TWO RECENT movements are forcing companies to look at what is called operational risk management (ORM). The first and probably most important is the reaction by the United States to internal financial scandals involving companies such as WorldCom and Enron, as well as those from outside the country involving Barings Bank, Allied Irish and Parmalat. The second influence on ORM is a desire by the American government to track the finances of organisations it believes may be tied to terrorist groups. Pierre Noel, chief executive of Arial Group Asia Pacific, said this concern would force companies to look at the services he had to offer which could save them large sums of money if they implemented their risk management intelligently. The biggest burden on companies today is the Sarbanes-Oxley Act in the US. Mr Noel said that nowhere in the law was the word technology used, yet it was almost all about technology. 'Sarbanes-Oxley focuses on finance. You must make sure that only those who are supposed to have access to financial data actually have access to it. If anybody else accidentally or intentionally accesses your financial data, you must notify the [US] government within four days,' he said. None of this can be done without technology, so there is a follow-on effect in the IT world. Some companies are making a great deal of money using what Mr Noel called 'scare tactics'. 'It is just like Y2K back in the 1990s. A lot of people did not quite understand what it was all about, so instead of finding out they simply paid the going rate for experts to come in and 'fix' their computers. Back then, some people made a lot of money and the same thing will happen now with these new anti-corruption laws,' he said. The biggest problem is probably the unintentional consequences of Sarbanes-Oxley. A Hong Kong company not listed on the New York Stock Exchange might think it is safe from prying eyes. If this company decides to buy a small outsourcing company in Bangalore, for example, it might discover that it must now conform to Sarbanes-Oxley because the company in India is doing the pay roll for a major US firm. 'We have seen a number of deals fall through recently because some of the participants did not like the idea of all that scrutiny,' Mr Noel said. He said that on a recent trip to the US, he saw some interesting advertising on television. Because all financial records must be kept for several years, some of the disk storage companies had been broadcasting messages intended to frighten management. The result was that lots of storage solutions were being sold. 'The fact is, however, you do not have to save everything,' he said. 'There are intelligent ways to go about this. It must be remembered that Sarbanes-Oxley is about financial data - nothing else matters.' For one of Mr Noel's customers, complying could have meant shelling out more than US$10 million. The company had 100 IBM AS/400 computers, each costing about US$500,000. The auditors told the company it had to turn all the security measures on. A lot of the measures were turned off because they slowed down processing time by as much as 20 per cent. To maintain the same computing power, they would have had to buy another 20 computers. By working out what could be turned off without reducing security, Mr Noel was able to save them a lot of money. 'We bring a certain amount of sense to all this,' he said.