not explicitly stated in the guidelines, what is required to meet them is basically
a systematic approach to managing and monitoring risks. Also, the Public
Company Accounting Oversight Board (PCAOB) and the Securities and Exchange
Commission (SEC) recommend a top-down, risk-based approach to organizations’
SOX compliance requirements.
Data privacy and security compliance
The problem of identity theft is driving increased regulation as well, both in the
areas of data privacy and computer security, which go hand in hand in protecting
sensitive data. Regulations are on the rise in this area, whether they are laws
regulating how sensitive data must be protected or laws that kick in after a
security breach has occurred (for example, the California Security Breach
Notification Law). In the healthcare industry, HIPAA has strong implications
for how data is handled. The COBIT framework helps companies organize
their compliance in this area; Chapter 14 covers the important topic of IT GRC.
Sustainability reporting
A new horizon in this area is the domain of sustainability, which doesn’t yet
fall in the realm of compliance, but one day might. Companies are increasingly
being asked to demonstrate that their operations do not have long-term damaging
effects on the planet and that they practice good corporate citizenship.
The United Nations releases a list of 230 sustainability indicators that companies
may one day be required to report on. Chapter 13 discusses the topic of
sustainability.
R Is for Risk: Creating Opportunity
Risk management is the process of uncovering what could go wrong for the
express purpose of making more things go right. All strategies and all opportunities
worth pursuing involve risks that must be monitored and managed.
Racecars win not just because of their gas pedal but also because of their
brakes, which help drivers deftly maneuver around corners and other obstacles.
In the same way, risk management can help companies identify potential
pitfalls and thereby optimize their opportunities for success.
Many types of operational risks don’t appear on the balance sheet but can
have disastrous consequences. Risks in this category include such hazards as
Environmental catastrophes
Difficulties with integration of acquisitions
An aging workforce
Extreme weather
Currency fluctuations
Part I: Governance, Risk, and Compliance Demystified