In this interview, Robert N. Charette, Senior Consultant, Cutter Consortium addresses the role of the CIO and the corporate IT organization amid an atmosphere of increased corporate emphasis on risk management.
Q: In your latest Executive Report, “The Rise of Enterprise Risk Management and Governance,” you cite the increased level of risk management in corporations, and the need to govern it across the enterprise. Why is the CIO’s role so critical here?
The CIO is critical for a couple of reasons. First, IT is central to the effective and efficient operations of almost every modern organization. If a corporation’s IT doesn’t work well, the operations of the corporation suffer as a result. For instance, operational risks — those risks that are created by a company’s dependence on its internal systems, processes, and staff — have caused measurable losses of shareholder value in several public corporations when they were not actively managed. Oxford Health Plans, as an example, lost close to 70% of its market value after its billing system failed a few years ago. In privately held or governmental organizations, operational risks are sources of higher operating costs. Therefore, how well the CIO, and by extension, his or her IT organization, manages the risks that reside therein can well determine the future viability of the corporation.
Second, the recent US Public Company Accounting Reform and Investor Protection Act of 2002 (also known as the Sarbanes-Oxley Act) tightens the rules of public corporate financial reporting and, among other things, requires the CEO and CFO to personally certify the accuracy of financial statements. As an incentive to comply, Sarbanes-Oxley imposes a maximum penalty of 20 years in jail and a $5 million fine for making false statements in corporate financial certifications. This means that financial information must be both valid and verifiable. This increased accountability has, in turn, pushed the CIO into the hot seat concerning many corporate governance issues. For example, it’s the CIO’s job to ensure that risks — for example, the possibility of fraudulently altering a financial transaction — to any IT system used to produce, gather, store, or transmit financial-related data are not only being managed but that the processes to manage that type of risk are effective.
To give you a third reason, consider the UK, where the government is considering a “corporate killing” law, which would hold senior managers criminally responsible for accidental deaths resulting from actions taken by the company — say, from the operation of a corporation’s IT systems. How would you like to be the CIO of a company that makes software that is used directly or indirectly in transportation or communications systems, or in a power plant or hospital system?
What you are seeing now is that IT risks are becoming de facto enterprise-level risks, and it is the CIO and his or her team that is responsible for ensuring that the risks are managed effectively.
Q: What circumstances have caused this increased emphasis on risk management?
Several events have combined to increase the desire for better enterprise risk management and governance. We have had 9/11, which showed how unprepared corporations and their systems were for terrorist attacks. It also showed that many of the lessons learned about IT system vulnerability to extreme events from the Y2K experience were not put into regular practice.
There have been the Enron, WorldCom, Global Crossing, and several other corporate financial scandals that severely eroded the public’s trust in corporate financial reporting, as well as in their ability to behave as good corporate citizens.
There has been a surge in IT security and data privacy problems (for example, identity theft) in the last several years that has made managing these types of risks a high corporate priority.
Ever-increasing global competition has spurred IT outsourcing across the world, which brings along all sorts of new types of corporate operational and strategic risks to be managed, many of them political in nature. It will be interesting to see what corporations that outsourced to India are going to do given the recent election of a new government there that campaigned on the idea that all the high-tech work being outsourced there wasn’t necessarily beneficial to the country as a whole.
These and several other events, I think, have driven home the point to corporations that they live in an increasingly uncertain world, which requires a much better understanding of the opportunities they pursue and the risks they take on.
Q: What can the CIO do from an enterprise risk management and governance standpoint that goes beyond the purview of the typical CIO role?
Well, I am not sure what is a “typical” CIO role, but I think CIOs need to be — if they aren’t already — extremely involved in the aggressive management of IT risks. Risk management can’t be seen within the IT organization as some pro forma process that CIOs only give lip service to. CIOs need to continuously ask themselves and their project managers for the risks that the IT organization and its systems create for the corporation, and how they can best be managed.
Risks that may materially affect the corporation’s finances, strategic position, competitive capabilities, reputation, intellectual property, etc., need to be conveyed upwards to the CxOs and corporate board so that they may understand what is being placed at risk, and what the consequences are if these risks turn into problems. This is especially true of what I call “grey space” IT risks — IT issues that don’t start out as governance-related issues but can quickly turn into them. For example, if an IT project looks as if it will incur a major financial overrun that will materially affect, say, the corporation’s profitability, then the project becomes a governance issue. These types of risks need to be communicated as early as possible to senior managers. At the very least, CIOs need to ensure that IT creates no surprises for senior decision makers.