Thursday | 20 November, 2008
CSO
Play at Your Own Risk
As the level of risk management conducted in corporations increases, in keeping with recognition that risk must be governed across the enterprise, the CIO's role is becoming ever more important in enterprise risk management.
Sue Bushell (CIO) 05/04/2005 09:32:35

CIO's Role Critical

As the level of risk management conducted in corporations increases, in keeping with recognition that risk must be governed across the enterprise, the CIO's role is becoming ever more important in enterprise risk management (see "Running the Risk", page 51). Charette offers a number of reasons the CIO's role is critical to these endeavours.

For one, IT is central to the effective and efficient operations of almost every modern organization. If IT does not work well, Charette says, company operations will inevitably suffer. Take operational risks - those risks that are created by a company's dependence on its internal systems, processes and staff - which he says have caused measurable losses of shareholder value in several public corporations when they were not actively managed.

"Oxford Health Plans, as an example, lost close to 70 percent of its market value after its billing system failed a few years ago. In privately held or governmental organizations, operational risks are sources of higher operating costs. Therefore, how well the CIO, and by extension, his or her IT organization, manages the risks that reside therein can well determine the future viability of the corporation," he says.

"CIOs need to be - if they aren't already - extremely involved in the aggressive management of IT risks. Risk management can't be seen within the IT organization as some pro forma process that CIOs only give lip service to," Charette says.

Before the governance push of the past two or three years, many risk items were not really on the corporate agenda. Now many of these operational risks - those with the potential to affect people, profits and systems - come with legal ramifications. For instance, a significant cost blow-out on an IT project can, in some countries, be deemed a material breach that must be reported.

"It's a whole different world out there now than it was five years ago, even three years ago," Charette says.

CIOs must continually ask themselves and their project managers about the risks that the IT organization and its systems create for the corporation, and how they can best be managed.

"I think the CIO has to, like most of the senior leadership, set the direction and the tone on how risks are going to be tolerated," Charette says, "and they have to be very positive. What's the risk appetite of the organization for the IT side? What's the behaviour you want to see within the organization? How do you want people to address risk? And what are you going to do to encourage them? It is more than a matter of demanding an end to dysfunctional behaviour. You really need to define the desired functional behaviour.

"If CIOs, for instance, don't ask for the risk information and then don't act on that information when it's given to them, again, the process just becomes pro forma and no one really does it."

In addition, CIOs must fully inform the CXOs and board about any and all risks that may materially affect the corporation's finances, strategic position, competitive capabilities, reputation and intellectual property, to help them understand what is being placed at risk, and what the consequences are if these risks turn into problems.

Charette says this especially holds true for "grey space" IT risks - IT issues that do not start out as governance-related issues but can quickly turn into them. For instance, should an IT project start to appear as if it will incur a major financial overrun that will materially affect, say, the corporation's profitability, then the project becomes a governance issue. "These types of risks need to be communicated as early as possible to senior managers. At the very least, CIOs need to ensure that IT creates no surprises for senior decision makers," he says.

There are plenty of organizations with risk management processes in place - even in their IT shops - that are never used and that are allowed to have no influence on any type of decision making. It is up to the CIO to ensure risk information is identified, analyzed, communicated and most important of all, acted upon. Unless it is, there is no point in attempting ERM.

With this increased accountability, the CIO is now certainly in the hot seat concerning many corporate governance issues. The upshot is that IT risks are becoming de facto enterprise-level risks, and it is the CIO and his or her team that is responsible for ensuring that the risks are managed effectively.

At IAG, for instance, the Technology Services division is subject to Group Risk Assurance Reviews, performed in light of the technology and business environment and reassessed on a quarterly basis. Coleman says such reviews embrace "IT security, logical access controls, application development, testing/acceptance, service continuity/disaster recovery, logical controls, change control and network/infrastructure management".

"In addition, key projects - both business and technology - are subject to review depending on the risk profile of the project. These independent reviews may be in the form of risk identification workshops, project health checks or ongoing review. Some recent technology projects include our insourcing of critical IT infrastructure, changing of desktop configurations and integration of technology systems across newly acquired business. Issues or risks identified through the reviews are followed up on a monthly basis at Operational Review meetings involving the executive team," Coleman says.

"IT project and product risk are part of the enterprise view of risk management spectrum that needs to be managed," Charette says. "So the CIO is one of your most important risk managers in the corporation. If IT is really that important to the corporation then the CIO had better be managing those risks extremely well.

"Meanwhile in ERM-oriented organizations, the senior leadership tends to be focused more towards the future rather than trying to unravel past decisions. Take a look at where companies get into difficulty - the senior leadership is spending most of its time unravelling decisions that they've made. Really good enterprise risk management organizations are looking at where they're going to position the company, how to connect to the curve today; they're not spending a lot of time on trying to undo what they decided yesterday."
