After its 22 August outage, NASDAQ OMX Group stated it “will work with other exchanges that are members of the SIP to investigate the issues of today, and we will support any necessary steps to enhance the platform.” (The SIP is the Securities Information Processor that consolidates and disseminates all prices for the industry.) US Securities and Exchange Commission (SEC) Chair Mary Jo White stated, “As one step, I will work to advance rules that the Commission proposed earlier this year regarding new standards for the trading and other systems that are central to the integrity of our markets.”
Many details have yet to be published, but the critical question for anyone involved is whether the right lessons have been learned.
During the trading-restoration period, NASDAQ was reported to be working hard to ask all the right “What if?” questions before trading resumed. This is excellent, exactly what it should have done, and the reopening went smoothly. Yet one wonders to what extent it asked “What if?” before the risk materialized, just as so many companies have wished they had done after a “bad thing” occurred.
As many companies have found, attempts to rely on controls (other than for malicious situations, such as fraud and hacking) tend to be excessively costly, give a false sense of security, debilitate organizations, and dangerously distract. This is especially the case when managing systems that cross organization boundaries, as with financial markets. At the extreme, consider how loss of human life occurred during both the BP Texas City and BP Deepwater Horizon explosions on the same day awards were presented for safety compliance.
The National Association of Securities Dealers (the original parent of NASDAQ) and ISACA are both 40 years old. Over those decades, changes to ISACA’s COBIT have reflected the understanding that controls and audit are not the best path to better-performing information technology. Continually improving processes in a system increases quality and decreases risk. COBIT 5 has made the transition to focus on better management practices. This is in line with management thought leaders such as W. Edwards Deming, who have emphasized quality management over (often futile) attempts at quality control.
The challenge confronting the SEC, NASDAQ OMX Group, other financial institutions and, truly, any company is whether to follow the path of better management practices or to shoulder the burden of misguided controls. As an ISACA member, I am pleased that the SEC chose to mention COBIT as a publication reviewed by its Automation Review Policy staff in preparing the Proposed Rule “Regulation Systems Compliance and Integrity.”
Yet I am sorry they seem to have missed the lesson we have learned. The proposed rule mentions “control” more than 80 times and “audit” nearly 50 times, but it mentions “scenario,” the very heart of risk management, only five times. Further, the proposed rule relies heavily on the notion of events. While events might be convenient for backward-looking insurance claims after the “bad thing,” the real world is not that simple. In the messy, complex and changing real world, situations cascade from lurking root causes. Forward-looking management of risk emphasizes scenarios to evaluate risk and good management practices to respond to risk at its cause. Yes, controls are useful, when they are the right tools for the job.
ISACA members and certification holders can find a teaching moment in NASDAQ’s woes and next steps. If you are a risk management professional, your opportunity is to share COBIT 5 guidance on using better management practices, tailored to your organization, to more easily manage risk to business objectives. If you are an auditor, your opportunity is to evaluate the extent to which risk management teams understand COBIT 5’s practical lessons learned, rather than just applying more costly control bandages.
Principal, ValueBridge Advisors