IT Leadership, Governance, Strategic Risks Management, and Ethics
*Christine Stagnetto-Sarmiento, Oglala Lakota College, USA
*Corresponding Author, 490 Piya Wiconi Road – Kyle, South Dakota
(605) 455-6110
Abstract
This research scrutinizes how leaders develop and recognize strategies that leverage business solutions.
Research studies compare and analyze the role a leader fulfills in IT companies. This research
focuses on strategies, the implementation of security controls, and risks. In addition, the objectives
and analyses identify the potential risks and examine the strategic steps for solving the problems. This
paper will also investigate situations of fraud uncovered in audits, and the implementation of antifraud laws
and regulations, including misconduct within the organization.
Introduction
This research paper focuses on IT leadership, governance, ethics, and strategic risk management for IT
organizations. Additionally, steps for good practices have been identified and explained. The purpose of
this research study is to investigate leadership performances that excel during times of crisis. Difficult times
make leadership responsibilities an even more difficult job. Schubert (2006) demonstrated in his
research how handling leadership and risk management differs between genders. For example, the
findings on risk management showed the differences between women and men in the workplace.
Publications on this research by Schubert (2006) found that women have an advantage over men:
in general, they are less pessimistic than men are. For example, “women underestimate high probabilities
for positive outcomes more strongly than men” (Schubert, 2006, p. 710). Furthermore, the study of fraud
in organizations is predictable. Because of this predictability, fraud can be controlled if antifraud controls
are implemented. Further studies in which researchers can find better approaches and discover solutions
are ongoing (Schubert, 2006).
IT Leadership, Governance, Strategic Risk Management, and Ethics
According to Yukl (2006), a leader is defined as a person who can influence others. Nowadays, new
definitions such as “traits, behaviors, influences, interaction patterns, role relationships, and occupations
of the administrative position” (Yukl, 2006) are included in the definition of a leader. The term leadership
has changed, and it is based on power, or the power of personality, to dominate a group (McCrimmon,
2009). Orlando (2006) emphasized leadership development and the importance of best practices.
Orlando (2006) focused on improving the effectiveness of leaders within organizations. Schubert (2006)
focused on managing risks and the differences between genders, and on how they act at the moment of
making decisions.
How do organizations develop leaders to reach business results?
According to Orlando (2006), leadership development changes according to the company’s demands and
strategies. Today, leadership competencies have not changed, just their priorities.
Advantages in experiential leadership are:
1. Promote leadership skills of upper-middle and senior level leaders (skills developed are
connected with business strategy)
2. Accept and solve challenges inside the organization by establishing an interpersonal network (e.g.
leaders must be skilled in strategy)
3. Experiential learning brings “leaders from different disciplines to work on special projects (it is
an important tool and effective, because senior leaders can develop, teach, and make
success projects inside the organization)” (Orlando, 2006, pp. 2-3).
Leadership competencies
The author focuses on the identification of core leadership competencies and on prioritizing a few of these
competencies, as shown in Table 1. Today, organizations build up leaders for better
business outcomes such as profit, revenue, earnings, profit per employee, customer retention and
satisfaction, employee satisfaction, and so forth.
As a result of this research, Orlando (2006) supported investments that include
sponsorship, action learning, and others that show the way to enhanced leadership skills. Another
important point for consideration is IT governance, especially during a recession such as the current
market trend, because governance becomes more crucial under financial pressure.
Table 1
Core competencies (Orlando, 2006)
Setting Strategy | Engaging Talent | Operating Efficiently | Generating Revenue
Setting strategy | Coaching | Driving efficient processes | Business acumen
Strategy communication | Delegating | Maintaining product quality | Driving for results
Strategy execution | Influencing | Effective resource allocation | Customer focus
Strategy integration | Holding people accountable | Functional knowledge | Market positioning
- | Attracting talent | Risk analysis | Exploiting existing markets
- | - | - | Exploiting new markets
IT organizations need to know how to make decisions and how to obtain benefits in this critical economy.
At this point, IT governance is the most important concern, because financial pressure is affecting
operations and the decisions made are crucial. Good corporate governance gives a better structure, and
its benefits work for everyone, including ethical standards and best practices of formal laws.
IT governance solution
For the best solutions, IT managers must consider the following corporate processes: 1. Capture all
investments (e.g. cost of the project); 2. Prioritize business strategy and competing investments
(measuring ROI); 3. Standardize and automate processes (strategic planning process); 4. Manage
resources (e.g. in recession times, prepare the organization to emerge when the recession ends); and 5. Measure
and track performance (making the effort to track “those projects that take less than 24 hours to complete”)
(Lebeaux, 2009; Tucci, 2009).
IT Governance and Strategy
Executives must consider a plan and a budget for the next several years. Furthermore, they must
weigh the project's price when its cost is more important than its returns. (Lebeaux, 2009)
What is IT Governance?
IT Governance focuses on information technology systems, their performance and risk management.
Goals
It is fundamental and imperative to consider the following goals as priorities: 1. Investments in IT generate
business value (at this point IT operations must integrate the tools and generate business); 2. Mitigate the
risks associated with IT (e.g. by using the proper tools, risks in specific areas can be mitigated); and 3.
Implement an organizational structure with well-defined roles for the responsibility of information,
business processes, applications, and infrastructure (e.g. following COBIT guidelines and IT solutions)
(Van Grembergen, 2004). In addition, the author describes the objectives and guidelines of COBIT as a
solution (Van Grembergen, 2004, p. 1).
Why is IT Governance necessary?
IT governance is needed to ensure that investments in IT produce valuable rewards and mitigate IT-
associated risks, thereby circumventing failure. It is needed because IT's role in the business is becoming more
important, and its impact on the organization should support achieving the organization's vision, mission, and/or strategic
goals. IT governance is essential to mitigate IT-related risks and avoid IT project failures.
Best practices
Several organizations fail to think about the magnitude of IT governance. Identifying organizational
objectives is one of the best practices for IT governance. For an organization to be successful it must
consider the following factors: 1. High-level framework (leadership, processes, roles and responsibilities);
2. Independent assurance (internal or external audits, policies, standards, procedures, and objectives);
3. Resource management (competent and efficient resource allocation that meets the organization's
demands); 4. Risk management (risk and organizational impact); 5. Strategic alignment (between IT and
management, which enables understanding of strategic issues); 6. Value delivery (benefits obtained from each
IT investment); and 7. Performance management (accurate, timely, and relevant portfolio, program, and
IT project reports).
What do IS Auditors do to make IT Governance effective?
Information Systems auditors must assist in the development of IT governance as follows: a. Contribute to
performance metrics (assisting with performance, implications, recommendations, and advice); b. Ensure IT
governance (technology assets and information that “contain be known, available and credible, and
protected”; good IT governance must be aligned with regulatory compliance); and c. IS auditors can
advise, assist, and provide assurance, as well as use their skills for identifying performance (ITICinstitute,
2007).
Objectives and Approach
This section identifies the objectives for the analysis of differences in strategies, risks, and ethics
between IT professionals and non-IT professionals such as administrative personnel, secretaries, and so
forth. Why do most companies govern their information? How is the information used, shared, and
analyzed? Is it ethical? This analysis draws its findings and conclusions from the research
literature presented below.
Overview of Literature Addressing Business Ethics and Risk Management Strategies
The most challenging aspect of managing ethics and compliance is attaining and adopting the values
and the model the business uses to conduct its affairs. One of the most powerful partners and supporters
of ethics and compliance is the company's corporate social responsibility officer. At this point, the officer
plays the role of maintaining the moral position of the organization, such as preventing fraud, corruption,
and abuse scandals. The officer also makes decisions on appointing ethics compliance under the Federal
Sentencing Guidelines for Organizations.
Hinders (2009) explained that business ethics refers to the study of the ethical
principles and rules that arise in a business environment. Similarly, Cuizon (2009) focused on “ethical
principles and morals that occur in a business environment.” Many companies are addressing ethics as a
part of their corporate policies. These policies are internal policies, and most of them are focused on the
ethical conduct of employees (e.g. monitoring, supporting unequivocal management, and so forth).
Designing and implementing business ethics involves different standards, procedures, and expectations that
are applicable in particular circumstances (e.g. laws and regulations, size of the enterprise, etc.). If all
members (managers, stakeholders, executives, employees) consider a well-designed and
implemented business ethics program and meet its goals and objectives, then owners and managers
can develop effective standards, procedures, and expectations that help achieve these goals and
objectives. On the contrary, when it is not well established, the strategies and plans lack focus
and power (p. 94).
Upper-level managers in organizations must consider the following in order to comply with the most
important standards and practices: (1) Responsible business conduct (applied ethical responsibility in
employee misconduct; prevent and detect wrongdoing); (2) Responsible business enterprise (the
responsible enterprise operates in compliance, risk management, reputation enhancement, and value; it is
important to detect misconduct at this level); and (3) Business ethics program (owners and managers
must take the orientation on it, for improving business performance and increasing prosperity) (p. 63).
Managers must develop a set of tools that will attain different approaches to responsible business
conduct. In fact, responsible business conduct is identified with an enterprise's: a. Compliance with the law (e.g. leading
with one's own behavior as a model for all employees); b. Risk management (ensuring all policies and
procedures are applicable in the risky areas); c. Reputation enhancement (e.g. success, integrity, ethics,
and respect for others); and d. Value added to the community (for example, decisions with high
standards of safety and employee protection).
In addition, ethics and compliance are responsible for the company's value-based ethics program, as well as the
principles (Standards of Conduct) and processes for identifying, reviewing, analyzing, and coordinating ethics
at the highest standards (Hinders, 2009).
Risk management strategies
This research paper examines risk management: the strategies to manage a negative situation as well as
to avoid the risk. This includes which financial risks corporations can have and how the management
team will solve them. The potential risks will be identified along with how those risks will be solved.
Literature related to risk management examines the strategic steps for solving the most important
points where risk can be found in organizations.
Moral-Basco (n.d.) describes the process of risk and how to develop strategies and effectively
communicate these processes in a way that avoids or reduces negative effects. The author focused on
financial risk management in small and large corporations. The author described risk management as
well as financial risk management, the context in which it arises, and how it can be detected. Once the
problem is identified, management must make an appropriate decision and prioritize the risks that
can provoke losses. For that reason, once the risk is seen it can be mitigated.
Furthermore, a panorama of risk management and its intricacies emphasizes the importance of
prioritizing the risk processes and diagnosing risk management in recent years (Moral-Basco, n.d.). Harris
(2006) drew a guideline for risk management and explained the differences between risk and vulnerability
management. The author said that IT staff in the security industry must understand the word “risk” as used in the
business world. This article explained in detail risk management and its particular risks and vulnerabilities,
as well as the stages of these vulnerabilities. Harris made an overview of risks and vulnerabilities.
Harris (2006) explains that one of the risks is the vulnerability to a threat that can impact the business.
Today there exist several security problems that call for mitigating vulnerabilities, such as inadequately trained
workers, improperly configured firewalls, facilities located in flood zones, lack of or inadequate security,
and so forth. The steps considered by the author are the following: 1. “Identify vulnerabilities (e.g.
threats); 2. Map the vulnerabilities and threats (e.g. record both); 3. Calculate the probability of each
vulnerability actually being exploited (exploit probability); and 4. Calculate the impact and what can
compromise the business (risks, analyses of risks)” (Harris, 2006, no pag.).
Figure 1.
Risk Management guide (Harris,2006)
Figure 1 shows a guideline for management to apply and implement the plan before the risks arrive. It is
important that management keep this in mind, be prepared for any event, and be able to mitigate the risks.
Policies
The IRM (Information Risk Management) policy focuses on risk management, whereas security policy centers on
all phases of security. This policy offers “the processes and procedures” as well as all issues regarding
“personnel screening as threat to physical security and firewalls” (Harris, 2006). In order to preserve
security in the organization, the following policies were included (Harris, 2006):
1. “Objectives of the IRM (Information Risk Management) team (such as planning, and identifying the assets, vulnerabilities, and risks)
2. Level of risk the company will accept and what is considered an acceptable risk (each company has its own acceptable risk level)
3. Formal processes of risk identification (consider the investment versus the expected payback over the total of the project)
4. Connection between the IRM policy and the organization's strategic planning processes (e.g. policies and procedures support them, and avoid any risk)
5. Responsibilities that fall under IRM and the roles that are to fulfill them (management executes decisions on risk mitigation tasks; these responsibilities also address information security personnel)
6. Mapping of risk to internal controls (effective mapping will improve the functions and activities such as policies, staff training, risk analysis, and so forth)
7. Approach for changing staff behaviors and resource allocation in response to risk analysis (rotate staff)
8. Mapping of risks to performance targets and budgets (eliminating any risk on assets, and working on projects, testing, maintaining a dialog with the team, and working with estimated resources)
10. Key indicators to monitor the effectiveness of controls (e.g. provide control monitoring, report status of key business risk)”
Steps
IT risk management strategy generates an organized approach to the treatment of all risks from
the organizational viewpoint. Today organizations around the world deal with risks of various kinds, such
as changes in customer habits, new competitors, and outside factors that cannot be controlled and
could impede the project. Risk analysis and management must help evaluate these risks
and decide what actions to take to minimize disruptions to the project. The decision is influenced by the
effectiveness of the strategy to control the risk and its cost effectiveness. (Harris, 2006)
On the other hand, Case and Young (2003) put emphasis on employee abuse of the Internet. Many
organizations implement different strategies for combating this type of abuse by employees.
Organizations use written guidelines on acceptable Internet conduct, unacceptable Internet conduct, or both.
Furthermore, most organizations monitor their employees for misuse of the Internet and
provide an Internet usage policy. Employees are advised and alerted that all online activity is monitored
and that abuses may result in disciplinary action for those who break the regulations, thereby enforcing the
application of these policies. For example, the organization may use software and electronic monitoring
that tracks, records, and detects Internet usage by employees.
Tool
Risk = (probability of event) x (cost of event) (Harris, 2006; MindTools.com, 2009)
Then follow these steps: 1. Identify threats (human, operational, reputational, procedural, financial,
natural, technical, political, and others); 2. Estimate risk (vulnerabilities, assets); 3. Manage risk (using
existing assets, contingency planning, investing in new resources); and 4. Review (all steps, probabilities,
costs, and vulnerabilities of assets) (Harris, 2006, no pag.).
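The formula and the four steps above can be carried through on a small risk register: score each threat, rank the threats, compare each one with the company's acceptable risk level (IRM policy item 2), and check whether a proposed control pays back its cost (IRM policy item 3). The following Python is an added example and is not code from Harris, MindTools, or this paper; the register schema, the threat entries, their probabilities and costs, the acceptable-risk threshold, and the control figures are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    """One row of a risk register (hypothetical schema; the paper gives none)."""
    name: str
    category: str        # one of the threat categories listed above: human, technical, ...
    probability: float   # estimated likelihood of the event in the review period, 0..1
    cost: float          # estimated loss if the event occurs, in currency units


def risk_score(threat: Threat) -> float:
    """Risk = (probability of event) x (cost of event), i.e. the expected loss."""
    if not 0.0 <= threat.probability <= 1.0:
        raise ValueError(f"probability out of range for '{threat.name}'")
    if threat.cost < 0:
        raise ValueError(f"negative cost for '{threat.name}'")
    return threat.probability * threat.cost


def rank_risks(register: List[Threat]) -> List[Tuple[str, float]]:
    """Step 2 (estimate risk): score every threat, largest expected loss first."""
    scored = [(t.name, risk_score(t)) for t in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def treatment(threat: Threat, acceptable_risk: float) -> str:
    """Step 3 (manage risk): a threat at or below the company's acceptable risk
    level is accepted; anything above it needs a mitigation decision."""
    return "accept" if risk_score(threat) <= acceptable_risk else "mitigate"


def control_is_cost_effective(threat: Threat, control_cost: float,
                              residual_probability: float) -> bool:
    """Investment versus expected payback: a control is worth buying only when
    the expected loss it removes exceeds what the control itself costs."""
    residual = replace(threat, probability=residual_probability)
    avoided_loss = risk_score(threat) - risk_score(residual)
    return avoided_loss > control_cost


def review(register: List[Threat], acceptable_risk: float) -> List[Tuple[str, float, str]]:
    """Step 4 (review): one row per threat with its score and treatment decision."""
    ordered = sorted(register, key=risk_score, reverse=True)
    return [(t.name, risk_score(t), treatment(t, acceptable_risk)) for t in ordered]


# Constructed sample register; every figure below is illustrative, not from any source.
SAMPLE_REGISTER = [
    Threat("misconfigured perimeter firewall", "technical", 0.30, 50_000),
    Threat("untrained staff mishandle customer data", "human", 0.50, 20_000),
    Threat("server room flood", "natural", 0.02, 400_000),
    Threat("supplier contract dispute", "procedural", 0.10, 30_000),
]
ACCEPTABLE_RISK = 10_000  # constructed acceptable-risk level for this hypothetical company


if __name__ == "__main__":
    for name, score, decision in review(SAMPLE_REGISTER, ACCEPTABLE_RISK):
        print(f"{score:>10,.0f}  {decision:<8}  {name}")
    # Would a 4,000-unit firewall review that cuts the probability to 5% pay off?
    print(control_is_cost_effective(SAMPLE_REGISTER[0], 4_000, 0.05))
```

Run as a script, the register prints in descending order of expected loss with the treatment decision beside each threat; only the firewall entry exceeds the constructed threshold. Because probability and cost are both estimates, the scores are for ranking and for the accept-or-mitigate decision, not for precise accounting, which is why the review step recomputes them from the current estimates each time.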
Financial Risk Management
Tatum (2009) examines financial risk management in financial investment, with individual and
corporate investors assessing the highest possible return. Risk management has its own risks, and it requires
the use of sophisticated tools; Sarbanes-Oxley, Basel II, Solvency II, and the cost of capital mean that organizations
need to improve their risk practices. Financial risk management is a part of corporate strategy, and
requires integrated frameworks for optimizing asset-liability management and processes. This
integration is based on designing and implementing structures to either deal with or attempt to reduce the
risks.
Regulations are incorporated into Sarbanes-Oxley, where the strategy is clear and the policies
are established, as well as how to detect fraud and prevent it using different anti-fraud strategies.
Sarbanes-Oxley is applicable to private companies or organizations; its Section 1107 provides
criminal penalties “for retaliation related to an employee's whistle blowing activities.” Section 802 makes it
a criminal violation to alter, destroy, mutilate, conceal, or make a false entry in a record, document, or tangible
object with the intent to impede, obstruct, or influence any investigation or bankruptcy (e.g. Enron).
Section 904 increases the potential criminal financial penalties and possible prison sentences for ERISA
(Employee Retirement Income Security Act) infringement. (Sarbanes, n.d.)
Fraud and misconduct
This section will review the new antifraud laws and regulations and misconduct within the organization.
Fraud is a continuing problem in every organization, and in recent years it has resulted in increases in
financial, legal, and reputational consequences, and in audit roles, responsibilities, and practices. (Melancon et al.,
n.d., pp. 22 & 28)
Fraud guidance draws on external information such as securities commissions, industry sources such as law
societies, key guidance-setting groups such as COSO (Committee of Sponsoring Organizations of the
Treadway Commission), professional organizations such as the IIA (The Institute of Internal Auditors), the AICPA
(American Institute of Certified Public Accountants), the ACFE (Association of Certified Fraud Examiners),
and others. The process of fraud risk identification “includes assessment of the incentives,
pressures, and opportunities to commit fraud” (Melancon et al., n.d., pp. 1 & 8).
Melancon et al. (n.d.) discussed the principles for protecting against fraud, which include the following:
Principle 1: Fraud risk management includes a written policy (according to the expectations of the board of
directors and management); Principle 2: Fraud risk identification covers potential systems and incidents that the
organization needs to mitigate; Principle 3: Prevention techniques (avoid key fraud risk events where it is
practical, to mitigate probable impacts on the organization); Principle 4: Detection techniques (uncover
fraud events where preventive measures fail or risks are unmitigated); and Principle 5: Reporting process (coordinate
investigation and corrective action) (Melancon et al., n.d., p. 6).
Fraud Risk Governance
Fraud risk management must consider the following (Melancon et al., n.d., pp. 7, 16-19):
1. “Roles and responsibilities (all parties involved)
2. Commitment (i.e. prevent fraud with strong techniques)
3. Fraud awareness (new hires must be trained in preventing fraud)
4. Affirmation process (e.g. directors, employees, and contractors must read, understand, and comply with the code of conduct, fraud policy, and so forth)
5. Conflict disclosure (implemented for directors', employees', and contractors' potential or actual conflicts of interest)
6. Fraud risk assessment (e.g. overseen by the board, which identifies where fraud may occur within the organization)
7. Reporting procedures and whistleblower protection (considering people who commit fraud inside the organization, and the organization's zero tolerance)
8. Investigation process (e.g. internal personnel or hired experts must carry out the investigation)
9. Corrective action (consequences: termination of employment or contract)
10. Quality assurance (documentation; management must evaluate the fraud risk management program and monitor changes)
11. Continuous monitoring (all related documents).”
Management is responsible for designing and implementing a program for mitigating fraud risk.
All levels of staff must: a. “Have a basic understanding of fraud and
be aware of the red flags (e.g. be attentive to accounts or personal data); b. Understand their roles in the
internal control (management and the board must control for identity fraud, especially with override risks);
c. Read and understand policies and procedures (i.e. for mitigating fraud risks); d. Participate in the
process of creating a strong control environment (e.g. internal control for preventing fraud); e. Report
suspected fraud (i.e. identifying certain activities such as expense reports, ledger accounts, payroll, and
so forth); and f. Cooperate in investigations (e.g. into any alleged or suspected fraud)” (Melancon et al., n.d.,
pp. 14-15).
Regulatory and Legal Misconduct
Regulatory and legal misconduct includes conflicts of interest, theft of competitors' trade secrets,
violations, and so forth, which in turn depend on the type of organization. These risks must be considered
in the assessment process. (Melancon et al., n.d., p. 28)
Reputation risk
The organization's reputation with customers, suppliers, and capital markets can be damaged by an act
of fraud. Bell (2009) described how to prevent fraud and which steps organizations must consider
strategically. These steps are: 1. Provide a truly independent and empowered audit committee (e.g. the audit
committee monitors the activities of the organization annually or quarterly); 2. Conduct detailed fraud risk
assessments (increase management's attention to how fraud is being managed); 3. Deter and detect
suspicious or inappropriate activities and the tools used in them (employees need to report any suspicious activities
inside the organization); 4. Promote and support antifraud policy and training (a good anti-fraud policy as
well as employee training); and 5. Deter, detect, and respond to fraud allegations (fraud must be
investigated and resolved with proper evidence) (Bell, 2009).
Bell (2009) considered fraud as a form of corruption and bribery, and organizations are able to have a
hotline, as part of the implementation, where employees can anonymously report any suspicious or
inappropriate activity. For that reason, organizations must implement antifraud programs. On the other
hand, one way of leveraging these and other resources, and possibly mitigating risks, is to ensure
control over the organization's internal systems of financial reporting (Section 404 of the Sarbanes-
Oxley Act).
Overview of Security issues
This section reviews existing problems in management practices. It covers the Code of Practice for
Information Security Management (ISO 17799), auditing, and implementation of information security.
What is ISO 17799?
ISO 17799 is a code of practice which covers 36 objectives (listed in 11 chapters). BS 7799 Part 2 is not
considered a code of practice, but is a specification for an ISMS (Information Security
Management System) (ISO, 2009).
ISO 17799 establishes guidelines and principles for initiating, implementing, maintaining, and improving
security management in an organization. The best practices cover the following control objectives and
methods in information security management (ISO, 2009):
1. Security policy (creating new policies and compliance positioning, providing management direction and support)
2. Organization of information security (it has three sections: a. manage information security, b. maintain security in assets accessed by third parties, c. maintain security in outsourced organizations)
3. Asset management (maintain appropriate protection of corporate assets and ensure the level of protection)
4. Human resources security (reduce risks of human error, theft, fraud, or misuse of facilities)
5. Physical and environmental security (prevent unauthorized access, damage, and interference; prevent loss or compromise of assets, interruption to business activities, and so forth)
6. Communications and operations management (ensure the correct and secure operation of information processing facilities, minimize the risk of system failures, prevent damage to assets and interruptions to business activities, etc.)
7. Access control (e.g. control access to information, prevent unauthorized access to information systems, etc.)
8. Information systems acquisition, development, and maintenance (ensure security is built into operational systems; prevent loss, modification, or misuse of user data; protect the confidentiality, authenticity, and integrity of information; maintain the security of application system software and data, etc.)
9. Business continuity management (e.g. counteract interruptions to business activities and failures or natural disasters)
10. Compliance (avoid breaches of any criminal or civil law, statutory, regulatory, or other obligations; ensure compliance of systems with security policies and standards; maximize effectiveness and minimize interference)
Security governance
This section will review the internal controls related to information resources and their security, including IT
security policies and processes, as well as applicable laws and regulations. Harris (2006) states that
governance is “used, managed and supported business needs.”
What is Information Security Governance?
“IT governance is similar to information security governance, because both have common characteristics.
Security governance is the set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are achieved,
ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used
responsibly.” (Harris, 2006)
Table 2
Impact of Recent Information Security Legislation (BSA, n.d.)
Recent legislation | Who is affected? | What do the security provisions cover? | What are the penalties? | When is it in effect?
Sarbanes-Oxley Act of 2002 | All public companies subject to US security laws | Internal controls and financial disclosures | Criminal and civil penalties | Current law
Gramm-Leach-Bliley Act of 1999 | Financial institutions | Security of customer records | Criminal and civil penalties | Current law
HIPAA | Health plans, health care clearinghouses, and health care providers | Personal health information in electronic form | Civil fines and criminal penalties | Final security rule takes effect in April 2005
California Database Security Breach Information Act (SB 1386) | State agencies, persons, and businesses that conduct business in the state of California | Reporting of breaches of unencrypted personal information | Civil fines and private right of action | Current law
Federal Information Security Management Act | Federal agencies | Federal information, information systems, and security programs | Loss of IT funding | Current law
Bottom line | Significant impact on US private sector and governments | Financial customer, health, personal, and government information | Criminal and civil penalties and private right of action | Most provisions are already in effect
Overview of Leadership and Governance
According to Yukl (2004), leadership is classified into three different variables, which include 1.
Characteristics of leaders, 2. Characteristics of followers, and 3. Characteristics of the situation. Table 3
shows examples of each category:
Table 3
Characteristics of leaders, followers, and the situation (Yukl, 2009)
Characteristics of Leaders | Characteristics of Followers | Characteristics of the Situation
Traits (motives, personality, values) | Traits (needs, values, self concepts) | Type of organization unit
Confidence and optimism | Confidence and optimism | Size of unit
Skills and expertise | Skills and expertise | Position power and authority of leader
Behavior (e.g. examines how managers spend their time, activities, responsibilities, and functions for managerial jobs) | Attributions about the leader | Task structure and complexity
Integrity and ethics | Trust in the leader | Task interdependence
Influence tactics | Task commitment and effort | Environment uncertainty
Attributions about followers | Satisfaction with job and leader | External dependencies
Definitions of leadership share the assumption that it involves an influence process concerned with facilitating the
performance of a collective task. Leadership covers all situations, and what matters is how useful the
definition is for increasing the understanding of effective leadership.
On the other hand, Yukl (2006) indicates that managerial work is inherently hectic, varied,
fragmented, reactive, disorderly, and political. Decision processes are political and planning is informal
and adaptive, because managers face several dilemmas: their responsibilities, relevant information
that exists only in the heads of people who are widely scattered inside and outside the organization, and
the fact that they make decisions based on that information and need cooperation from people who have no authority.
Leadership
Leaders have the responsibility of strategic vision and of convincing others to cooperate, analyze, and make improvements. Patterson & Winston (2006) discuss the differences between leaders and followers. The leader influences the people selected; the objective is that they understand and interpret his vision. Leaders in IT carry out the following duties: 1. Technical support (computer support specialists), 2. Systems administration (install and repair computer systems and maintain communications – Internet and intranet systems), 3. Programming (design applications by writing the code that instructs computers to perform specific functions), 4. Web development (create company websites, from layout design to code writing to usability testing), and 5. Project and technical services management.
While administrative leaders have the same duties as IT leaders, the two communicate with personnel using different concepts and language. Barton (1993) remarked that the role of an officer or administrative leader includes four important strategies: "vision, articulation, communication, and accountability" (Barton, 1993).
Governance
This section presents the principles, background, and processes that occur in IT operations and mechanisms. The strategies and principles are summarized in Figure 2.
The primary IT governance and corporate governance concerns are: 1. "Strategic planning and alignment (committee/priority process, alignment with business objectives), 2. Financial management (budget, capital budget, asset management, allocation and planning), 3. Operations (development, project management, control and operation, job scheduling, system backups, etc.), and 4. Control frameworks (corporate – privacy, business process owners, security, COBIT, ITIL, ISO, SAS70, documentation, etc.)" (Hamaker, 2004, n. pag.)
Figure 2
Principles of IT governance (Hamaker, 2004)
Hamaker (2004) described in Figure 2 the principles of IT governance and demonstrated the best practices of governance.
Gender differences
Schubert (2006) in his article focused on the differences between men and women. Powell et al. (2001) pointed out that women perceive higher risks and do not act, while men do. The author describes how risks differ under different situations or influences (e.g. emotional).
According to the author, the differences are as follows: 1. "Women are less sensitive to probability changes, women are more positive than men (risk averse). 2. Women underestimate high probabilities for positive outcomes more strongly than men (pessimistic), 3. High degree of underestimation (risk aversion)." (Schubert, 2006, p. 710)
Empirically, women are more risk averse than men. Why? Because our society is managed by men, and for that reason women in management and leadership positions are regarded as inefficient. Furthermore, risk occurs in both genders. On the other hand, women have more multitasking skills than men, and for that reason they perceive higher risks. From the author's perspective, men are more likely than women to engage in risk analysis, management, and strategy. In a few words, men hold the advantage (Schubert, 2006).
Schubert (2006) concluded that women cooperate with men, and firms see them as more profitable. Herrick (2009) hypothetically analyzed different scenarios (e.g. business and professional opportunities) and showed that women do take risks. Based on his survey, the author reported the following findings on business and career development: a. "80% reported pursuing a major change initiative "sometimes" or "often" (i.e. business/profession), b. 79% reported pursuing a new program (e.g. begin a new career), c. 77% reported pursuing a new job (change for better expectations), and d. 56% reported pursuing a major business development opportunity (e.g. consulting business, franchise, etc)" (Herrick, 2009).
Women, when taking risks, are more visible (e.g. opportunistic risks). On the other hand, Walker (2009) illustrated in his article, in comparison with Schubert (2001), that women show more initiative, are confrontational, or involve employees in major changes. Today, women are more audacious, but the distinctions between genders are still evident.
Conclusion and summary
IT governance "is an integral part of" corporate governance and ensures that IT goals are met and risks can be mitigated. For example, IT delivers value to sustain and grow the organization and drives strategic alignment between IT investment and programmed delivery and performance (Boyd et al., n.d., p. 31).
The analysis and recommendations are based on the cited authors' findings. For further analysis, this paper provides recommendations and suggestions focused on risk management and its implications, and recommends INTOSAI (International Organization of Supreme Audit Institutions), which audits, investigates risk, and gives guidelines on how to control these types of strategies (INTOSAI, 2001).
The findings on risk management in business, where gender makes a difference, show that women are more proactive and take fewer risks than men, although women perceive higher risks than men. Today, women are leaders and managers and occupy important positions. Nevertheless, organizations, firms, and businesses continue to perceive that women are not as courageous as men at the moment of taking a risk. Women take more precautions when viewing or perceiving higher risks, but when working with men, women are very cooperative. At this point, this research topic remains open for further research. More surveys need to be conducted, because risk management from the point of view of women is different from that of men, and the implications of women in leadership and management positions can change many businesses (Schubert, 2006).
Furthermore, fraud in organizations is predictable, and can be controlled if it is correctly dealt with, including the implementation of anti-fraud controls. In recent years, the increase in fraud and its risks has raised expectations of the role of the audit committee. Audit committees focus on fraud and on the mitigation of these risks. Their roles and responsibilities include preventing, detecting, and responding to fraud, as well as managing internal and external audits. These practices can internally control any potential fraud (Bell, 2009).
Another important point for consideration is the financial markets as a part of risk management (e.g. insurance, law, compliance, ethics, etc.). Today, organizations suffer fraud, which has been on the rise, perpetrated primarily by dishonest employees (especially in the insurance/medical area). Audits play an important role in helping organizations develop better practices for fraud risk. On the other hand, the IT security industry must understand the risks and vulnerabilities that occur inside the company.
This research paper has been prepared in accordance with some personal experience. The objective of the study material is to provide material for future practitioners, enabling them to obtain knowledge and skills on this subject.
Perhaps the literature emphasized the goals encountered in implementing practices in public as well as private organizations, where they can be improved through potential opportunities.
The current research paper is based on different practitioners, and its applicability is further addressed for future research. The results of prior research conclude that evaluations oriented on critical components are based on websites and on some investigations from leaders. The evaluations serve as important resources for other practitioners and researchers, and the data collected from different surveys conducted by researchers indicates some impact on the data collected and the implications that they could bring.
Further, this research revealed a significant gap in leadership, and the findings of this investigation, from a practitioner's standpoint, will help the business community as well as other researchers and practitioners. From the investigations on this topic, the author concludes that leadership plays an important role in the structure, implications, and responsibilities between business and IT. Finally, IT organizations must educate their clients concerning the risks in their business and train them how to avoid them.
Table 4
Advantages and Disadvantages in Leadership, governance, strategic risk management, and ethics
Advantages | Disadvantages
Leadership | Globalization; Communication; Cost effectiveness; Bridging the cultural gap; Creation of new jobs | Unemployment; Privacy; Lack of job security; Dominant culture
Governance | Board shareowner communications; Loyalty; Investment opportunity | Losing contribution of directors
Strategic risk management | Allocation capital; Technique decisions | Allocated capital; Correction errors causing competitive financial
Ethics | Develop effective business ethics and values | Bureaucracy; Unethical practices
The model shown in Table 4 presents the advantages as well as the disadvantages in the IT world. Furthermore, no organization will be successful if it does not implement values and integrity. Organizations that establish formal ethics and compliance for determining goals will be successful. If an organization implements the model presented, it will be successful.
Finally, future research should examine more organizations to evaluate the results. Future research can help organizations improve, maximize their resources, and minimize their risks.
References
1. Auditing IT Service Management (2001). Retrieved August 31, 2009 from INTOSAI http://www.intosaiitaudit.org/totalauditpart1-2.pdf
2. Barton, Richard S. (1993, April). CEO as organizational architect. Canadian Business Review, 20(1), 39-40. Retrieved September 2, 2009, from ABI/INFORM Global. (Document ID: 239291).
3. Bell, E. (2009). Internal Control Checklist: 5 Anti-Fraud Strategies to Deter, Prevent, and Detect Fraud. Retrieved August 31, 2009 from http://www.corporatecomplianceinsights.com/2009/internal-control-checklist-deter-prevent-detect-fraud
4. Bentley, L. (2009). Undervaluing the Need for Risk Management Is Risky. Retrieved August 31, 2009 from http://www.itbusinessedge.com/cm/community/features/articles/blog/undervaluing-the-need-for-risk-management-is-risky/?cs=30861
5. Boyd, G., Brisebois, R. & Shadid, Z. (n.d.). What is IT Governance? And why is it important for the IS auditor. Retrieved August 31, 2009 from http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf
6. Case, C.J. & Young, K. (2003). Employee Internet Abuse: Risk Management Strategies And Their Effectiveness. Retrieved August 31, 2009 from http://www.netaddiction.com/articles/eia_strategies.pdf
7. Cuizon, G. (2009). What is Business Ethics? Retrieved August 31, 2009 from http://businessmanagement.suite101.com/article.cfm/what_is_business_ethics
8. Fraud Risk Considerations (2004). KPMG. Retrieved August 31, 2009 from http://www.kpmg.com/aci/docs/fraud_risk/ACI_Hilits_Fraud_Web_FNL.pdf
9. Hamaker, S. (2004). Principles of IT Governance. Retrieved August 31, 2009 from http://www.isaca.org/Content/ContentGroups/Journal1/20044/Principles_of_IT_Governance.htm
10. Harris, S. (2006). Risk Management Strategies: Understanding risk. Retrieved August 31, 2009 from http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1158732,00.html
11. Harris, S. (2006). Information Security Governance Guide. Retrieved August 31, 2009 from http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1211236,00.html
12. Harris, S. (2006). How to write an information in risk management. Retrieved August 31, 2009 from http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1178845_mem1,00.html
13. Herrick, N. (2009). Women Business Leaders are Risk-Takers: Survey Debunks Gender Myth. Retrieved July 21, 2009 from http://www.simmons.edu/som/news/3573.shtml
14. Hinders, D. (2009). What are Business Ethics? Retrieved August 31, 2009 from http://www.wisegeek.com/what-are-business-ethics.htm
15. II The Business Ethics Program (n.d.). Chapter 3: Responsible Business Conduct as Strategy. Retrieved August 31, 2009 from http://www.ita.doc.gov/goodgovernance/adobe/bem_section_2/full_text_section_2.pdf
16. III Structuring the Business Ethics Program (n.d.). Retrieved August 31, 2009 from http://www.ita.doc.gov/goodgovernance/adobe/bem_section_3/full_text_section_3.pdf
17. Information Security Governance (2006). Retrieved August 31, 2009 from http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1211236,00.html
18. Information Security Governance: Toward a Framework for Action (n.d.). Retrieved August 31, 2009 from http://www.bsa.org/country/Research%20and%20Statistics/~/media/BD05BC8FF0F04CBD9D76460B4BED0E67.ashx
19. ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management (2009). Retrieved August 31, 2009 from International Organization for Standardization http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
20. ISO 17799 Security World – Resources, Expertise and Information for ISO/IEC 17799. ISO 17799 Made Easy: What is ISO 17799? (2009). Retrieved September 10, 2009 from http://17799.macassistant.com/def.htm
21. IT Governance and Strategy (2007). Practical guidance for managers on how to prepare for successful audits. Retrieved September 1, 2009 from ITCinstitute.com http://download.101com.com/pub/itci/Files/ITCi_ITACL-Governance_0702b.pdf
22. Lebeaux, R. (2009). IT governance, corporate governance must align in economic recession. Retrieved April 18, 2009 from http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1350649,00.html
23. Maximizing Strategic Investments with IT Governance (n.d.). Retrieved April 18, 2009 from http://www.microsoft.com/office/showcase/2007/itgov/default.mspx#solution
24. McCrimmon (2009). What is Leadership? Retrieved August 31, 2009 from http://www.leadersdirect.com/leadership.html
25. Melancon, B. C., Ratley, J.D. & Richards, D.A. (n.d.). Managing the Business Risk of Fraud: A Practical Guide. Retrieved August 31, 2009 from http://www.aicpa.org/download/news/2008/Managing_the_Business_Risk_of_Fraud.pdf
26. Moral-Basco, M. (n.d.). Risk Management. Retrieved August 31, 2009 from http://risk-management.bestmanagementarticles.com/a-389-risk-management.aspx
27. Orlando, C. (2006). Leadership Development Practices of Top-Performing Organizations. Retrieved May 15, 2009 from http://www.odl.rutgers.edu/e-leadership/pdf/Orlando.pdf
28. Patterson, K. & Winston, B.E. (2006). An Integrative Definition of Leadership. International Journal of Leadership Studies, 1(2), 6-66. Retrieved August 31, 2009 from School of Leadership Studies, Regent University. ISSN 1554-3145
29. Possible Impacts of Sarbanes Oxley on Privately Held Companies (n.d.). Retrieved August 31, 2009 from http://www.strongtech.com/i/docs/sarbanes.pdf
30. Risk Management (n.d.). Retrieved August 31, 2009 from CRisk Consultants in Risk Management website http://www.c-risk.com/Construction_Risk/RM_Strategies_01.htm
31. Risk Analysis & Risk Management: Evaluating and Managing the Risks You Face (2009). Retrieved August 31, 2009 from Mind Tools http://www.mindtools.com/pages/article/newTMC_07.htm
32. Schubert, R. (2006). Analyzing and managing risks - on the importance of gender differences in risk attitudes. Managerial Finance, 32(9), 706-715. Retrieved July 19, 2009, from ABI/INFORM Global. (Document ID: 1140292451).
33. Schwartz, K.D. (2007). ABC: An Introduction to IT Governance. Retrieved April 18, 2009 from http://www.cio.com/article/111700/ABC_An_Introduction_to_IT_Governance?page=1
34. Tatum, M. (2009). What is Financial Risk? Retrieved August 31, 2009 from http://www.wisegeek.com/what-is-financial-risk.htm
35. Tucci, L. (2009). As recession deepens, IT transformation best tackled in chunks. Retrieved September 14, 2009 from http://searchcio.techtarget.com/news/article/0,289142,sid182_gci1350433,00.html
36. Van Grembergen, W. (2004). Strategies for Information Technology Governance. Retrieved April 18, 2009 from http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=19725
37. Walker, P. (2009). Women are business risk-takers too, study says. Retrieved July 21 from http://www.cnn.com/2009/BUSINESS/05/04/execed.women.risktaking/
38. Yukl, G. (2006). Leadership in Organizations, 6th ed. NY: Prentice Hall.