5 Things You Need to Know About Risk Management
Instead, learn to be a "risk intelligent" CIO who can help your organisation wisely take - and profit from - risks.
1. Get your own house in order first
You should certainly identify and plan for events that can affect your ability to provide a stable, available, protected, and recoverable technology infrastructure. But you have to look beyond risk that directly encroaches on IT's turf, such as network violations or data breaches, and see more broadly where in the organization technology can play a role in protecting - or exposing - assets. "So many IT departments I see are really only managing IT perimeter risk, or data breach losses, but nobody's doing anything about intellectual property," says Brian Barnier, a risk advisor with ISACA and principal analyst at ValueBridge Advisors in Norwalk, Connecticut. And over-communicate risk priorities to your technology staff, because they may be focused on a more granular set of threats than you are.
2. It's not (just) about compliance
Yes, compliance with Sarbanes-Oxley, HIPAA, and a host of other regulations is obviously a piece of the risk management puzzle. But don't let it drive your approach. "When we talk about risk intelligence, it's the CIO understanding that he or she is providing the core information technology infrastructure to support the business, and understanding all the things that put you at risk," says Deloitte & Touche LLP Principal Bill Kobel. Instead of focusing only on compliance, ask whether you have the right kind of people and technology to stay ahead in your market. But if you're stuck in the compliance mindset and running around filling out checkboxes on paperwork, you've lost sight of business objectives, Barnier says.
3. Enterprise risk management is a career opportunity
The CIO is very well positioned to drive an enterprise-wide, more sophisticated approach to managing risk. Especially in companies that are very dependent on IT-driven processes, the CIO usually has the best access to information. "The more the CIO understands about the business processes, and the business dependencies on IT, the more the CIO can be a real advocate in the C-suite of doing risk management right," says Barnier. A CIO who's implemented an IT-oriented risk framework "can easily flip it right back into a driver of enterprise wide risk management," he adds. That can help the CIO personally and help their organisation drive more profitable revenue by taking risks where they make sense.
4. There are cheat sheets
While no one can save you the hard work of understanding the risks connected to all your technology and business operations, there are multiple frameworks and standards that can put you on the road to good practices. Important ones include Risk-IT from technology governance nonprofit ISACA (the group is best known for COBIT, a more general enterprise IT management framework) and ISO 31000. But be mindful about how you apply those frameworks, Kobel warns. Frequently, specialists in a company understand different domains of a framework - such as security, privacy, business continuity, or compliance - and the framework winds up being used at what he calls a sterile, tactical level of controls and requirements rather than being connected to the way the business really operates.
5. The bad guys REALLY know how to get aligned with your business
If you aren't connecting risk management directly to business processes, you must realise that your opponents are. The bad guys are probing for vulnerabilities by looking at your fundamental operating behaviour, at your products and services, Kobel says, and figuring out how to attack you either through social engineering or through your infrastructure. The same goes for insiders: "They have an innate knowledge of a business process, or a set of activities, and they begin to navigate through the seams, to circumvent internal controls to achieve their objective," he adds. "What they're doing is targeting the business side."
Chief flexibility officer: The next CIO role?
The world is changing so quickly, and every company's business model has to change as well, says V.C. Gopalratnam, vice president, IT at Cisco. 'You really have to build an organisation that is as flexible as hell.'
Rob Fyfe receives CIO Lifetime Contribution Award
Cited for 'his approach to innovation and his courage and leadership in supporting technology based initiatives' as CIO and CEO at Air New Zealand.
CONNECT WITH @ CIO NZ
CIO is bringing together the best of MIS NZ and CIO, the new look CIO is the only magazine that focuses on the unique management needs of senior IT professionals.
Get the latest news from CIO delivered via email.
MIS 100 REPORT
The definitive guide to New Zealand's largest and most significant ICT users.
READ NOW »