Organizations today face risks that are unprecedented in corporate history. To effectively manage these risks, a risk intelligent enterprise—with support from a risk intelligent CIO—is required.
The term "risk intelligence" is ascribed to enterprises that have attained the highest state of risk management. Risk intelligent organizations possess many admirable characteristics, including the ability to do the following.
Bridge Silos. In addition to nurturing risk expertise within divisions, departments, and units, risk intelligent enterprises also build bridges between these risk "silos." Doing so enables them to open lines of communication, share information across the organization, consider risk scenarios, and take the potential interaction of multiple risks into account.
Assess Impact. It would be a Sisyphean task to try to plan for every threat that might affect the enterprise. Organizations, after all, face an infinite number of risks. That's why they should focus on the finite impacts that could result from innumerable threats. For this task, business impact analyses are invaluable. But rather than establishing separate contingency plans for, say, brownouts, fire, hurricanes, terrorist attacks, or sabotage, companies should create one plan that addresses the impact of network outages—regardless of the cause.
Embrace Risk Taking for Reward. Risk intelligent enterprises embrace not only risk mitigation, but also risk taking as a means to value creation. Risk taking for reward can assume many forms, from strategic acquisitions to research and development to entering new markets.
In our work, we have found that organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, over time, outperform those that are less so. In short, companies make money by taking intelligent risks, and they lose money by failing to manage risk intelligently.
How the CIO Fits in
What, then, is the role of the chief information officer (CIO) in the risk intelligent enterprise? Savvy CIOs understand that information technology (IT) has a critical role to play in corporate governance, risk management, and regulatory compliance efforts. They also understand that, when it comes to deploying technology for risk management initiatives, they must adopt a broader view. This calls for:
Identifying the right people to manage risk
Providing people with appropriate training
Championing a philosophy that includes intelligent risk taking for reward as well as risk mitigation
Advocating a consistent risk and control assessment process that links business processes to their supporting IT resources
Harnessing technology to embed risk management into the organization's day-to-day operations
Risk intelligent CIOs instill a shared language for discussing risk and implement common metrics for measuring it. They unite risk-management and monitoring initiatives across the corporate culture, rather than relying on separate processes for individual departments. They work in active partnership with other functional executives in the organization. They also can help risk committees improve their decision-making capabilities by providing timely access to relevant information, bringing into line the various risk issues confronting the separate business units, and facilitating an enterprise-wide view of risk.
Needless to say, managing risk isn't solely about technology solutions—it's also about management and leadership. That's why CIOs must change (by adapting to new realities) or be changed (by being replaced or redeployed, or by retiring). CIOs must be catalysts for change, not just "order takers."
Becoming a Risk Intelligent CIO
Organizations today face risks that are unprecedented in corporate history. As the executive team seeks guidance for increasingly complex corporate governance, regulatory compliance, and risk-management issues, CIOs must make sure they have a seat at the table.
To that end, CIOs must devote the required attention and resources to:
Applying risk-management processes to the IT department, including identifying, assessing, managing, and reporting IT-specific risks such as privacy, security, and business continuity
Applying the technology infrastructure across the enterprise to help other groups identify, assess, manage, and report their risks
Understanding how it all comes together at the enterprise level
Ensuring that strategic risks are considered appropriately
Helping the board understand an enterprise's risks as well as the corresponding action plans
CIOs must redefine their roles and become more creative, proactive, innovative, and strategic than ever before. They must adopt a deeper and broader perspective. And they must ensure that IT evolves from its conventional duties of protecting enterprise assets to a more strategic role of creating value and enhancing the competitiveness of the organization.
By taking on this elevated role, CIOs will improve not just the fortunes of the IT department, but also that of the entire enterprise.
Chris Lee is a senior partner in Deloitte & Touche LLP, working in the U.S. Security & Privacy Services group. He can be reached at 408-704-4314.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.