The Elephant in the Server Room: Confronting the Need for an Ethics Officer in the IT Function

IntroductionOrganizations tend to view governance, risk management, and compliance (GRC) as an overhead but a poor economy increases the likelihood of fraud, bribery, and corruption for individuals beyond the pressure of reaching often unrealistic organizational targets. Governance is the process by which policies are set and decision-making is executed; risk management ensures that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond that which creates an unacceptable potential for loss; and compliance is the process of adherence to policies and decisions. The massive public failures in GRC around the globe in recent years as evidenced by Enron, WorldCom, Fannie Mae, Freddie Mac, and Lehman Brothers mean that organizations and employees are under increasing pressure to conduct their business operations not only effectively and profitably but also ethically-and be able to prove it to regulators, in the courts, to the press, and to the public. The risks associated with inappropriate ethical behavior have grown in number, likelihood, and severity. Ensuring ethical behavior among employees can gain organizations the goodwill and trust of their stakeholders and clients, avoid unfavorable publicity, and protect them and their employees from legal action. Although the importance of ethics in IT has been recognized for several decades in the IT field, to date very little consideration has been given to the need for an ethics specialized role dedicated to the IT function. At the same time, the broader culture within a country influences its business culture that in turn influences organizational cultures as well as its legislation, which impacts how ethical behavior in organizations is viewed and promoted.In this paper we argue for such a specialized role in IT in the form of an ethics officer using the U.S. as point of departure. To this end this paper is structured as follows: first, we provide a brief overview of the drivers for initiatives to promote ethics in organizations. Second, we examine the reasons why ethics in the IT function in particular is of especial importance to establish and maintain an ethical culture in organizations. The paper concludes with our argument that an Ethics Officer in the IT function is needed to contribute to an ethical culture in an organization.Promoting an Ethical Culture in OrganizationsSo why is ethics so important to organizations today? In the United States, Chapter 8 Part B of the 2005 Federal Sentencing Guidelines entitled Remedying Harm From Criminal Conduct, and Effective Compliance and Ethics Programs (U.S. Sentencing Commission, 2005) necessitates an effective compliance and ethics program which should be "designed to prevent and detect criminal conduct." It notes that this particular section is in response to section 805(a)(2)(5) of the Sarbanes-Oxley Act of 2002 (U.S. House of Representatives, 2002) in which the U.S. Sentencing Commission is directed to "review and amend, as appropriate, the guidelines and related policy statements to ensure that the guidelines that apply to organizations in this chapter 'are sufficient to deter and punish organizational criminal misconduct.'" The Sarbanes-Oxley Act (or SOX for short) is a U.S. federal law enacted in 2002 as a reaction to a number of major corporate and accounting scandals such as Enron and WorldCom. Then President George W. Bush, who signed it into law, called the legislation "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt" (quoted in Bumiller, 2002). Sarbanes-Oxley also has implications not only with respect to U.S. organizations' IT function but also for non-U.S. businesses that are listed on U.S. stock exchanges (see for example O'Conor, 2005; Anand, 2008).Apart from U.S. legislation effecting organizations in and outside the U.S., there are also national legislation and/or regulation that pertain to organization's ethics (or lack thereof. …