Running the Risk


CIOs are the executives best positioned to champion enterprise risk management. Use this five-step leadership strategy to get the ball rolling.

Reader ROI

  • Why CIOs are taking a leadership role in enterprise risk management
  • The leadership skills essential for the ERM effort
  • Ways that CIOs demonstrate ERM leadership

Many CIOs are now faced with the challenge of managing enterprise risks, for the simple reason that businesses depend more than ever on IT to be able to function (see "CIO, It's You", page 53). Yet enterprise risk management (ERM) is complex; it's esoteric; and it requires a culture change that is frequently resisted by organizations, because people view identifying risks as a form of criticism.

To get the ERM ball rolling, CIOs need a leadership strategy. So we synthesized one based on interviews with nearly two dozen consultants, academics and CIOs who are practising ERM. You'll notice that the five steps in this strategy apply to many other leadership challenges. Here's how to make them work for ERM.


Some CIOs find the inspiration for ERM unavoidable: Without an enterprise-wide view of risk, people could die. For example, IT has become central to the way the US Navy fights. The CIO for the Department of the Navy, Dave Wintergreen, is in the midst of deploying an enterprise-wide Navy-Marine Corps intranet, which, when completed this year, will provide a standard way for land bases and ships at sea to exchange real-time battle information. If the system fails, sailors and fighter pilots won't get the information they need in combat, Wintergreen notes. The September 11 attack on the Pentagon, which took out the Navy command centre, exposed the risk to military operations from locating communications equipment in a single location and underscored for Wintergreen why ERM is critical.

But sometimes, especially if you've been handed a mandate from the CEO or the board of directors to deploy an ERM strategy, it takes a little more work to convince yourself of ERM's value. Up until the mid-1990s, executives at JP Morgan made decisions about investments in new business ventures based on the forcefulness of the executive making the argument. That strategy led to some unpleasant surprises for the bank when new investments didn't work out as well as they could have, says Bill Sharon, the bank's former chief risk officer for technology, who is now a consultant. JP Morgan executives, Sharon recalls, would decide to open offices in new countries without considering a range of operational risks, including the impact on IT and telecommunications.

The bank's chairman at the time asked executives for a better decision-making process for choosing investments. Sharon, working with the head of the bank's corporate real estate business, took the initiative to devise a process for scoping out the requirements - including the IT needs - for any new business initiatives. When he was finished, he realized that the process he had developed amounted to analyzing enterprise risks; he became sold on ERM.

Sharon asked people in every department how they were affected by a new business initiative. He then developed a list of conditions to address before someone could present a new product or location to the executive committee, including what IT investments or support were needed. For the project to be approved, the project sponsor had to gather information from each business line or department to demonstrate that they had addressed the necessary implementation issues. For example, if a new office was opened in Mexico City, project sponsors had to report on how many computers would be needed, the network connections required and the reliability of electric power. None of these questions were being asked routinely, yet they were often critical to a new venture's success.

"I learned that your responsibilities in IT or anywhere in the business aren't bounded," Sharon explains. "You can't just do your piece and go home. Second, in [IT], no one really knows what the business strategy is. That's when I realized ERM gets people on the same page."

CIOs who have become ERM leaders in their companies say defining your message for why ERM is necessary is one of the most important steps to raising awareness about it - and it is arguably the most difficult. Because ERM spans the enterprise, you must understand the intricacies of the operations in each line of business. It also requires you to think about events or consequences that you may have either ignored or preferred not to consider, especially if the culture of the corporation views thinking about risks as pessimistic.

"You must find a way to describe the risk," says David Weymouth, former CIO with Barclays Bank, who now heads the bank's business ethics strategy. "If you can't find a way to describe it, then you'll never get anywhere."

That may require you to devise a new way of talking about IT with your executive colleagues and staff alike. A definitive ERM message includes facts that can be used to sway doubters, says Weymouth. He instituted a monitoring system to collect data on Barclays' operational systems, such as the number of times the bank intercepted a fraudulent payment or blocked a denial-of-service attempt. By recording how many incidents that could have disrupted bank business the IT shop has stopped - which, for Weymouth, are equivalent to risks - he is able to calculate the savings those controls delivered. He is also able to use the data to show that Barclays must continue to invest in IT to mitigate those risks.
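As an added illustration of the kind of calculation Weymouth describes (this is example code, not Barclays' system or anything from the article), the block below takes a constructed log of intercepted and missed incidents, totals the loss each control avoided, and turns that into a return-on-security-investment figure per control. The incident records, loss estimates and control costs are all assumptions made up for the example.

```python
"""Added example (not from the article): turning blocked-incident counts into
an avoided-loss and return-on-security-investment (ROSI) figure, in the spirit
of the monitoring system described above. Every record, loss figure and control
cost below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed incident log: one record per event the monitoring saw.
# Fields: (category, blocked?, estimated loss had the event succeeded)
INCIDENTS = [
    ("fraudulent_payment", True, 12_000.0),
    ("fraudulent_payment", True, 4_500.0),
    ("fraudulent_payment", False, 8_000.0),   # got through: a realised loss
    ("dos_attempt", True, 25_000.0),
    ("dos_attempt", True, 25_000.0),
    ("dos_attempt", False, 25_000.0),         # mitigation failed on this one
]

# Assumed annual cost of the control that handles each category.
CONTROL_COST = {"fraudulent_payment": 30_000.0, "dos_attempt": 40_000.0}


@dataclass
class CategorySummary:
    blocked: int
    realised: int
    avoided_loss: float   # losses of events the control stopped
    realised_loss: float  # losses of events that succeeded anyway


def summarise(incidents):
    """Aggregate blocked versus realised events and their losses per category."""
    out = defaultdict(lambda: CategorySummary(0, 0, 0.0, 0.0))
    for category, blocked, loss in incidents:
        s = out[category]
        if blocked:
            s.blocked += 1
            s.avoided_loss += loss
        else:
            s.realised += 1
            s.realised_loss += loss
    return dict(out)


def rosi(summary: CategorySummary, control_cost: float) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost.
    Only losses the control actually stopped count as avoided; realised losses are
    reported beside the figure so a leaky control cannot hide behind its block count."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (summary.avoided_loss - control_cost) / control_cost


def report(incidents=INCIDENTS, costs=CONTROL_COST):
    """Per-category figures a CIO could put in front of the board."""
    rows = {}
    for category, s in summarise(incidents).items():
        rows[category] = {
            "blocked": s.blocked,
            "realised": s.realised,
            "avoided_loss": s.avoided_loss,
            "realised_loss": s.realised_loss,
            "rosi": rosi(s, costs[category]),
        }
    return rows


if __name__ == "__main__":
    for cat, r in report().items():
        print(f"{cat}: blocked={r['blocked']} realised={r['realised']} "
              f"avoided={r['avoided_loss']:,.0f} lost={r['realised_loss']:,.0f} "
              f"ROSI={r['rosi']:.0%}")
```

On the constructed data the DoS mitigation shows a positive return while the fraud screening does not, which is the point of keeping realised losses in the same table: the numbers argue for more investment in one place and for a closer look in the other. The avoided-loss total is only as honest as the block count behind it, so a monitoring system used this way needs its false positives reviewed before the figure goes to the board.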


Not everyone understands risk, and people view risks differently. That means you have to be patient and give your audience time to understand what you are talking about. Flexibility is the key here so that you may adapt your message for the different attitudes toward risk you encounter.

George Westerman, a research scientist at MIT's Sloan School of Management who is studying ERM in relation to IT, illustrates the point with a story about his four-year-old daughter, who enjoys climbing on a jungle gym. When she reaches about halfway up, she says: "Daddy, look at me."

"My impulse is to say: 'Great. Go all the way to the top', hoping to avoid the risk of overprotecting her," Westerman explains. "Her mother's inclination is to say: 'Get down now', hoping to avoid the risk that our daughter may fall and hurt herself. We both have different ideas of risk, yet we both have our daughter's welfare first. It turns out that an appropriate response is to stand beside her and let her climb as high as she wants and be there in case she falls." The message, Westerman says, is that his daughter can take a bigger risk, given the appropriate safeguards.

Sometimes delivering your ERM message requires you to not talk about risks at all. When Sharon was CIO at the advertising agency McCann WorldGroup, he sometimes avoided the topic altogether. During one project for the agency's global accounts group, he knew account managers wouldn't understand what he meant about managing risks. The group, which was responsible for more than 100 markets, was having trouble keeping track of its e-mail and faxes from the company's various lines of business. These communications were frequently lost or took a long time to locate, increasing the risk that the group could not respond quickly enough to clients.

Instead of discussing risks, Sharon talked about how an intranet could improve the group's service to customers. He told them he understood how hard they were working, and offered to help them with logistics so that they could focus on serving clients better. Once the Web site was deployed, he recalls, the group started making business decisions in real time, reducing the risk that dissatisfied clients would take their business elsewhere.

Other times, the straightforward approach works best. Westerman relates the story of a CIO at a Fortune 100 company who needed to sell his board of directors on taking what seemed to be a bigger than usual risk on a large corporate-wide IT project. The company's IT department had never missed a deadline or run over budget. The reason was that the IT department had always doubled its estimates of the amount of time and money needed to complete its projects.

The CIO decided this management approach was too risky for the company because it didn't give the board accurate information with which to make business decisions. It also gave the IT department an incentive to spend too much money. The CIO decided that this time he would give the board the most accurate cost estimate and time line for the project, and explain that he might have to come back for more money and time.

Westerman says that before the meeting, the CIO, typically a steady individual, was "shaking in his boots". The CIO assumed the board would think his approach lacked proper analysis and increased the risk of project failure. But the board approved the project and did not condemn the CIO's judgment when he came back a few months later to say that the project would be two months late and would cost more. The CIO had prepared them by outlining the risks.

Leaving your office to walk the shop floor, meet managers in other departments or travel to the organization's key installations is an acknowledged best practice for IT leadership. And it is particularly important for leading ERM. That's because ERM requires a mind-set change. There's a tendency for employees to ignore ERM and go back to traditional ways of thinking about risk if the ERM philosophy and practices are not reinforced.

"Leading the ERM effort requires the development of personal relationships," Sharon says. "You have to solve the problems that are important to your business partner, whether they appear trivial or not, and then introduce processes that expand their awareness of the operations of the business."


Your actions and your attitude must match your message. "If leaders don't follow through with behaviour, then the rest of [these steps] are nonsense," warns Robert Charette, director of the Cutter Consortium's ERM and governance practice.

Business unit managers and executive suite colleagues may view someone who points out risks in their area of responsibility as criticizing them. In turn, those who bring you perceived risks in IT systems may seem to be criticizing you. Resist the tendency to take information about risks posed by IT as negative. Instead, encourage your staff and colleagues to identify enterprise IT risks by positioning the information about such risks as a chance to solve problems. Former US Secretary of State Colin Powell, also a former chairman of the Joint Chiefs of Staff, encouraged soldiers to bring him problems. "The day [they] stop bringing you their problems is the day you have stopped leading them," he says.

One way to walk the ERM walk is to continually reinforce the need for constant attention to ERM through business continuity testing. Just like school kids practising fire alarm drills to emphasize the importance of fire safety, CIOs should insist on testing business continuity plans to send the message that the organization is serious about managing enterprise risks that stem from IT.

Steve Randich, CIO with Nasdaq, relies on regular tests of his data centre's business continuity plans to remind his staff that ERM is a core principle for the organization. About 3300 companies are listed on the Nasdaq, which processes about 20,000 transactions a second and receives information from about 350,000 desktops and workstations worldwide. If Nasdaq can't operate its transaction systems, it has to close the market. "We're then out of business," says Randich.

After 9/11, it took four months for Nasdaq to permanently relocate its New York City offices. The data centre was able to continue operating (although the government shut down the markets for four days), but Randich realized that the company needed a more detailed risk management plan. Nasdaq's new plan included the extra equipment it would need (such as desktops and Internet access), procedures for communicating with employees and alternative work sites in case of a disaster.

Randich checks his assumptions on a biweekly basis. He doesn't just run tests of his backup systems; he also makes sure that new employees are informed of where to go and what to do in case of an emergency. In addition, he confirms that he has enough mobile phones to give to employees in the event that landlines are down. Randich also designated a team who, in the event of a catastrophe, will check in with the 300-plus market makers who trade on the stock exchange to determine whether the dealers can create enough demand to keep the market open. "If [that list] is out of date, it's not worth the paper it is written on," says Randich.

By testing the plan so often, Randich says the message is sent loud and clear to the entire company that the IT department is serious about keeping the trading network up no matter what. "The idea is not trying to figure all this out in the middle of a crisis," he explains. "You make sure you have it all ironed out."

The bottom line is that ERM is now essential to running a company in a world where risks are ubiquitous and IT is both the source and the conduit of many of those risks. To adopt ERM, companies need a credible leader, someone, says Barclays' Weymouth, who is "senior and respected in the organization, someone [who] knows the fabric of the business".

That person, says Weymouth, is you.

Why IT must champion enterprise risk management

Among enterprise risk management experts, there's widespread agreement that the CIO is the most appropriate senior-level executive to lead her company's transformation to a risk-managed organization - whether or not she wants to. "CIOs are going to be dragged into the leadership position on ERM," warns Robert Charette, a risk management expert with the IT consultancy Cutter Consortium.

CIOs will be in the ERM hot seat for several reasons. First and foremost: IT is now critical to most business operations. When systems are down because of a virus or power outage, so is your business. Second: Because IT supports every department, the CIO is the senior executive with the broadest knowledge of the company's business processes. Because of these trends, some ERM experts predict that corporations will begin to appoint board members who have a deep understanding of IT and its risks. These board members will want to talk to you.

For all of these reasons, even if a company hires a chief risk officer - an ERM specialist - to handle the corporate-wide effort, the CIO will still have a prominent leadership role. Charette notes that as technology products become commodified, companies will differentiate themselves according to how effectively they use IT, including how well they manage its risks.

Besides, says Bill Sharon, who recently left his job as CIO at McCann WorldGroup to start his own risk management consultancy, Strategic Operational Risk Management Solutions, the chief risk officer's job is to find problems; it's the CIO's job to solve them.