STEP 4: GET OUT OF THE OFFICE
Leaving your office to walk the shop floor, meet managers in other departments or travel to the organization's key installations is an acknowledged best practice for IT leadership. And it is particularly important for leading ERM. That's because ERM requires a mind-set change. There's a tendency for employees to ignore ERM and go back to traditional ways of thinking about risk if the ERM philosophy and practices are not reinforced.
"Leading the ERM effort requires the development of personal relationships," Sharon says. "You have to solve the problems that are important to your business partner, whether they appear trivial or not, and then introduce processes that expand their awareness of the operations of the business."
STEP 5: BE A MODEL CITIZEN
Your actions and your attitude must match your message. "If leaders don't follow through with behaviour, then the rest of [these steps] are nonsense," warns Robert Charette, director of the Cutter Consortium's ERM and governance practice.
Business unit managers and executive suite colleagues may regard someone who points out risks in their area of responsibility as criticizing them. In turn, those who bring you perceived risks about IT systems may seem to be criticizing you. Resist the tendency to take information about risks posed by IT as negative. Instead, encourage your staff and colleagues to identify enterprise IT risks by positioning information about such risks as a chance to solve problems. Former US Secretary of State Colin Powell, also a former chairman of the Joint Chiefs of Staff, encouraged soldiers to bring him problems. "The day [they] stop bringing you their problems is the day you have stopped leading them," he says.
One way to walk the ERM walk is to continually reinforce the need for constant attention to ERM through business continuity testing. Just like school kids practising fire alarm drills to emphasize the importance of fire safety, CIOs should insist on testing business continuity plans to send the message that the organization is serious about managing enterprise risks that stem from IT.
Steve Randich, CIO with Nasdaq, relies on regular tests of his data centre's business continuity plans to remind his staff that ERM is a core principle for the organization. About 3,300 companies are listed on the Nasdaq, which processes about 20,000 transactions a second and receives information from about 350,000 desktops and workstations worldwide. If Nasdaq can't operate its transaction systems, it has to close the market. "We're then out of business," says Randich.
After 9/11, it took four months for Nasdaq to permanently relocate its New York City offices. The data centre was able to continue operating (although the government shut down the markets for four days), but Randich realized that the company needed a more detailed risk management plan. Nasdaq's new plan included the extra equipment it would need (such as desktops and Internet access), procedures for communicating with employees and alternative work sites in case of a disaster.
Randich checks his assumptions on a biweekly basis. He doesn't just run tests of his backup systems; he also makes sure that new employees are informed of where to go and what to do in case of an emergency. In addition, he confirms that he has enough mobile phones to give to employees in the event that landlines are down. Randich also designated a team who, in the event of a catastrophe, will check in with the 300-plus market makers who trade on the stock exchange to determine whether the dealers can create enough demand to keep the market open. "If [that list] is out of date, it's not worth the paper it is written on," says Randich.
By testing the plan so often, Randich says the message is sent loud and clear to the entire company that the IT department is serious about keeping the trading network up no matter what. "The idea is not trying to figure all this out in the middle of a crisis," he explains. "You make sure you have it all ironed out."
The bottom line is that ERM is now essential to running a company in a world where risks are ubiquitous and IT is both the source and the conduit of many of those risks. To adopt ERM, companies need a credible leader, someone, says Barclays' Weymouth, who is "senior and respected in the organization, someone [who] knows the fabric of the business".
That person, says Weymouth, is you.