The Rogers executive, who has been in his role for just a few months, said his team is already in the process of baking risk management goals into an individual employee’s performance evaluation. The process, which he said will probably take another 12 months, will attempt to make business managers and other senior employees look at business risk in the same way they would look at their own house or car.
The risk team is trying to build something that affects people personally “and in their pockets,” he added.
Singh was speaking at an IT World Canada event aimed at helping CIOs and senior IT directors revamp their risk management strategies. The tip was just one of many he dished out for IT departments looking to present a more effective risk management strategy to the telecom giant’s business leaders.
In addition to making risk more personal, Singh is looking to add security and risk checks at nearly every level of the business to better align the company’s various silos. “What does risk mean to HR, legal, IT, the PMO?” he said.
For Rogers, this means embedding risk managers into the business units themselves to ensure security and risk concepts are being discussed at the inception stage of the company’s internal and external projects. These managers will also be able to more effectively craft risk training programs for their departments to avoid the dreaded “one-size-fits-all” approach.
On that front, he advocated for continual, “in your face” risk training of end-user staff, as opposed to the “once-a-year” meeting that does little to drive home the importance of the subject.
Also in attendance at the event was Paul Saxton, executive consultant and practice leader at IBM Canada Ltd.’s business continuity and resiliency services unit. He said IBM recently polled more than 500 management-level executives worldwide and discovered a huge gap between IT and the c-level suite regarding risk concerns. Saxton said “85 per cent of folks in IT are very concerned over risk,” while that number only reaches 35 per cent when it comes to top business execs.
“That’s a big disconnect in terms of gaining sponsorship,” he said.
Other areas of concern for Saxton include organizations overestimating their risk management strategies when assessing themselves and the dominant tendency for organizations to implement reactive strategies as opposed to proactive plans.
For Singh, the key to overcoming this struggle to sell business opportunity to the “c-suite” is to bring in risk managers that can take “quantitative risk analysis” and repackage it into something business leaders understand. He said this means looking for candidates who not only have an understanding of IT risk concepts, but also superior communication skills.
“They need to always look at the business objectives that the organization won’t meet if the risk comes to fruition,” Singh added. This might also help IT leaders gain a couple of “champions” among the business unit, which, in turn, will help spread your risk strategy even faster.
Saxton agreed on the importance of spreading people across silos who can translate risk factors into easy-to-communicate business consequences.
“When you talk to the c-level, you have to communicate in small words, speak slowly and use lots of colourful pictures,” he joked.