If you want to know how important regulatory compliance has become for financial services companies in in recent years -- how ingrained in the day-to-day operations of banks, brokerages, and mortgage companies -- consider the experience of SunTrust bank, the seventh largest financial institution in the US, where auditors have their own room on the upper floors of the company's Atlanta headquarters. Permanent network connections? Got 'em. Perpetually refreshed buffet? You bet. Floor-to-ceiling windows with striking views of downtown? Done.
"We like to keep our auditors happy," says David Rowan, senior vice president and director of SunTrust's enterprise technology risk management group, at a recent conference.
And for good reason. With more than $US175 billion in assets, five million customers and 33,000 employees, SunTrust gets audited around 48 times a year. That means auditors are an almost permanent fixture in the company's offices and SunTrust is in an almost perpetual state of 'audit readiness', with full-time staff dedicated to nothing other than facilitating audits against the legion of regulations that affect SunTrust's business: Sarbanes-Oxley, Gramm-Leach-Bliley, the Anti-Money Laundering Act, the Bank Protection Act, audits from the Federal Reserve and the Securities and Exchange Commission, as well as internal and third-party audit teams.
The company's robust response to these challenges has made it a leader in enterprise risk management and a darling of the compliance community. SunTrust has reduced outstanding audit issues by 97 percent in the last five years by investing in areas such as user and access management, and by consolidating risk functions such as physical and IT security. The cost? According to Rowan, SunTrust will spend $US55 million on enterprise risk management this year, around 5 cents per share of the company.
All the more frustrating, then, that SunTrust's investment didn't spare it the expense and embarrassment of having to reissue 65,000 debit cards to customers last year. A security breach at a merchant site (by an unnamed Russian hacking crew) led to the theft of account information for hundreds of thousands of Visa card holders, Rowan says.
Similar dilemmas are annoying companies across the country, in the wake of reported data thefts at online retailer OfficeMax, the Veterans Administration and Fidelity Investments, not to mention ChoicePoint, LexisNexis, CardSystems and countless others. Traditionally something that was managed within the company, enterprise risk management today involves an increasingly complex set of interdependencies that includes customers, business partners and outsourced operations, along with consultants and other contractors. At the same time, risk officers are under intense pressure to reduce the cost and complexity of compliance.
That confluence of factors could set the stage for a big shift in the evolving practice of enterprise risk management, as companies look for ways to streamline and automate compliance functions, while broadening their understanding of enterprise risk to take into account threats that accompany customer and business partner integration through Web services and SOAs.
Developing an enterprise risk management strategy involves creating an integrated view of a company's exposure to risk that includes a company's business, ongoing operations and finances. Enterprise risk management requires a sober assessment of internal risks such as theft by rogue employees or the unexpected loss of an indispensable senior executive, not to mention external hazards ranging from hackers to hurricanes (see "Best practices for managing IT risk").
"Basically, if it's bad, it's my responsibility," Rowan jokes.
Companies have weighed their business risks for years, but the Sarbanes-Oxley Act of 2002 pushed many businesses to think seriously about risk beyond the basics of door locks, passwords, firewalls and antivirus software. Two provisions in particular caused a Y2K-like scramble: Sarbanes-Oxley Section 404, which requires companies to document - and auditors to attest to - the effectiveness of internal controls and procedures; and Sarbanes-Oxley Section 409, which requires real-time disclosure of information that changes a company's financial condition or operations.