The toughest component of regulatory compliance is perhaps the scrutiny it places on the IT department. As the one who blew the whistle on the illegal practices at Enron Corp., former Enron executive Lynn Brewer knows a thing or two about the current climate of corporate governance. During her three-year tenure there, Brewer was responsible for risk management in energy operations, the e-commerce initiatives for Enron’s water subsidiary, and competitive intelligence for Enron Broadband Services.
She ultimately took her knowledge of Enron’s improprieties to the U.S. government, which set the wheels in motion for legislative measures such as the Sarbanes-Oxley Act (SOX), which makes disclosure and information compliance a necessary step for publicly traded enterprises. ITWorldCanada.com spoke with Brewer about the “new normal” when it comes to compliance and how IT has been affected.
How have enterprise attitudes changed since Enron imploded?
Initially in the U.S. and worldwide, there was this initial “Oh my gosh, we’ve got to be compliant!” And then it became “Look at what we’ve learned about our business!” And now it’s become “We’ve got to change the way we’re doing business.” So I think that since Sarbanes-Oxley was passed in 2002 and we’re now cutting in on three years out on that. In 2001 (the year that Enron imploded) the Securities and Exchange Commission received 6,400 whistle-blowing reports per month. That would tell you that there are some serious weaknesses in systems and technology. Because if there is fraud being committed, and I’m blowing the whistle on it, it means that the systems aren’t sufficient to pick it up. Or someone is ignoring that, and that clearly went on at Enron. But today the damages, the punitive efforts underway because of SOX are much more serious. So people want to know what’s going on in their business.
The other frightening thing is that last year in 2004 the SEC received about 45,000 whistle-blowing reports per month. So it’s a huge increase in whistle-blowing reports and yet there are only 9,000 publicly traded companies. So even if you deduct 75 per cent of those as saying that they are disgruntled employees, it still means that the SEC is receiving more whistle-blowing reports than there are publicly traded companies. Business isn’t being done any differently than it was before Enron. It’s just that the tolerance has gone down. (Enterprises) are sort of saying, “We’ll use our ERP system and we’ll just keep stretching the system to the point [at which] it’s doing things it wasn’t intended to do.” And because they’ve committed so many dollars to [the ERP applications] and discovered after the fact that they’ve bought them that keeping them up to date requires a whole lot of consulting fees. They’re really just getting by and not very well. We’re still trying to do business management instead of business intelligence. We need to move away from a world where we manage our business (by) running queries at the end of the quarter…and begin to have a pulse on a real-time perspective.
How much further do enterprises need to go in achieving proper corporate governance?
I think that we’re a long way off. Businesses are a long way from accepting that they need to not do business the way that they’ve always done it. I think we’re a long way from creating that paradigm shift. I would agree that business is being done the same way today despite the passage of Sarbanes-Oxley, the only thing is that you slap my hand a whole lot harder. As systems that have been in place for a number of years, if I want to manipulate the system to give you the numbers that you want I simply have to change the macros.
What can IT departments learn from Enron?
I have an incredible amount of empathy for IT. I think that they’re in an incredibly awkward situation because they’re being asked to do more with less. The biggest thing is to look at systems that will analytically predict what the likely outcome is going to be. Am I maximizing the use of my dollars by leveraging my vendors, for instance? Can I predict how long it’s worth it to put this amount of money and energy into a particular project? The key is to make sure that these systems are talking to one another so that you don’t have those silos of information. You’ve got the guy with the Excel spreadsheet, you’ve got the other person who is using a word processor and you’ve got the other guy who is using the ERP system. It’s making sure that the integrity of the data, whether coming out of SAP, Excel, MS Word, Lotus Notes, whatever – that in fact it can be intelligently read so that I can run reports that are not just based on queries. You need to make sure that the information can be available in real-time.
How do you suggest IT departments ensure their practices align with the business side?
The biggest recommendation that I can make to IT is to help them understand that the call they don’t want to get is the one from the CEO or CFO that says, “How come I didn’t know this?” I need to make sure that I have a solution in place that will take all that data and provide reports in a real-time way so I can ensure a single version of the truth. At the eleventh hour, what I want to be able to say to a CEO is I can assure you that the data you are getting will allow you to make intelligent decisions. That really is about transparency.