CIOs are learning to manage a new set of externally generated risks.
CIOs have learned to handle business continuity, information security, and project management. Many have learned to continually raise the bar on their performance in managing these risks: improving success rates for IT projects, managing outsourcer relationships with increasing skill, and bringing business managers into the business continuity planning process.
Risk management was not in the top 10 business drivers for enterprises two years ago. But in Gartner's 2003 CIO survey it rose to number four. Some things must have changed in the past 12-18 months - and they certainly have! The change appears to come from new kinds of risks: terrorism and anti-terrorism campaigns, executive criminality, the rising incidence of identity theft, the interconnection of businesses, and IT failures.
Terrorist attacks raised the perceived potential for catastrophic damage. Large companies have failed because of massive executive criminality. There is a rising incidence of identity theft, and of thefts of databases containing sensitive personal information. And anti-terrorist mass surveillance programs have made consumers fear for their personal security and privacy - often with good reason, as we have seen in the past months with extensive airline customer information being shared with the military in a way that I expect few customers ever imagined.
We also see increasing interconnection of businesses. This increases exposure to theft and misuse of intellectual property. On the horizon and drawing closer is legal liability for IT failures.
Almost every aspect of business operations, in almost any business of any size, now depends on IT. So, no matter which of these risks is under discussion, the CIO is involved in efforts to manage it. The April indictment of US HealthSouth Corporation's CIO on felony charges under the Sarbanes-Oxley Act shows exactly how involved a CIO can be.
Risks need to be identified, examined, and then managed.
To identify risks, start by sketching out enterprise-level scenarios. What will our strategies lead us to do? How will we do it? What might happen if we do that? What might cause us not to do it as well as expected? How will markets, competitors and regulators react? There is always a danger of myopia when discussing the nature and importance of risks, so it may be useful to consult external specialists.
With new risks at the enterprise level identified, the next step is to see how the enterprise's practices and activities contribute to these risks. This analysis needs to be at the level of business processes, not business functions. (A process generally cuts across multiple functions, starting and ending with a customer. Shipping is a function; supply chain management is a process.)
Ask senior managers to identify the most important risks and potential consequences they see in the business processes they are involved in. Encourage truth-telling by helping and funding those who report risks. Be sure they understand they are ultimately responsible for risks within their purview, whether they identify them or not. No one can prioritise or focus on a list with more than five to seven items, so classify risks into categories, then assign responsibilities and compare risks within and between categories.