CIOs have learned to handle business continuity, information security, and project management. Many have learned to continually raise the bar on their performance in managing these risks, improving success rates for IT projects, managing outsourcer relationships with increasing skill, and bringing business managers into the business-continuity planning process.
Risk management was not in the top ten business drivers for enterprises two years ago. But in Gartner’s 2003 CIO survey it rose to number four. Some things have certainly changed in the past 12 to 18 months!
New IT risks are largely external
The change appears to come from new kinds of risks: terrorism and anti-terrorism campaigns, executive criminality, the rising incidence of identify theft, the interconnection of businesses, and IT failures.
Think about it… Terrorist attacks raised the perceived potential for catastrophic damage. Large companies have failed because of massive executive criminality. There is a rising incidence of identity theft, and thefts of databases containing sensitive personal information. And anti-terrorist mass surveillance programs have made consumers fear for their personal security and privacy – often with good reason, as we have seen in the past months with extensive airline customer information being shared with the military in a way that I expect few customers ever imaged.
Almost every aspect of business operations, in almost any business of any size, now depends on IT. So no matter which of these risks is under discussion, the CIO is involved in efforts to manage it. The indictment of US HealthSouth Corporation’s CIO on felony charges under the Sarbanes-Oxley Act in April 2003 shows exactly how involved a CIO can be.
Risks need to be identified, examined, then managed. To identify risks, start by sketching out enterprise-level scenarios. What will our strategies lead us to do? How will we do it? What might happen if we do that? What might cause us not to do it as well as expected? How will markets, competitors and regulators react?
With new risks at the enterprise level identified, the next step is to see how the enterprise’s practices and activities contribute to these risks. Ask senior managers to identify the most important risks and potential consequences they see in the business processes they are involved in.
Mitigating risk with IT
Given the high awareness of risk by executives and boards of directors, it’s the right time for the CIO to take action to mitigate risk with technology. Audit trails, including those related to electronic document access and modification, must be absolutely secure from manipulation and evasion.
As of July 2003, the U.S. Database Security Breach Notification Act (California) requires that certain customer identification and account information is stored in encrypted databases. CIOs should assume that this law will apply to all U.S.-based businesses within three to five years, and plan accordingly.
The accuracy of corporate systems must be ensured to comply with new regulatory environments, such as those created by the US’s Sarbanes-Oxley, the UK’s Turnbull and Europe’s Basel II. Frequent, regularly scheduled testing is the best means to ensure the integrity of transaction- processing systems. Monitor access to systems that contain critical data, and publicize the fact that monitoring is done. Set explicit policies for retaining and managing electronic documentation, including spreadsheets, e-mail, word-processing documents and anything else that contributes to management decisions and reporting.
Both Turnbull and Sarbanes-Oxley demand that issues affecting corporate performance be reported to stockholders immediately. Business intelligence (BI) systems help to quickly identify such issues.
Use external organizations to monitor risk
Responsibility for many risks can’t be outsourced, but often the day-to-day administration can be. As an example, under Sarbanes-Oxley, “whistle-blowers” must have a clear path to report problems directly to the board of directors, without review or interference by any level of management.
It’s trust, not contracts or monitoring, that provides the best protection. The best defense is to entrust the most important information only to trusted partners, specify via contracts and service-level agreements how the information is to be handled (for example, “proprietary intellectual property may not be disclosed to third parties for at least five years”), and monitor and measure to assure compliance.
Where to from here? Acknowledge the new IT risks in your enterprise. Educate your peers and your team about them. And prepare to take a leading role in mitigating, transferring, accepting and avoiding these new risks.
Dr. Marianne Broadbent is Group Vice-President and Gartner Fellow, Gartner’s CIO Executive Programs.