When CIO Means 'Chief Isolated Officer'
Many organizations assume that the greatest threat to their technology is external: a cyberattack, a system failure beyond their control (a natural disaster, say), or the arrival of newer, better technology that renders their investment obsolete. I disagree. I think the biggest danger is internal, and it may well sit in the corner office. If the C-suite and the board, especially the chairperson, don't understand how critical it is to involve the CIO early and often in developing an Enterprise Risk Management (ERM) program, and to build genuine collaboration around that work, the CIO won't be in a position to meet the needs of the entire organization.
When it comes to ERM, too often CIO stands for Chief Isolated Officer, not Chief Information Officer. Technology is critical to running any business, its complexity has grown exponentially, and the related threats have grown in scope, scale, and number; the CIO's input in implementing or maintaining an ERM program is therefore essential to any company's success. But that can only happen when you, the CIO, have the cooperation of the appropriate members of the senior leadership team and the ability to collaborate with them.
So how do you make sure you are appropriately involved? It starts with looking at who is tasked with working with you, and it also depends on whether your organization is looking to upgrade an existing ERM program or establish one.
Let’s say your organization is starting from scratch. Who is sponsoring the project? Is it the Chief Risk Officer? Is it the board? Why has the organization decided to get serious about managing and monitoring risks? When the board’s involvement doesn’t include the chairperson, oversight of the ERM project may be given to the Audit Committee and be seen as more of a compliance function than a truly strategic one. If you aren’t seeing involvement from the chairperson, demand it.
Of course, you need to be able to make a good case for getting the chairperson’s ear. You may need to educate the chairperson—and other members of senior leadership—about what could happen if you are brought in too late. The organization could end up with software that isn’t compatible with the organization’s existing technology platform—a surprisingly common and very costly mistake; the organization could end up with software that won’t serve its real information collection and analysis needs and therefore won’t help the organization meet its business goals; or the organization could overestimate the power of the technology.
You need to educate, or remind, senior management that the software, even if it is state of the art, is only a tool: one piece of a robust ERM program. Without the people, expertise, and processes to put the data in context and act on it, it doesn't matter how good the system is. The organization won't have a sustainable process, just a lot of data it doesn't know what to do with on a consistent basis.
Your ongoing partner should be the senior risk manager, or whoever is responsible for managing and monitoring the organization's enterprise-wide risks. Too often, the only time the CIO and the risk manager speak is when the Privacy and Network Security (cyber) insurance policy comes up for renewal. Keep an open line of communication not just during the renewal process but throughout the development or refinement of your organization's ERM program.
Once you know who is sponsoring and leading the ERM program, whether it is new or an upgrade, talk to that person about the business systems currently in place, the budget, the rationale, and the goals.
- Is the ERM process going to leverage existing risk-reporting systems to conduct enterprise-wide risk assessments and create enterprise-level risk-management and monitoring tools or reports?
- How do business units currently use the business systems they already run to communicate and manage risks?
- What is the organization’s IT culture?
- Is the organization willing to invest in an outside consultant to help with the process? And if so, what sort of IT background in addition to ERM expertise should the consultant have?
- Do you need someone to help with the selection of a Governance, Risk and Compliance (GRC) or more customized risk reporting platform, the implementation, or the education?
Any one of those tasks (selection, implementation, or education) can be a full-time job and is too great a burden for either the CIO or the risk manager to take on without assistance. The answers to these questions are critical to establishing a sustainable ERM program.
When it comes to why the company is making the investment, you need to know what kind of reports senior management is looking for. Different stakeholders will have different needs and wants; is it critical that they all be met? Some might be necessary; others nice to have; others completely unnecessary. If you know what people are looking for and why, you can make sure what goes into place is really meeting business needs and adding value.
If you have an existing ERM program, assess its adequacy. Start with the reports you already use: are they missing components? Is management satisfied with what it has? Refine them to reflect best business practices and migrate them into the ERM program. The question of satisfaction is one for anyone with a vested interest in risk, not just senior management but also business-unit employees; draw them into the conversation as well.
One of the great advantages you have as CIO (an arrow in your quiver, I might say) is that you know all the business systems. That makes you uniquely qualified to join the conversation early and add value, not only by making sure the ERM process runs smoothly but by making it part of the culture. You do that by leveraging, as far as you can, the platforms already in place and the software and procedures people already know, and by steering clear of tools that are entirely new for people to learn. Familiar platforms make the process easier to automate and help it take root in the organization's culture.
Finally, there is one more advantage to establishing or upgrading ERM with the CIO as a central, involved figure: the message it sends throughout the organization, "We are serious about risk." Not everyone interacts with the CIO, but what a CIO does and the decisions he or she makes touch everyone and every aspect of the organization. By making the CIO the Chief Involved Officer, you are much more likely to have an effective, highly visible risk-management program, which is one of the building blocks of an enterprise-wide risk-aware culture. That should be the real goal of your ERM program: to make everyone feel that risk is their responsibility. The CIO can be both the catalyst and the hero of that process.