October 13, 2012, 9:17 PM — Commercial espionage. Compliance. Crazy weather. Credit default swaps. Risk is everywhere and if you're just trying to minimize it within IT, you're missing the point.
Instead, learn to be a "risk intelligent" CIO who can help your organization wisely take, and profit from, risks.
1. Get your own house in order first
You should certainly identify and plan for events that can affect your ability to provide a stable, available, protected, and recoverable technology infrastructure. But you have to look beyond risk that directly encroaches on IT's turf, such as network violations or data breaches, and see more broadly where in the organization technology can play a role in protecting, or exposing, assets. "So many IT departments I see are really only managing IT perimeter risk, or data breach losses, but nobody's doing anything about intellectual property," says Brian Barnier, a risk advisor with ISACA and principal analyst at ValueBridge Advisors in Norwalk, CT. And over-communicate risk priorities to your technology staff, because they may be focused on a more granular set of threats than you are.
2. It's not (just) about compliance
Yes, compliance with Sarbanes-Oxley, HIPAA, and a host of other regulations is obviously a piece of the risk management puzzle. But don't let it drive your approach. "When we talk about risk intelligence, it's the CIO understanding that he or she is providing the core information technology infrastructure to support the business, and understanding all the things that put you at risk," says Deloitte & Touche LLP Principal Bill Kobel. Instead of focusing only on compliance, ask whether you have the right kind of people and technology to stay ahead in your market. But if you're stuck in the compliance mindset and running around filling out checkboxes on paperwork, you've lost sight of business objectives, Barnier says.
3. Enterprise risk management is a career opportunity
The CIO is very well positioned to drive an enterprise-wide, more sophisticated approach to managing risk. Especially in companies that are very dependent on IT-driven processes, the CIO usually has the best access to information. "The more the CIO understands about the business processes, and the business dependencies on IT, the more the CIO can be a real advocate in the C-suite of doing risk management right," says Barnier. A CIO who's implemented an IT-oriented risk framework "can easily flip it right back into a driver of enterprise wide risk management," he adds. That can help the CIO personally and help their organization drive more profitable revenue by taking risks where they make sense.
4. There are cheat sheets