Posts Tagged 'Sarbanes Oxley'

October 16, 2012

An Introduction to Risk Management

Whether you're managing a SaaS solution for thousands of large clients around the world or you're running a small mail server for a few mom-and-pop businesses in your neighborhood, you're providing IT service for a fee — and your customers expect you to deliver. It's easy to get caught up in focusing your attention and energy on day-to-day operations, and in doing so, you might neglect some of the looming risks that threaten the continuity of your business. You need to prioritize risk assessment and management.

Just reading that you need to invest in "Risk Management" probably makes you shudder. Admittedly, when a business owner has to start quantifying and qualifying potential areas of business risk, the process can seem daunting and full of questions ... "What kinds of risks should I be concerned with?" "Once I find a potential risk, should I mitigate it? Avoid it? Accept it?" "How much do I need to spend on risk management?"

When it comes to risk management in hosting, the biggest topics are information security, backups and disaster recovery. While those general topics are common, each business's needs will differ greatly in each area. Because risk management isn't a very "cookie-cutter" process, it's intimidating. It's important to understand that protecting your business from risks isn't a destination ... it's a journey, and whatever you do, you'll be better off than you were before you did it.

Because there's not a "100% Complete" moment in the process of risk management, some people think it's futile — a gross waste of time and resources. History would suggest that risk management can save companies millions of dollars, and that's just when you look at failures. You don't see headlines when businesses effectively protect themselves from attempted hacks or when sites automatically fail over to a new server after a hardware failure.

It's unfortunate how often confidential customer data is unintentionally released by employees or breached by malicious attackers, especially because those instances are often so easily preventable. When you understand the potential risks of your business's confidential data in the hands of the wrong people (whether malicious attackers or careless employees), you'll usually take action to avoid quantifiable losses like monetary fines and unquantifiable ones like the loss of your reputation.

More and more, regulations are being put in place to hold companies accountable for protecting their sensitive information. In the healthcare industry, businesses have to meet the strict Health Insurance Portability and Accountability Act (HIPAA) regulations. Sites that accept credit card payments online are required to operate in Payment Card Industry (PCI) compliance. Data centers will spend hours (and hours and hours) achieving and maintaining their SSAE 16 certification. These rules and requirements are not arbitrarily designed to be restrictive (though they can feel that way sometimes) ... They are based on best practices to ultimately protect businesses in those industries from risks that are common throughout the respective industry.

Over the coming months, I'll discuss ways that you as a SoftLayer customer can mitigate and manage your risk. We'll talk about security and backup plans that will incrementally protect your business and your customers. While we won't get to the destination of 100% risk-mitigated operations, we'll get you walking down the path of continuous risk assessment, identification and mitigation.

Stay tuned!

-Matthew

September 21, 2007

How do You Want to be Perceived in the Market?

When you look at the names below, what is your first reaction?

Barry Bonds
Bill Belichick
Shoeless Joe Jackson
Pete Rose
Tonya Harding
Ben Johnson
Rosie Ruiz

For most, the common thread is that each has been accused of or has admitted to cheating in their respective sport. Barry Bonds for using steroids (and don't tell me he didn't use them); Bill Belichick for filming the Jets' defensive signals; Shoeless Joe and Pete Rose for gambling; Tonya Harding for trying to disable her competition; Ben Johnson for using steroids to sprint faster than any other human being; and Rosie Ruiz for only running half a marathon. All of them will forever be associated with scandal first and their accomplishments second.

But sport is not the only place where cheating is running rampant. The financial markets have been and continue to be rocked by financial scandal. We all know about the high-profile cases like Bernie Ebbers (Worldcom) and Andrew Fastow (Enron), but a recent university study has shown that from 1978 to 2006, there were 788 Securities and Exchange Commission (SEC) and Department of Justice (DOJ) enforcement actions for financial misrepresentation or, as the layman would call it, "cooking the books". In those actions, there were 2,206 individuals identified as being culpable for some or part of the financial fraud. While all the sports figures above had their reputations tarnished, only some of them have suffered financial hardship and, if I remember correctly, none served jail time for their initial actions. For financial misrepresentation, the penalties are far more severe. Over 93% were fired or left their jobs, with another 31% barred from future employment as an officer or director of any publicly traded company. In addition, 617 of these individuals have been charged with criminal violations; 469 were found guilty and sentenced to an average of 4.3 years in jail and 3 years of probation. Needless to say, their financial position suffered as well. On average, these managers lost $15.3 million in stock value once the scandal was revealed and paid $5.7 million each in SEC fines.

Cheating never comes to a good end. Most scandals generally start small, then greed sets in and the rest is history. Is cheating worth it? Even if you don't get caught, you will always be looking over your shoulder. And sometimes scandals can occur even with the best of intentions. Compared to other industries, hosting is still in its infancy and is just beginning to address the provisions of Sarbanes-Oxley. Who knows what kind of accounting and operational issues will come to the forefront as some of the leaders in the industry enter the public markets?

Around here we foster an environment of honesty and integrity. What are you doing in your company? How do you want your company to be perceived in the marketplace? Are you ready to face the public scrutiny of the SOX generation? Your customers and the markets are watching.

-Mike

June 29, 2007

Business Ethics Simplified

In this day and age of Sarbanes-Oxley internal controls, SAS 70 certifications, and myriad other regulatory, compliance, and audit issues that I won't get into, business ethics might seem to be a lengthy and complex topic.

In reality, it isn't. Back in the dark ages when I strolled the halls of SMU, a crusty Econ 101 professor named Jack Stieber proclaimed that there is only one ethical mandate in business: "Within the bounds of the law, maximize profit." There are no more ethical rules necessary to follow in business.

I have heard others phrase a similar thought as "maximizing shareholder value". I disagree with that approach because there are things that management can do to influence the stock price that aren't necessarily tied to maximizing profit. Basically, if you can maximize profit, the stock price will take care of itself.

In response to Prof. Stieber's proclamation, there were a few students who responded, "But sir, what about ?" and Prof. Stieber shot them all down. Here is one of the more interesting objections:

"But sir, what about a business owner who hikes the price of bottled water to a ridiculous level in a disaster-stricken area that has lost its water supply? Are you saying he's being ethical by maximizing his profit from price gouging?" Prof. Stieber responded something like this:

Assuming that his pricing policy is legal, he's still being unethical because he's actually not maximizing his profit. Sure, he may reap a short-term gain, but when the water supply is back on, those forced to buy his extortion-priced water will take their business elsewhere. So in the long term, he hasn't maximized his profit and thus has behaved unethically. An ethical decision during that time might have been to keep selling water at the pre-disaster price or maybe even donating some to build goodwill among his customer base. This could have cemented a long-term relationship with the customers, who would provide repeat business again and again and thus maximize his profit over time.

That being said, when a business maximizes its profit within the bounds of the law, it's a "win-win" for the customers, stakeholders, and shareholders. In my next post, I'll explain how SoftLayer earning profit is a win-win for both the customers and the company.

-Gary
