Adventures in risk management

By Jan Mattingly

Leading public sector organizations around the world have formally concluded that managing risk means continuous management of uncertainty in dynamic environments, not just management of adversity. And who knows more about uncertainty than a CIO, a leader constantly working in the face of change?

So…here you are. Your organization is making headway in some areas on managing risk in a couple of key projects. Maybe you’ve got modified types of shared service arrangements in place that shore up your budget. You might even have a game plan in motion for advancing common infrastructure or Web content management. The internal auditors may have been by to discuss their risk observations. Certainly you understand that you need to move your technology organization from service delivery to management. It’s a plateful for any CIO – never mind the horizontal initiatives you’ve committed to in your business plan. Add a little daily firefighting and it’s a “dynamic” mix that would set knees to knocking in any seasoned executive.

So what are your priority risks? How do you know where to focus your efforts in managing uncertainty as you advance your business plan? Where should your business continuity focus lie?

If you’re like most CIOs in Canada, you may use a combination of intuition and information to answer these questions every day. Risk information for CIOs is typically developed by a variety of staff using a variety of risk approaches. What’s more, the risk information you receive likely won’t be rolled up in a way which helps you to readily identify the uncertainties that matter most in relation to your objectives. If there’s a link between priority risks and business continuity plans, it may be intuitive or informal.

In addition, the information you receive likely won’t help you identify opportunities to enable you to leverage or innovate with the dollars you have. So how can you realign your current risk approach to ensure you’ve got the best business value?

To answer the question, let’s look at three common challenges in managing CIO risk:

Challenge #1: Understanding the true meaning of “risk”

The surprising thing about risk is that the public sector has, over the last quarter century particularly, imputed incorrect meaning to the word “risk” itself. The term is commonly traced to the early Italian word “risicare,” which means to dare. Who knew?

The root meaning is not “to control” or “to avoid,” as some public sector risk processes and policies might suggest. The term is neutral, but it implies action. If you are a lateral-thinking, energetic, focused CIO, this definition will feel comfortable.

If you put the term “risk” in the right perspective, then, figuratively speaking, audit, safety, security, privacy and quality risks are only “towns” along the road in a CIO’s journey to the “city” of effective risk management. Most organizations stop here and get bogged down by labour-intensive risk processes of questionable value. Were they to carry on, they would find other stops along the journey of uncertainty, including issues, opportunities, and ethical and strategic risks. John Weigelt of Treasury Board Secretariat recently touched on this broader view of risk in a discussion of threat risk in the August issue of CIO Governments’ Review.

Resources to help:

For sample neutral definitions of risk refer to

Challenge #2: Finding value in risk information

So assuming you take a broadened view of “risk” how can risk information substantively add value to the objectives in your business plan as a CIO and help you capture the power of risk?

Your challenge as a leader is to send this message to your staff and managers whose job it is to support your decision making:

Risk information helps me to manage uncertainty. I need to know that you’re developing this information in a way that:

– Helps me to continually understand the priority risks in relation to my objectives;

– Is consistent across all of my projects and functions;

– Enables me to identify opportunities to enhance our objectives; and

– Directly links to our performance measures.

Regularly issued, summarized priority risk reports (your organizational risk profile) are only one means of securing ongoing support for management decisions.

Resources to help:

For a sample international best practice risk management process: AS/NZS 4360 (since superseded by ISO 31000)

Challenge #3: Internal Risk Dialogue

A third challenge for a CIO in managing risk is a recent horizontal management initiative across many provinces and in the federal government, often known as Integrated (or Enterprise) Risk Management or IRM. At its simplest level, IRM is a formal modern management requirement which:

– Requires you to communicate the priority risks from your area to your executive colleagues for their awareness; and

– Enables you to receive information about the priority risks of your colleagues from their areas of responsibility to enable you to understand any impacts (positive or negative) to your organization that may result.

This continuous risk dialogue is meant to promote awareness of major risks among the executive management team as a key means of decision support collectively and for you as CIO. It’s a lofty goal; integrated risk management is proving challenging to implement federally.

In reality, every group of public sector executives discusses risk and has done so for years, whether or not “risk issues” appears as an agenda item. What’s new or different about IRM is its intent: When you speak of priority risks as a team, you have agreed on a common understanding of what risk is and used a consistent approach to consider risk throughout the organization in relation to its objectives.

Resources to help:

For a sample view of horizontal risk communication requirements:

In summary, there are a myriad of complex risks that come from static risk sources such as resource pressures and broad mandates, and from dynamic risk sources such as emerging threats, collaborative service arrangements and new public service demands. To help sort through the swamp of details and continually focus on the risks that matter most, CIOs will need:

– To take a broad view of risk, which includes adverse and positive uncertainty (risks and opportunities) as well as issues. Define uncertainty formally and simply for your organization;

– To ensure that information developed uses an objective-centric approach: what risks, issues and opportunities could/will impact our business or service objectives? Be mindful of process-bound methods that can use up valuable resources and provide little business value in return;

– To build a culture that recognizes the value of formal and informal risk management and teaches managers how to scale between the two. Staff should be able to determine when a more formal approach to managing uncertainty is warranted. This recognition will promote a leaner, less onerous risk process; and

– To become an effective communicator of risk. Include risk information as part of your decision rationale in major activities, from resource allocation to business planning.

In and of itself, risk information is no substitute for strong leadership vision and direction. Good, balanced, risk information only makes strong leaders stronger.

Jan Mattingly is president of Ottawa-based RiskResults and a certified risk management practitioner specializing in public sector risk management. She is chair of The Risk Management Forum.

Buy better: A primer on collaborative service arrangements

Collaborative service arrangements are rife with uncertainty. As CIO, your goal is to ensure that you will have a solid appreciation – in terms of return on investment – of risks and rewards. In collaborative service arrangements, risks are typically associated with third party services. This, however, is an incomplete view.

There’s another key aspect to risk in collaborative service arrangements. It starts near the beginning of the procurement process: Disclosure of risk information between potential parties to a contract. There are tremendous opportunities throughout the procurement effort, starting with the RFI or RFP stage, to engage bidders in a better discussion of risks, issues and opportunities.

For example, in the recent past in Canada, the best risk management effort in complex or multi-year procurements has usually resulted in an approach which includes these key elements:

1. Bidders are asked to describe how they would manage specific risks in a listing of “identified major risks;”

2. Bidders may be asked to identify some other relevant risks;

3. Bidders may be asked to describe how they would manage risk over the life of the contract;

4. Contracts may take a contractual risk-transfer approach to managing risk, by including clauses on limitation of liability, indemnity, hold harmless and insurance requirements, among other items; and

5. Bidders may be asked for business continuity plans and issue/problem escalation paths.

Through all this, bidders receive a clear message that managing risk is important to you. Other questions remain, however: Do they understand that you take a broad and integrated view of uncertainty in the arrangement, so that all sections reflect a profile of procurement risk as well as your tolerance for risk in the service arrangement? Is it clear to a bidder what the public sector commitment or capacity is to continuous management of risk?

This amounts to a missed opportunity for public sector technology managers who need to reflect a consistent definition of risk in broad terms and use an RFP to convey – in summary form – risk sensitivities and expectations. Put another way, this is a missed trust-building opportunity – a key pillar of collaborative arrangements.

Building trust in any relationship involves disclosure – not just once, at the award of a contract, but continuously. Ongoing disclosure of priority risks, issues and opportunities sets the stage for program success, but it requires active public sector involvement in (a) ensuring that both parties continually identify and manage uncertainty, and (b) escalating and communicating risk as an ongoing means of “managing the business.”

Such a climate in your next collaborative service arrangement could have several benefits:

1. Active dual (public-private sector) risk management could result in better outcomes: fewer crises, less lost productivity, improved leveraging of opportunities and better informed stakeholders;

2. Calmer, better-informed procurement legal counsel; and

3. Engaged management of uncertainty at the program level, which also helps to avoid negative program risk events that contribute to project failure, such as deteriorating governance structures.

Model A shows a sample paradigm of how to start to shift the tide in managing uncertainty in collaborative service arrangements. The model is particularly relevant for CIOs who understand that they need to increasingly move their operations away from service delivery to an ITIL-based service management approach.

– Mattingly