
Playing by New Rules

CIOs are learning to manage a new set of externally generated risks.

CIOs have learned to handle business continuity, information security, and project management. Many have learned to continually raise the bar on their performance in managing these risks: improving success rates for IT projects, managing outsourcer relationships with increasing skill, and bringing business managers into the business continuity planning process.

Risk management was not in the top 10 business drivers for enterprises two years ago. But in Gartner's 2003 CIO survey it rose to number four. Some things must have changed in the past 12-18 months - and they certainly have! The change appears to come from new kinds of risks: terrorism and anti-terrorism campaigns, executive criminality, the rising incidence of identity theft, the interconnection of businesses, and IT failures.

Terrorist attacks raised the perceived potential for catastrophic damage. Large companies have failed because of massive executive criminality. There is a rising incidence of identity theft, and of thefts of databases containing sensitive personal information. And anti-terrorist mass surveillance programs have made consumers fear for their personal security and privacy - often with good reason, as we have seen in the past months with extensive airline customer information being shared with the military in a way that I expect few customers ever imagined.

We also see increasing interconnection of businesses. This increases exposure to theft and misuse of intellectual property. On the horizon and drawing closer is legal liability for IT failures.

Almost every aspect of business operations, in almost any business of any size, now depends on IT. So, no matter which of these risks is under discussion, the CIO is involved in efforts to manage it. The April indictment of US HealthSouth Corporation's CIO on felony charges under the Sarbanes-Oxley Act shows exactly how involved a CIO can be.

Risks need to be identified, examined, then managed.

To identify risks, start by sketching out enterprise-level scenarios. What will our strategies lead us to do? How will we do it? What might happen if we do that? What might cause us not to do it as well as expected? How will markets, competitors and regulators react? There is always a danger of myopia when discussing the nature and importance of risks, so it may be useful to consult external specialists.

With new risks at the enterprise level identified, the next step is to see how the enterprise's practices and activities contribute to these risks. This analysis needs to be at the level of business processes, not business functions. (A process generally cuts across multiple functions, starting and ending with a customer. Shipping is a function; supply chain management is a process.)

Ask senior managers to identify the most important risks and potential consequences they see in the business processes they are involved in. Encourage truth-telling by helping and funding those who report risks. Be sure they understand they are ultimately responsible for risks within their purview, whether they identify them or not. No one can prioritise or focus on a list with more than five to seven items. Classify risks into categories, then assign responsibilities and compare risks within and between categories.
