A CFO’s Relationship with CIO and Legal: Mitigating Enterprise Risk
Moderator: Johnny Lee, Principal, Practice Leader, Forensic Technology
Panelist: Marcus Delgado, Assistant General Counsel for Cox Enterprises
Panelist: Kevin Dotts, CFO of Internap
Johnny pitches the first question to Kevin, “What considerations drive enterprise risk from the perspective of the CFO? There are a lot of new things that come to you from external pressures like cyber security and regulatory change. What are the things that are presently on your radar from an enterprise risk management perspective?”
Kevin responds first by explaining that when he started at Internap, the company was hacked three months into his job. He had to work with internal and external counsel and the IT organization to figure out next steps. “I realized we had a problem, and we had no idea what we were doing,” Kevin remembers. The problem led them to work with third-party experts to:
- Assess the risk and exposure
- Figure out how to put a wall around the company from an IT perspective
- Determine best practices for IT organizations and operations to work in close collaboration
Second, Kevin advises that people need to be prepared for their board members to be going to the same events that talk about cyber security. In particular, the organization needs to recognize that these events provoke questions of management that it needs to be able to answer with some specificity.
Third, he highlights the unique infrastructure model of Internap and how it shapes what they deal with from an enterprise risk management perspective, with exposure ranging from Superstorm Sandy hitting their data centers in NY to staying PCI compliant.
“It comes at you from all different angles. Effectively what you have to do is figure out, working with the operations team and the IT organization, how to move through a crawl, walk, run scenario,” Kevin explains, pointing out that they are just starting to get to the walk stage.
Johnny expands on Kevin’s points by asking Marcus, “Cox is a privately owned company, and from the perspective of external stimuli, compliance agendas rank pretty top of mind for in-house counsel. What other categories of external influence are you getting?”
Marcus explains that a lot of the risk issues are seen first by his group. He develops this by describing that when lawsuits start coming in, the CFO usually comes in with questions asking, “Why is the risk happening, and why wasn’t the risk anticipated?” This leads to the question of who is responsible for managing risk across the enterprise, which arises in many areas, including:
- Cyber Security/Privacy – the biggest risk Cox faces right now
- IP – from a patent perspective
- Electronic Discovery
They first determine who’s responsible and why the costs are going up. The CIO’s role is to then coordinate this among his group, the finance group, and the technology group.
Johnny points out the emblematic theme that electronic discovery tends to expose institutional practices over time. He clarifies that one of the main struggles for organizations is the volume and variety of data they hold that serve no statutory, legal, or business purpose.
“If the haystack is already out of control, looking for the needle becomes a pretty expensive effort,” Johnny concludes.
“How do you look inward once you have some mandatory stimulus that requires you to review a compliance problem, privacy issue, or cyber security mandate? How do you begin to corral the internal resources?” Johnny asks.
Kevin suggests that they don’t quite have it all figured out, as they are still in the crawl-to-walk stage of this scenario. Two and a half years ago they were working on moving their email platform backup to the cloud. Two years later, this led to an out-of-hand discovery process with external counsel because of the amount of email data. “You have to figure out what the best balance is in your business, and have something that is a little more moderate and efficient that still meets the key holes,” he advises. The people involved in determining this are the CFO, IT, CIO, and eventually the audit committee.
Marcus complements Kevin’s statement with a quote he read, “Dance like no one is watching and email like it will be read aloud in a deposition.” When electronic discovery began to get out of hand, Kevin’s company began a concerted effort to solve the problem in-house and create best practices. Compliance created a records information management system (“RIM”) for the entire organization. This RIM system created a schedule for how long you should keep data and tracked all of the data purged, including both paper and electronic data. He stresses that getting your electronic discovery, data, and management in a good position is something that companies need to do.
Understanding that over the last twenty years it has been less expensive to buy more storage (rather than embrace a records management system), Johnny reinforces Marcus’ point that curing this data problem does not have a self-evident ROI. He asks Kevin, “How does a CFO rationalize the spend when looking at enterprise risk?”
“You cannot quantify an ROI immediately; it is a little bit more of a judgment call on making the investment,” he points out. Kevin emphasizes that you have to look at balancing the infrastructure, provisioning to what your customer needs first and then your shareholders.
Johnny directs to Marcus, “How do you balance questions from the enterprise where you know you are being asked partially from a business aspect and partially from the legal perspective? How do you separate those two agendas?”
“I like to think of myself as a business partner, and we are engaging in a business discussion about what is associated with the nature of the risk,” Marcus declares. His goal is to always keep his legal hat on in discussions and ensure that the conversations are always privileged. This allows the CFO to have the opportunity to make decisions and ignore him if the decision will not get the company in huge legal trouble. It is important to take the legal language and put it into business speak so that the CFO can understand and manage that risk properly.
Johnny asks both panelists to expand on their roadmap for implementation, “How do you decide what aspects should be retained in-house? Is there a calculus for deciding on which things your organization will be excellent in-house, which things to co-source, and which things are best left to an outsourcing arrangement?”
Kevin decides by simply asking, “Is this in our genetic code or is this something that we are learning?” which points them to whether they should use internal or external resources. Being a relatively lean company, they typically choose to leverage best practices from the outside to help educate them internally.
Marcus describes how Cox has shifted from mostly outsourcing to doing internal calculations and bringing more in-house.
Supporting Marcus’ point, Kevin expands by saying they play to their strengths by leveraging strategy and knowledge base externally, but perform most IT in-house.
Johnny highlights the inherent risk involved in this, “Once your personnel comprehend how truly valuable they’ve become with this niche skill, they must be difficult to retain. How prominently does that figure into the math as you try to hold on to these in-house resources?”
Historically, Marcus felt that they did not take this into consideration as much as they should have. This is where a CIO is extremely valuable because they are used to dealing with this issue.
Kevin explains how they decided to use a third-party provider after going through the process of bringing someone on in-house to strategically work at the security engineering level. After one year that person left, and they were left with a security engineering issue. Working with a third party allowed them to bring in an IT security strategy and only buy engineering when they need it.
Following up, Johnny asks, “Where does the insurance factor into this?”
Kevin picks the cyber security insurers by leveraging another third party that does benchmarking to look at:
- The industry they are in
- Size of their company
- Where they fit in the middle of the pack
“At Cox, is the legal function involved in the acquisition or analysis of a particular insurance policy?” Johnny asks Marcus.
Marcus explains that the legal department, along with the risk management group, is mainly involved in the acquisition of insurance for Cox Media Group, which owns a lot of media entities. He qualifies that statement by pointing out that they also deal with a lot of patent litigation, which is uninsurable because the risk is not quantifiable.
Johnny inquires, “How often do you revisit the market analysis for changes?”
Cox has an entire risk management group that handles insurance claims and makes them aware of changes regularly.
Internap revisits it no less than once per year, and it also relies heavily on leveraging third-party brokers throughout the year for special projects.
Johnny pivots the topic over to third-party relationships with key vendors and suppliers, asking Marcus, “Is the legal function involved when a new sizable supplier is signed on?”
Expressing that the legal function is contemplated, Marcus gives the example of how when a new vendor is brought on, it usually starts with the technology or procurement group, and those groups immediately engage legal at the RFP stage.
Directing a related question to Kevin, Johnny asks, “What other considerations are red flags for you?”
Kevin conveys that they hired someone to bring in best practices to the procurement situation, which led them to have a more professional approach compared to where they were four years ago. “We have a diligent and standardized process to vet vendors legally,” he states.
“You need a lot of trust between legal, CIO, and the CFO, where everyone works with one another well. If that doesn’t take place you wouldn’t be able to spot certain problems that come up,” Marcus concludes.