Increased accountability has pushed the CIO into the hot seat concerning many corporate governance issues. After all, as Charette points out, it is the CIO's job to ensure that risks - for example, the possibility of fraudulently altering a financial transaction - to any IT system used to produce, gather, store or transmit financial-related data are not only being managed but that the processes to manage that type of risk are effective.
"Many corporations' boards and senior management do not believe that the CIO should be concerned with corporate governance. This is a grave blunder, and I pity the CIO and the shareholders of any corporation with this attitude," Charette says. "While not every IT risk is a governance risk, almost every governance risk involves IT. The reasons are plain: IT is pervasive in corporations, touching on almost everything it does. Financial results depend on IT systems to produce them. A corporation's operations, products, and services likely depend on IT. The misuse or unavailability of IT can have serious legal, let alone financial, consequences for the corporation."
The new focus on enterprise risk management is already transforming the way many IT groups function. For instance, IAG's chief risk officer and group actuary, Tony Coleman, says the introduction of enterprise risk management has transformed the way IAG's Technology Services group operates.
"IAG's Technology Services division is integrated to our group-wide enterprise risk management process," Coleman says. "This involves Technology Services evaluating their own risks at a key process/function level, with specific action plans developed to address each risk - a process facilitated by our Group Risk & Compliance Unit. These risks are then reflected in the Technology Services Business Unit Level Risk Profile. Risks from the Technology Services area of the business are then incorporated into the IAG Enterprise Risk Model, which is presented to the CEO and executive team for their consideration quarterly with results reported to the board. This process involves assessing all risks and ensuring appropriate action plans are developed and implemented."
Yet while organizations are increasingly recognizing risk management and assessment as an essential part of effective corporate governance, a recent survey conducted by the Institute of Internal Auditors and RMIT found most are failing to invest anywhere near sufficient time and resources in the function. It found that "risk management and assessment [in Australia] is ranked as the second most important function after monitoring the effectiveness of internal controls, yet organizations are donating just 8.8 percent of their time to this task".
Silo Approach Flawed
As Commonwealth Auditor-General Pat Barrett - a long-time champion of a best practice approach to organization-wide risk management in government - pointed out to the Canberra Chapter of the Australian Institute of Risk Management last year, risk identification and management play a key role in a robust management and governance framework.
In recent times, Barrett says, it has become increasingly evident that business processes, risks and controls across an organization are interrelated. The traditional insular or "silo" approaches to risk management left too many gaps and proved inadequate, offering no credible way of evaluating an organization's overall risk position. He says the inter-connectedness of risks across an organization can only be identified and managed, and ERM can only emerge, when the organization begins to share risk and control knowledge systematically across its functions and departments.
Barrett notes formal risk management may have been viewed as discretionary in the past but is now accepted as an essential element of sound corporate governance and management practice. It is not a separate activity within management but an integral part of sound management processes, particularly as an adjunct to the control environment.
"Governing bodies need to embed a culture of risk management in organizations so that consideration of risks and risk mitigation strategies becomes second nature to managers at all levels. This is particularly important in the public sector as the nature and significance of risk changes as the role of the public sector itself changes. The latter may be the change in what is covered and the manner in which services are provided, for example with greater private sector involvement," he says.
"Corporate governance is concerned with achieving results while taking account of risk. This makes formal risk management an essential part of sound corporate governance and management practice. It is becoming even more important as we move to a more networked, collaborative or joined-up government."