IT Risk is present in most organizations and companies.  IT Risk is a "derivative risk": when an IT incident occurs, it will affect "main risks", such as continuity risk, confidentiality/privacy risk and reliability risk.  CIO's and IT directors tend to focus on technology.  However, most of the time, people and the lack of a proper IT risk framework are causing the major weaknesses and highest IT risks.

Organizations should start with identifying the (IT-) risks, define a risk-appetite and design appropriate measures to mitigate the risks.  New technologies emerge and the CIO should check whether they fit into the risk-appetite of the organization.  If not: new risk mitigating measures must be implemented, or the use of the new technology has to be postponed or cancelled.  The use of new technology can reduce operational costs and create a competitive advantage.  New technology has a cost itself and costs to reduce the IT risk related to the new technology.  A business case must support the implementation and use of any new technology.  Examples of new "hot" technologies are the Cloud and the iPad.

All participants of the roundtable agreed on two points:

- IT risk is not only for IT-people: it is a multi-discipline subject. E.g. IBM has an IT-risk committee (with all CxO's and representatives from operational departments);

- People are the weakest part in the "IT-risk/security"-chain.

Some measures which are proposed to manage the "human risk" are the use of social media (to engage and educate employees) and the certification of employees.  One participant suggested to link architects and security specialists together.

The roundtable agreed on the fact that there is a positive correlation between IT Complexity and IT Risk: the higher the complexity, the higher the risk.  So, reducing IT complexity reduces also IT Risk.  Architects can play an important role in reducing complexity.

Bigger companies should also think about cyber warfare departments.  Hacker communities are attacking companies when they don't agree with the company policies (e.g. credit card companies were attacked when they refused to accept Wikileaks payments).

I think the discussion was quite valuable.... for larger organizations.  Smaller businesses cannot afford risk-committees: they must rely on the quality of technology suppliers and IT-service suppliers.  In the Netherlands we had a very large scale security issue where a company, Diginotar, which supplied security certificates, was hacked - by hackers from Iran.  All websites from the Dutch government used those certificates.  Even Microsoft was affected.  A lot of websites had to close down for days and Diginotar went bankrupt within two weeks... (http://www.pcworld.com/businesscenter/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html).

How can an organization avoid the use of non-secure certificates?  The security of Diginotar itself was a mess... Is certification of companies and people a solution?

The major question of the roundtable was whether IT Risk could be turned into a competitive advantage.  I think it cannot.  It will be a competitive disadvantage when the risk mitigating measures are not in place when an incident occurs. In that case a company can go bankrupt (and the owners are in a position get sued as well...).  Companies must be able to trust "IT- security" suppliers and they should define their own IT-Risk appetite with risk mitigating measures (with an allocated budget).

A "general" security/IT-Risk baseline (generally accepted by the market) could be of great help, especially to small- and mid-sized companies.

George Westerman

Join the Center for CIO Leadership for this interactive virtual roundtable for CIOs and other C-suite executives, IT Risk: Turning Business Threats into Competitive Advantage featuring Dr. George Westerman, Research Scientist, MIT Center for Digital Business and Kris Lovejoy, Vice President of Risk Management, IBM.  The roundtable will take place Tuesday, September 27, 2011 at 9:00 am EDT (New York, USA).   Recent press about cyber and malware attacks, combined with ever-increasing regulatory compliance burdens, has Boards demanding that CIOs keep their companies out of the headlines.  At the same time, the consumerization of IT and exploding use of social media across enterprises are increasing the challenges of managing risk.  Yet IT risk management efforts are often seen as preventing progress rather than managing risk.  This session will explore key elements of the risk management challenge, the approaches to successfully manage risk and the potential for CIOs to find new value from risk management.  The speakers will explain how CIOs can reframe the discussion to turn these challenges into business opportunities.  The session will also feature a case study on how IBM is tackling the risk management challenge.

Kris Lovejoy

To register for the September 27th Virtual Roundtable or if you would like further information, please contact event@cioleadershipcenter.com.

I wanted to underscore the comments made by Katharyn White, in the Virtual Roundtable "Partnering to Drive Change through Analytics" on March 23.  In my experience, surfacing IT Cost Transparency analytics for a large financial firm, the reporting alone was not the big win.  What took equal if not more effort, and helped produce actionable results was the leadership messages coming from IT to frame the new information and reporting—that this was a process that would transform the internal budgeting and cost allocation process, not simply another element added to the existing process.

The ability for a business partner to see exact detail of their IT spend is only valuable if the costing context is provided and the variables explained. So the CIO's role is far beyond finding the resources to get the job done, but must lead the transformation and communicate and manage expectations clearly across the organization.

Please join the Center for CIO Leadership for an exclusive Center-sponsored Virtual Roundtable for CIOs and other c-suite executives, Thursday, January 27, 2011.

The CIO Edge: Seven Leadership Skills You Need to Drive Results – featuring George Hallenbeck, Karen Rubenstrunk, and Graham Waller.

George Hallenbeck Director, Intellectual Property Development, Korn/Ferry Leadership and Talent Consulting	Karen Rubenstrunk Independent CIO Coach	Graham Waller Vice President and Executive Partner, Gartner Executive Programs

What makes a great CIO?  Three years of research conducted by experts from Gartner and Korn/Ferry International provide the answer, something high-performing CIOs all have in common: the ability to forge superior working relationships to collaboratively deliver business results through people, by people and with people.  This session will offer a wealth of practical strategies and valuable tips for mastering the seven “soft” leadership skills proven to yield hard results—professionally and personally.

Join us for this unique opportunity to talk directly with the researchers and authors of this new insight into how great CIOs consistently exceed stakeholder expectations and maximize the business value delivered through their company’s technology.

To register for the January 27th Virtual Roundtable or if you would like further information, please contact event@cioleadershipcenter.com.

You can learn more about the authors, the recently published book The CIO Edge: Seven Leadership Skills You Need to Drive Results, and follow their blog by clicking here.