIO's role. There are roughly 150 corporate governance regulations that companies have to adhere to worldwide, according to George Westerman, a research scientist in the Center for Information Systems Research at the MIT Sloan School of Management.

As a result, CIOs and IT departments have become integral to corporate compliance efforts, and their visibility within the organization has risen to new heights. Still, their increased stature may diminish once IT-related compliance requirements are under control.

Dimming spotlight

Many believe that the evolving regulatory landscape has helped raise CIOs' visibility within their organizations. Sarbanes-Oxley compliance alone "is making people understand what is under the covers and how complex IT really is," says Dennis Fishback, senior vice president and CIO at Calpine Corp., a San Jose-based energy company. For example, Calpine's accounting group conducted 450 tests for its Sarbanes-Oxley Section 404 readiness efforts. In comparison, the company's IT department had to conduct thousands of tests to ensure its readiness, says Fishback.

"IT systems are so large and companies have become so much more dependent on their IT infrastructures that the potential for failure has gone up," says Rob Austin, a fellow at Cutter Consortium in Arlington, Mass., and a professor at Harvard Business School.

And while the changing regulatory environment has made the CIO more visible, it hasn't necessarily made the role more important. That's because the primary requirements imposed by recent regulations such as Sarbanes-Oxley and the USA Patriot Act place the onus on CEOs, chief financial officers and business unit leaders, with CIOs playing a supporting role in compliance efforts.

When something goes wrong with IT, such as inventory problems that arise from a botched ERP project, "it's not the CIO who ends up on the hot seat but the CEO or CFO," says Austin.

"The accountability resides in those individuals who are directly responsible for the business," explains Bruce Fadem, CIO at Wyeth, a pharmaceutical company based in Madison, N.J. Fadem is in the process of establishing a single set of system policies and standards that can be used to help Wyeth meet regulatory requirements set under Sarbanes-Oxley as well as those imposed by the U.S. Food and Drug Administration.

Others agree that the CIO's regulatory role is more supporting than leading. CIOs "are there to explain to senior management whatever they need to explain, but it's housekeeping," says Paul A. Strassmann, an author and researcher in New Canaan, Conn. And while those duties are essential, says Strassmann, CIOs "are not chiefs in the same sense that a CFO is."

Closer to the CFO

But many see the CIO's relationship with the CFO growing closer. "IT is going to become much more intertwined with the finance function for a while," says John Parkinson, senior vice president and chief technology officer for the Americas at Capgemini in Rosemont, Ill. "CFOs and operational executives are going to want a lot more evidence that IT is doing what they think it's doing."

The regulatory environment will also force CIOs "to have more knowledge of business controls and accountability," says Howard Rubin, executive vice president at Meta Group Inc. in Stamford, Conn. For the next two to three years, CIOs will be required to "worry about things" like data integrity, security and the interplay between controls and systems, says Rubin. The result will be a closer partnership with the CFO. But once those compliance requirements are under control, "IT will fall into the backdrop of business processing," he says.

Impact in doubt

Although some experts believe that the increasingly complex regulatory environment will raise the profile of CIOs, if only temporarily, some IT chiefs foresee a negative impact on their careers as businesses become much more risk-averse. "The biggest change for me and for other CIOs is that (increased regulation) has taken risk management decision-making entirely out of our hands, and that puts us in a hell of a bind," says Calpine's Fishback. "The auditors are telling us that any policy, process or procedure that is not based on trying to achieve zero or near-zero risk tolerance is a deficiency, and aggregation of enough of these deficiencies could result in a finding of one or more material weaknesses."

Under Sarbanes-Oxley, companies are required to identify and resolve any material weaknesses discovered in their IT or financial controls.

"It makes it that much harder to continue to drive your costs down and productivity up when you have to address things from a no-risk perspective," Fishback adds.

It's unclear whether regulations will heighten or diminish the CIO role, says Thomas W. Malone, a professor of management at the Sloan School. He contends that the IT function is becoming ever more important to the success of modern business. But as organizations are forced to address IT-related issues to comply with regulations, responsibility for IT may no longer be left to the CIO. Instead, the head of marketing or the director of manufacturing, for example, might share responsibility for their divisions' use of technology, he says.

Alternatively, CIOs may see their current responsibilities increase beyond IT management to accountability for the architecture of the entire organization. "CIOs have a privileged view of how the organization should be structured, like a chief organizational architect," says Malone.

Clearly, experts are divided regarding whether the new regulatory landscape will be a net positive for CIOs. "It's going to depend a lot on how the executive management teams respond to these pressures," says Parkinson. If the organization fails to respond to IT-specific regulatory requirements effectively and "they cast IT and the CIO as a villain, then CIOs will be subject to a lot of scrutiny and control," he says.

But if CEOs recognize that they and other C-level executives have to get their arms around the technology opportunities that regulatory compliance efforts provide them, says Parkinson, "then the office will gain in prominence and influence."

Side bar

Transparency trumps

Data accessibility is a key component of Section 409 of the Sarbanes-Oxley Act, which calls for "real-time disclosures" on material changes to an organization's financial condition. "We fundamentally believe this is a huge systems problem," says John Parkinson, senior vice president and chief technology officer for the Americas at Capgemini. "Everyone is going to have to get much more transactional and get away from this idea that I can store stuff up all week and process it Sunday night."

New regulations are also requiring that organizations provide auditable, transparent systems controls, and that requirement is affecting how systems architectures are being approached and revised. "Clearly, when you looked at (systems) requirements in the past, they were around performance, function and scalability," says Martin Colburn, CIO at the National Association of Securities Dealers Inc. in Washington.

But now more is required. For example, because of the need for auditability, last summer NASD developed a Web-based enterprise security system that gives the regulator for the Nasdaq Stock Market the ability to see into its systems to ensure proper authorizations and authentications as well as to determine who is connecting to which systems, says Colburn.

"There are greater demands on data accessibility within an enterprise," says Rick Berk, CIO at Brown Brothers Harriman & Co., a New York-based investment bank. "In essence, to simplify the data mining process we will increase the amount of data we store and create additional interfaces to facilitate access," he says.

Demands for greater data accessibility are providing an upside for CIOs who have been advocating architectural standards and better systems controls, says George Westerman, research scientist at the Center for Information Systems Research at the MIT Sloan School of Management. "Compliance is helping CIOs to sell a lot of projects that they've wanted to do," he says.

-- Thomas Hoffman

Side bar

A Sarb-Ox for IT?

Privacy laws such as the USA Patriot Act and elements of the Sarbanes-Oxley Act of 2002 contain IT-specific requirements that organizations affected by these regulations have to meet.

But are we also likely to see national legislation aimed at alerting investors to IT-related risks at publicly held companies? CIOs and industry experts say they have mixed feelings about that.

There are already some examples of this in industry-specific regulations, says George Westerman, a research scientist in the Center for Information Systems Research at the MIT Sloan School of Management. For example, the Uniform Rating System for Information Technology, or URSIT, which is overseen by the Federal Financial Institutions Examination Council, requires an IT audit of banks and affiliated data processors.

As for something less industry-specific, he says, "I would think that any forthcoming regulations involving IT would be around risk, data accuracy and avoiding future surprises," such as huge processing snafus or failures of inventory management or other critical systems.

Not everyone agrees. "It's more likely that we'll get security-related regulations than we would investor-related protections," says John Parkinson, senior vice president and chief technology officer for the Americas at Capgemini. "If an ERP implementation fails because you're no good at it, how do you defend against that?" he asks.

Rick Berk, CIO at Brown Brothers Harriman & Co. in New York, says he expects to see federal and state legislation that's centered more around the archiving, maintenance and the accessibility of data. "We've already seen this with e-mail archiving legislation" specific to the banking industry, he adds.

It may take just a single major IT-related disaster that cripples a company and causes a panic among investors to spur legislation specific to IT-related risks, says Rob Austin, a professor at Harvard Business School. "It's only a matter of time before we have a train wreck (based on an IT failure) that brings down a company or hurts them badly," he says.

-- Thomas Hoffman