
The Role of the CIO in the Risk Intelligent Enterprise

February 2009

Organizations today face risks that are unprecedented in corporate history. To effectively manage these risks, a risk intelligent enterprise—with support from a risk intelligent CIO—is required.

by Chris Lee and Bill Kobel
edited by Mark Layton
Deloitte & Touche

The term "risk intelligence" is ascribed to enterprises that have attained the highest state of risk management. Risk intelligent organizations possess many admirable characteristics, including the ability to do the following.

  • Bridge Silos. In addition to nurturing risk expertise within divisions, departments, and units, risk intelligent enterprises also build bridges between these risk "silos." Doing so enables them to open lines of communication, share information across the organization, consider risk scenarios, and take the potential interaction of multiple risks into account.

  • Assess Impact. It would be a Sisyphean task to try to plan for every threat that might affect the enterprise. Organizations, after all, face an infinite number of risks. That's why they should focus on the finite impacts that could result from innumerable threats. For this task, business impact analyses are invaluable. But rather than establishing separate contingency plans for, say, brownouts, fire, hurricanes, terrorist attacks, or sabotage, companies should create one plan that addresses the impact of network outages—regardless of the cause.

  • Embrace Risk Taking for Reward. Risk intelligent enterprises embrace not only risk mitigation, but also risk taking as a means to value creation. Risk taking for reward can assume many forms, from strategic acquisitions to research and development to entering new markets.

In our work, we have found that organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, over time, outperform those that are less so. In short, companies make money by taking intelligent risks, and they lose money by failing to manage risk intelligently.

How the CIO Fits in

What, then, is the role of the chief information officer (CIO) in the risk intelligent enterprise? Savvy CIOs understand that information technology (IT) has a critical role to play in corporate governance, risk management, and regulatory compliance efforts. They also understand that, when it comes to deploying technology for risk management initiatives, they must adopt a broader view. This calls for:

  • Identifying the right people to manage risk
  • Providing people with appropriate training
  • Championing a philosophy that includes intelligent risk taking for reward as well as risk mitigation
  • Advocating a consistent risk and control assessment process that links business processes to their supporting IT resources
  • Harnessing technology to embed risk management into the organization's day-to-day operations

Risk intelligent CIOs instill a shared language for discussing risk and implement common metrics for measuring it. They unite risk-management and monitoring initiatives across the corporate culture, rather than relying on separate processes for individual departments. They work in active partnership with other functional executives in the organization. They also can help risk committees improve their decision-making capabilities by providing timely access to relevant information, bringing into line the various risk issues confronting the separate business units, and facilitating an enterprise-wide view of risk.

Needless to say, managing risk isn't solely about technology solutions—it's also about management and leadership. That's why CIOs must change (by adapting to new realities) or be changed (by being replaced or redeployed, or by retiring). CIOs must be catalysts for change, not just "order takers."

Becoming a Risk Intelligent CIO

Organizations today face risks that are unprecedented in corporate history. As the executive team seeks guidance for increasingly complex corporate governance, regulatory compliance, and risk-management issues, CIOs must make sure they have a seat at the table.

To that end, CIOs must devote the required attention and resources to:

  • Applying risk-management processes to the IT department, including identifying, assessing, managing, and reporting IT-specific risks such as privacy, security, and business continuity
  • Applying the technology infrastructure across the enterprise to help other groups identify, assess, manage, and report their risks
  • Understanding how it all comes together at the enterprise level
  • Ensuring that strategic risks are considered appropriately
  • Helping the board understand an enterprise's risks as well as the corresponding action plans

CIOs must redefine their roles and become more creative, proactive, innovative, and strategic than ever before. They must adopt a deeper and broader perspective. And they must ensure that IT evolves from its conventional duties of protecting enterprise assets to a more strategic role of creating value and enhancing the competitiveness of the organization.

By taking on this elevated role, CIOs will improve not just the fortunes of the IT department, but also those of the entire enterprise.


Chris Lee is a senior partner in Deloitte & Touche LLP, working in the U.S. Security & Privacy Services group. He can be reached at 408-704-4314 or at chrislee@deloitte.com.

Bill Kobel is a principal of Deloitte & Touche LLP, providing information protection and business security solutions. He can be reached at 214-840-7120 or at bkobel@deloitte.com.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.