Blackouts, terror attacks, financial frauds, earthquakes and viruses (both biological and electronic) are just some of the high-profile crises and disasters that have befallen organizations around the world in recent years. The devastating outcomes and recovery costs from these events have firmly placed the concept of risk management at the top of the agenda for many organizations, a situation that presents both challenges and opportunities to CIOs.
Contingency plans, remote servers, sophisticated IT security applications, technology for a mobile and flexible workforce, backup systems and secure networks are baseline practices in risk management. Unfortunately, as many CIOs can attest to, simply deploying and managing these solutions as a risk management practice is not enough.
Today’s CIOs are expected to play a broader and more strategic role in the organization including developing risk management practices that extend beyond the CIO’s traditional IT domain. The CIO is now expected to advise the CEO, board members and extended management on other aspects of the organization and understand the various types of risk: risk inside the IT operation, risks in the use and deployment of technology, risks facing the broader organization, and strategic risk taking. And for those who don’t recognize this changing reality, anecdotal evidence abounds of CIOs being replaced by non-technical executives with a better understanding of the big-picture issues such as corporate governance, compliance and risk management.
The conclusion is clear – in the 21st century, CIOs need to be leaders not followers. They need to look outside the narrow function and tactics of being a low-profile IT caretaker. They need to harness the power of technology across the organization to reach a higher level of risk management, operational excellence and competitive advantage. In short, they need to become risk intelligent CIOs.
RISK AWARE VS RISK INTELLIGENT MANAGEMENT
But first things first, let’s define risk and risk intelligence and identify the difference between risk aware management and risk intelligent management. By definition risk is the potential for loss or the diminished opportunity for gain caused by factors that can adversely affect the achievement of an organization’s objectives. As we all know risk comes in many forms, presenting both opportunity and peril. Poorly managed, it allows a security breach by a hacker or disgruntled employee to expose an organization to potential loss and liability. Effectively addressed and leveraged, it provides IT infrastructure to support, for example, the treasury group in managing currency risk or support to the chief audit executive by providing systems to aid internal audits and control.
Risk can be characterized as ‘unrewarded’ or ‘rewarded’. Unrewarded risks usually bring no benefit to an organization. For example, managing risks affecting IT system availability, integrity of financial statements or compliance with regulations generally offer little or no reward even if properly managed. By contrast, rewarded risk-taking can sometimes offer substantial benefits to the organization. For example, well-managed risks associated with new technologies, products, markets, business models and acquisitions can result in increased profitability and market capitalization. This dual approach to risk is also what differentiates between risk awareness and risk intelligence. Unfortunately, more attention is usually given to managing the former type of risk.
Becoming a risk intelligent CIO means devoting attention and resources to (1) managing risks that directly apply to the IT department; (2) applying technologies across the organization to help other groups identify and manage their risk and; (3) playing a true executive role in understanding how it all comes together on an enterprise-wide level.
THE ROAD TO RISK INTELLIGENCE
The first step in becoming a risk intelligent CIO is to approach the position as that of a true C-suite executive who has an all-encompassing strategic view of the organization beyond the IT department. A risk intelligent CIO is also concerned about the business and operational issues facing the organization and not solely focused on running IT systems and ensuring data security.
The following are seven steps to becoming a risk intelligent CIO:
• Start by taking small steps. Before you expand your attention to the overall organization, assess your department’s current state of risk management. How costly is your existing risk management process? Are the people involved with risk management efforts satisfied with the existing processes? Do you know your department’s risk profile or tolerance for risk? Is that in step with your organization’s overall risk profile?
• Prioritize based on impact. After determining your department’s risk management maturity level, begin to prioritize by focusing on the low-hanging fruit, i.e. the most attainable initiatives that have the highest impact on the business. Performing a business impact analysis will help identify those areas that have the potential to generate the most impactful business benefits.
• Automate controls. Automation and consolidation of processes and systems not only enables the CIO to hold compliance and other costs at bay, but also offers the merits of fewer human errors and easier testing and verification.
• Assign and align user profiles. Develop and customize user system profiles that can specify and deliver the information that is appropriate to each role. Customizing access in line with roles and responsibilities provides better control over information as well as allowing for the efficient delivery of relevant information to those making business decisions.
• Improve information governance. Examine the IT strategies, procedures and technologies necessary to meet your organization’s information needs. In the process of improving information quality, you may find yourself facing some resistance which is natural when introducing new tools, procedures and controls. To overcome this barrier, consider deploying ‘soft’ tactics such as tools to monitor data quality behind the scenes.
• Align IT assets with broader risk management needs. On the journey to becoming a risk intelligent CIO, you should abandon the somewhat natural reflex to focus on the risks facing your own personal unit and broaden your perspective to the overall risk needs of the organization. Next you should work with other unit leaders to devise the most efficient and effective IT response to meet those needs.
• Keep it simple. One of the side-effect of Sarbanes-Oxley was a rush to deploy new and often unnecessary processes and controls. Now, that a few years have passed it is time to weed out complexity and redundancy by eliminating and simplifying controls.
Overall, the risk intelligent CIO must harness technology to embed risk management into the organization’s day-to-day operations. This requires work to instil a common language to talk about risk, and the common metrics to measure it. It also means working in active partnership with other CxOs and executives in the organization’s business, risk, finance and other functions, eliminating silos within the organization and adopting a risk rewarding approach. In becoming a risk intelligent CIO who promotes a risk intelligent organization, CIOs can improve the fortunes of the entire enterprise, those of their IT department as well as their own professional growth and advancement.
Eddie Leschiutta, CA, CISA, is the managing partner of Deloitte’s Enterprise Risk practice in Canada. He specializes in the review of large complex systems, provides audit and risk management consulting services and is a Certified Risk Professional. [email protected]
SIDEBAR: Measuring your risk intelligence profile — a self-assessment quiz
Are you a risk intelligent CIO? Take this test to determine how well you qualify. Score 1 point for “yes” answers and 0 points for “no” answers.
1 Recognize (and strive to influence) your enterprise’s highest strategic priorities?
2 Understand IT’s role in the organization as a whole?
3 Help develop an integrated view of the risks facing the entire organization, not solely the IT department?
4 Assess how prepared your organization’s systems are to withstand different types of risks and impacts, and develop ways to improve that resiliency?
5 Understand the relevant laws and regulations your company needs to comply with?
6 Align IT assets with compliance priorities?
7 Check for any potential redundancies or needless complexities in existing systems caused by the traditional fragmented organizational structure?
8 Know what your peers within and outside your industry are doing in terms of innovative risk management practices?
9 Focus on reducing regulatory compliance costs through automation, standardization and consolidation?
10 Continually improve your organization’s capabilities to develop, produce, and deliver information with better solutions, processes and systems?
11 Believe that if you could design your risk management program from the ground up, you would still do things the way you do them now?
12 Know how much risk management is costing your organization today, and have projected costs for the quarters and years ahead?
13 Know how to measure the return on your investment in integrated risk management organization-wide?
14 Know how to make the case that the return on investment justifies the cost?
15 Know the drivers and timelines of future risk?
14-15 points: Your risk intelligence borders on genius!
10-13 points: Your risk smarts are in the upper echelon, but a little more study couldn’t hurt.
6-9 points: You are smack in the middle of the pack. More schooling needed.
0-5 points: Your organization is at risk and you need to be part of the solution. Immediate remedial work required!