The Elephant in the Server Room

Abstract

IntroductionOrganizations tend to view governance, risk management, and compliance (GRC) as an overhead but a poor economy increases likelihood of fraud, bribery, and corruption for individuals beyond pressure of reaching often unrealistic organizational targets. Governance is process by which policies are set and decision-making is executed; risk management ensures that important business processes and behaviors remain within tolerances associated with those policies and decisions, going beyond that which creates an unacceptable potential for loss; and compliance is process of adherence to policies and decisions. The massive public failures in GRC around globe in recent years as evidenced by Enron, WorldCom, Fannie Mae, Freddie Mac, and Lehman Brothers mean that organizations and employees are under increasing pressure to conduct their business operations not only effectively and profitably but also ethically-and be able to prove it to regulators, in courts, to press, and to public. The risks associated with inappropriate ethical behavior have grown in number, likelihood, and severity. Ensuring ethical behavior among employees can gain organizations goodwill and trust of their stakeholders and clients, avoid unfavorable publicity, and protect them and their employees from legal action. Although importance of ethics in IT has been recognized for several decades in IT field, to date very little consideration has been given to need for an ethics specialized role dedicated to IT function. At same time, broader culture within a country influences its business culture that in turn influences organizational cultures as well as its legislation, which impacts how ethical behavior in organizations is viewed and promoted.In this paper we argue for such a specialized role in IT in form of an ethics officer using U.S. as point of departure. To this end this paper is structured as follows: first, we provide a brief overview of drivers for initiatives to promote ethics in organizations. Second, we examine reasons why ethics in IT function in particular is of especial importance to establish and maintain an ethical culture in organizations. The paper concludes with our argument that an Ethics Officer in IT function is needed to contribute to an ethical culture in an organization.Promoting an Ethical Culture in OrganizationsSo why is ethics so important to organizations today? In United States, Chapter 8 Part B of 2005 Federal Sentencing Guidelines entitled Remedying Harm From Criminal Conduct, and Effective Compliance and Ethics Programs (U.S. Sentencing Commission, 2005) necessitates an effective compliance and ethics program which should be designed to prevent and detect criminal conduct. It notes that this particular section is in response to section 805(a)(2)(5) of Sarbanes-Oxley Act of 2002 (U.S. House of Representatives, 2002) in which U.S. Sentencing Commission is directed to review and amend, as appropriate, guidelines and related policy statements to ensure that guidelines that apply to organizations in this chapter 'are sufficient to deter and punish organizational criminal misconduct.' The Sarbanes-Oxley Act (or SOX for short) is a U.S. federal law enacted in 2002 as a reaction to a number of major corporate and accounting scandals such as Enron and WorldCom. Then President George W. Bush, who signed it into law, called legislation the most far-reaching reforms of American business practices since time of Franklin Delano Roosevelt (quoted in Bumiller, 2002). Sarbanes-Oxley also has implications not only with respect to U.S. organizations' IT function but also for non-U.S. businesses that are listed on U.S. stock exchanges (see for example O'Conor, 2005; Anand, 2008).Apart from U.S. legislation effecting organizations in and outside U.S., there are also national legislation and/or regulation that pertain to organization's ethics (or lack thereof. …