Corporate Portfolio Management: Sarbanes-Oxley and IT portfolio management to help manage risk

Friday, January 12, 2007

Sarbanes-Oxley and IT portfolio management to help manage risk

There is an interesting contention made in a recent article in the Sarbanes-Oxley Compliance Journal. (Note: I read that sentence over and realized I used the word interesting in a sentence mentioning SOX compliance. That is a first. I apologize to any of you who are riveted by SOX compliance.) The author, Jan Sondergaard (VP of Products, HP), correctly asserts that many IT organizations are viewed as "black holes" or "bottlenecks" but takes it one step further and says that this is reflective of the inability of many IT organizations to "automatically capture, view, and report on all of the work IT is doing." As a result, this deficiency creates real corporate risk, making "sustainable Sarbanes-Oxley compliance impossible."

The author further contends that the "best way to implement standards across an organization is to take a top-down project and portfolio management approach that allows you to define and enforce 'control points' throughout the processes" and to "take project and portfolio management solutions that offer real-time alerts and indicators."

So a couple of interesting points/questions this raises:

  1. I'd love to hear from any organizations who are using their portfolio management discipline as a source of SOX compliance. In general, I don't think I've seen that as the purpose behind a corporate portfolio management effort, but if the CPM discipline can aid in SOX compliance, it's an obvious benefit. Please leave a comment and let me know if you are doing this, and perhaps we can get a dialogue going.
  2. Of course, those of you with opinions on this topic of any kind should also leave your comments.
  3. Regarding the article itself, I like and am intrigued by the idea as I do feel that the rigor that a CPM effort would instill around IT investments can definitely help mitigate risk and offer insights into the behavior/nature of IT spending.
  4. That said, the article does come from the "portfolio tool as savior" school of thought with dashboards, workflows and real-time alerts all being highlighted as the means to get at "accurate, reliable information that IT professionals at all levels can more effectively respond to the demands of the business while creating a culture of accountability that can support current and future regulatory requirements." This I disagree with on multiple levels:
  • Technology solutions are not a panacea for any type of problem, regulatory or not. You must understand what your objectives are, what process you are trying to enable, etc., and then think about how technology might aid in this effort.
  • Portfolio management solutions do not magically create accurate, reliable information, nor do they force accountability. They create rules (good or bad) which people, if not properly educated and incentivized, can circumvent and/or ignore.
  • If building a portfolio management process, you should aim to build it as a capability, not as a process that exists only to support regulatory requirements. CPM is a powerful discipline with widespread organizational uses, so building it in a sufficiently robust way will enable it to offer insights into SOX compliance while also giving it significantly more ability to contribute to the organization on other pressing fronts, including achieving financial, strategic and risk-oriented goals.

I am glad that Mr. Sondergaard raises this idea around CPM and SOX, as it is quite interesting and has some merit. I think the means to achieve what he is talking about may be enabled by a technology solution, but that is not the first priority.
