Part 3 of CXO Priorities | RISK

It's the stuff of CIO nightmares and the cause of many a sleepless night: The fear that the next business continuity threat, malicious code attack or data breach will bring the organization down. Or that a poorly conceived technology investment, system upgrade or system retirement will hit the corporate bottom line and see acrimony heaped on the hapless CIO's head.

High-profile cases of poor IT insecurity or project failure can embarrass the organization, provoke damaging lawsuits, and jeopardize careers. Risk management - and the need to explain those risks to the CEO - has never been more critical or its successful mitigation never more tied to the CIO's fate. And the key to facing and beating those risks would appear to be embracing them, while pushing to achieve the highest possible levels of organizational effectiveness.

IT risk is a growing component of total operational risk and organizations across sectors and industries are starting to consolidate functions to develop a more comprehensive, focused approach to IT risk. Extensive structured interviews with IT professionals around the world this year led Symantec to conclude IT professionals rate themselves more effective in their deployments of technology than of process controls, see management of IT assets and configuration and change processes as particular problem areas, and believe people and process improvements offer the greatest opportunities for them to move from good to great. (For more survey findings, see "The New Game of Risk", at end of this story.)

There's no doubt that the current crop of CIOs today are being judged as never before on their ability to recognize and manage risk, Cutter Consortium senior consultant Robert Charette says. Today's CIOs must understand that in their quest for senior executive positions, they will be evaluated on their risk management decisions.

"I have interviewed many CEOs and board members on what they use as criteria for hiring and promoting folks to the very highest levels of the company. Since almost everyone has a resume a mile long and most are similar, the question they end up using is: How well will this person make difficult decisions - that is, how will they make the ones filled with risk and uncertainty. That is what senior executives get paid for: the yellow risks," Charette says.

Red and green risks are easy to manage; it is those that have no certain course of action that are the most difficult. A senior executive management's job is risk management, Charette points out. Even if you are hired to pursue new opportunities, it is the downside of the opportunities that need to be managed most.

Yet, he says, relatively few CIOs have good risk management skills. Most don't know how to manage resource allocations - which are as much about what you don't do as what you do - very well. Most can't properly calculate opportunity costs, especially in framing the decisions they need to make. In fact Charette thinks most CIOs could benefit from a really good course of decision making to enhance their chances of reaching "the big chair" in the future.

Back on the Front Lines

The good news is that with greater risk comes new opportunity. Deloitte says the current high-risk environment provides a unique transformational opportunity for IT leaders with the vision and ambition to grasp it.

In a paper called "The Risk Intelligent CIO" the professional services firm notes that today, with the negative consequences of poor risk management escalating, CIOs are once again on the front lines. But while yesterday's problems usually had a monetary solution - companies could pay for a fix and move on - today's risks can't be managed just by throwing money at them.

"The blows that a company can take to its brand and reputation (often followed by a hit to market capitalization) can stagger even the most resilient organization. Additionally, with changes in commercial law, and with organizations increasingly judged by negligence standards (a lower standard of proof under which defendants pay for harm caused by their unreasonable activity), today's CIO faces the grim prospect of fines or even incarceration for failure to live up to their expanded fiduciary duties or to stop a crime on their watch.

"In this new world, CIOs need to understand various types of risk: Risk inside their IT operation; risks facing the broader organization; risks in the use and deployment of technology; and strategic risk. Of these, the last is often the most neglected. Yet the task of leveraging technology to enhance strategic risk taking, of using technology to gather business information that can provide insights into the management of strategic risks, should rank among the most important," Deloitte says.

Risks can have various levels of impact, and different risks can combine or interact to create new and greater risks. They can also be categorized as "rewarded" or "unrewarded". While unrewarded risks such as those affecting IT systems availability or compliance with laws and regulations typically bring no benefit to an organization, rewarded risk-taking can sometimes bring substantial benefits. "For example, well-managed risks associated with new technologies, products, markets, business models, alliances, and acquisitions can result in increased profitability and market capitalization," Deloitte notes.

"CIOs have always had to prioritize risks when deciding how to allocate resources. What's different about information security risks today is the uneven ability of CIOs and their business partners to assess them. Every company faces a different mix of security risks. And everyone has a different set of information advantages and disadvantages - call this risk intelligence - for assessing each of those risks. IT executives have no choice but to sort out which security risks are big, which ones are small and, most important, which ones they and their colleagues are not very good at evaluating," Deloitte says.

The risk intelligent CIO can also help minimize risk by instilling a positive "can-do" attitude and culture within the IT department. The bulk of the business-aware CIO's activities are risk-related in one way or another, Clive Bailey, director, head of client focus with Pentafin Services, points out. Unfortunately, the necessary risk aware/mitigation mind-set often gets in the way of IT actually supporting the business strategy, because too many IT professionals concentrate too much of their effort on the risks of doing something rather than figuring out how to do something whilst managing the associated risks along the way.

"If you talk to many business executives you will too often hear them say that IT is an impediment to them doing business and invariably the reason for this is IT's risk-averse mentality. This attitude is made even worse if IT is rewarded for managing risk rather than delivering business value," he says.

Assessing and managing risk is important because it provides context for the decisions a CIO has to make in balancing the requirements of the internal client (the business) and the (external) customer, notes Australian Government Information Management Office (AGIMO) division manager Patrick Callioni.

Doing this right requires CIOs consider and manage many factors, often competing with one another for attention and for resources.