Risk management: A CIO's strategic role

Your new book is about managing strategy in turbulent times. What factors must a CIO, in particular, balance when responding to a crisis?

Cusumano: In different kinds of crises-product, economic, political-one common thread is the information available to executives.

In the Toyota recalls, we now know there were a number of cases of poor quality going back to the mid-1990s. Frame corrosion in trucks in North America. Pedal problems first in Europe. Software problems with braking in the United States and Japan. None of that information was aggregated, analyzed and presented to senior executives.

CIOs can make sure that the information systems are available for aggregating reports from the field or news media. But it's not just a technology problem. People have to respond to the data. It has to be put into a form that senior executives can absorb quickly on a regular basis.

CIOs need to champion not only that the IT systems are there. They have to try to make sure the processes are in place to use the information.

You have lots of indications that the whole credit market was put in a very high-risk situation. CIOs are in a unique position, because of the data and systems they see, to give special advice to their CEO and colleagues. Managers chose to ignore the risk elements. CIOs can make sure information is collected, but it's what people do with the data that's critical.

What have CIOs learned about business risk recently?

They can't just offload responsibility for risk, or for interpreting events, or for making sense of the data we're collecting. It has to be a collective activity among senior executives and people with deep knowledge of a company's and industry's processes.

Since the CIO is in a critical cross-functional position, maybe CIOs should take on more of a role regarding how people are thinking about what information means. IT enables almost everything a modern organization can do, so it does put a special pressure on the CIO.

When a crisis hits, how should internal information be handled?

You have to bring people together who can make change happen. Frequent physical or virtual meetings are important.

The CIO, CTO and head of software development should all be there to answer questions about what it's possible to do with IT, as well as to keep on top of how executives are looking at information and what they want to see. Any CIO worth his salt is guided by the principle that information is only meaningful if people use it. That's the foundation for what drives a modern CIO.

Why do you love meetings?

Just sending an e-mail to 300 people won't get anything done. People ignore it. There's no substitute for looking someone in the eyes and saying, "Did you do this? Are you going to do this? What do you think about this?"

Meetings don't have to be long. One of the things we've learned from agile development is that a daily meeting is productive. It's a stand-up meeting where no one gets comfortable. You tell everyone what you plan to do that day. You're synchronizing what you're doing with what other people are doing. You're helping each other respond practically in real-time.

That approach sounds useful in everyday operations.

Yes. Different industries have different paces of change. For industries where the pace of change and what customers and competitors do is fast or where risks are high, you need to have an information-sharing structure so people can respond quickly to urgent situations that come up all the time.

Michael Cusumano is a professor of management and engineering systems at MIT's Sloan School of Management and author of Staying Power: Six Enduring Principles for Managing Strategy and Innovation in an Uncertain World.