Many CIOs are creating IT risk leaders and teams. In doing so, some are struggling to get value, while others are more successful. To help you be successful, here are five steps to hiring your leader for managing IT-related risk to the business.
1. Clearly define why you need to emphasize IT risk management
Was it due to a problem? Regulatory examination? Audit finding? Test failure? Customer commitment missed? Difficulty in managing the acquisition of another company? System failure? System breach? Data loss? Project cost overruns? Or, is it an effort to improve business performance? Smarter investment decisions? Better integrate acquisitions? Expand more easily? More efficient business processes? Reduce business operations cost? Get more value from business-IT spend? Clearer executive communication?
2. Begin with “the business”
In hiring an IT risk leader, and designing the department that goes with the leader, it’s helpful to start with the enterprise’s business objectives, business model and business risks that most threaten those objectives. For example, how much business competitive differentiation depends on differentiated IT capability? How critical are IT operations to the business? How is the business seeking to grow profitable revenue and how does this depend on IT for success? Of course, these questions can be answered differently by business line or geographic units. The point is understanding how IT-related business risk interacts with “the business.”
3. Be clear on what IT-related business risk management is – and isn’t
It’s not: A fancy name for IT security, audits, controls or compliance management. It’s also not just “self-assessments” done to check controls. While all those involve and use aspects of risk management, they are not the same. IT security is just one area within the operations/service delivery category of IT-related business risk management. Controls are one of the tools (along with preparedness tools) that can be used to reduce risk. Compliance is one of the benefits or outcomes (along with performance) of good risk management. Audit is an assurance function, risk management is, well, a management function. It is, in a financial sense, about reducing risk to returns (revenue, cost, profit, share value). In an operations sense, it is about reducing risk to business objectives (production, quality, customer satisfaction). IT-related risk management, as described by ISACA’s Risk IT Based on COBIT (the leading IT-related risk management framework and best practice developed by the 95,000 member, 160 country organization) covers three areas: IT investment portfolio (the risk of “doing the wrong thing” and making the wrong investment decisions), program and project management (“doing it wrong” in implementation), and operations/service delivery (“doing it wrong” in daily activity).
4. Five key capabilities define an excellent IT-Related Business Risk Management Leader:
• Understand the business products and processes and how they depend on IT. This is not general understanding, but knowledge from a candidate who has done business process analysis and improvement. Having a person with experience in your industry is good. However, since specific products and processes (and competitive approaches) can vary from company to company, the real key is a person who has the skill to dig into and understand business processes and their dependencies on IT. So look for business process improvement/reengineering and/or product management experience. "Knowing the business" is crucial. The Operational Risk Handbook for Financial Companies (Harriman House, London, 2011) makes the crucial linkage more explicit.
• Understand business-IT finance. A leader can’t frame IT-related business risk in “business” terms unless s/he first understands finance. This is more than the IT budget. It should include a business perspective on cost/benefit analysis, return on investment and business case development. This not only allows the leader to improve communications, but also to dig into business projects to see areas of risk and help you as CIO be proactive in framing and managing those risks (along with the CFO and CRO).
• Understand multiple risk disciplines. A person with single-discipline experience can struggle to learn the frameworks, concepts and terminology of other risk disciplines. As the overall IT risk leader, the candidate must cross the silos and bring people into a team. Thus, experience in operations, change management, release management, project management, business continuity, physical security, IT security, facilities, disaster recovery, or availability management is all valuable. The key is to have enough knowledge to relate to people in multiple disciplines and leverage them to build a stronger team.
• Understand “tools of the trade.” This is critical for efficiency and effectiveness. This asks whether the candidate is deeply knowledgeable in using IT risk management best practices and frameworks such as Risk IT Based on COBIT and others. Strong frameworks are built with the insight of practitioners from around the world and are supported with a range of guidance documents and user groups. To you as CIO, this means two benefits: first, you can more easily talk with your customers, partners, suppliers and regulators who also use popular frameworks; and second, your people can be more productive with access to training and other information without “reinventing the wheel.” The candidate should also be familiar with whatever your business risk leaders use for general-purpose, enterprise-wide risk management, such as OCEG’s “Redbook” 2.0, COSO’s ERM Integrated Framework, the UK & European A Risk Management Standard (ARMS) or ISO 31000. A caution flag should go up if the candidate is only familiar with single-discipline frameworks such as those in security, project management or disaster recovery.
• Team and collaborate. Whether operating in a centralized or decentralized environment, the IT risk leader must not only cross the IT silos of risk, but also work with business leaders, geographic region leaders, functional leaders, the corporate-wide risk team, finance, legal, compliance, audit and more. They need to help people bridge the gap and communicate in terms of business objectives. Matrix-runners are good.
With these five capabilities, you can now create an IT risk leader job description for your needs. If you (or your Human Resources partner) would like more detailed information on job skills for either creating job descriptions or job analyses, you might find the job tasks and knowledge statements recommended by ISACA helpful. (On the web page, click the “Display or Hide All Task & Knowledge Statements” toggle to see all the details.)
5. The Organization Design to Enable Success
• Given the scope of responsibilities of the IT risk leader, the ideal reporting line is direct to you, the CIO, with a dotted line to the chief risk officer or similar corporate role. Some organizations may have a policy that prefers the reverse. The IT risk leader would also be a member of corporate or divisional risk committees. Finally, the IT risk leader would be a voting or non-voting member of the enterprise governance of IT board (voting if IT has several members, non-voting if the CIO is the only IT member).
• The IT risk leader would have as reports all the IT silo risk leaders (security, disaster recovery and such) although some might be matrixed or have a liaison (sometimes project management is in this category) plus a core team. In decentralized organizations, the IT risk leader would have solid or dotted line reports from divisional IT organizations. Of course, the IT risk organization requires staffing, training and support to be successful.
• Finally, do your IT risk leader a favor: do not name the department “risk and controls,” “security and risk,” “risk and compliance” or something similar that pigeon-holes risk in a protect-only role that does not also embrace improved business performance and value. A performance perspective helps both you and your IT risk leader demonstrate your personal value to the business. In a survey of 158 business and 100 IT leaders in seven countries conducted by George Westerman of the MIT Sloan Center for Information Systems Research and your author here, the desired outcomes of IT risk management were: avoiding negative incidents, managing costs, ensuring that current functionality is aligned with business needs, and supporting changes in the business. Three of the four are solidly business-focused.
What is troubling, as I talk with a range of enterprises, is the similarity of the problems that organizations face. Taken together, these five actions can set the stage for avoiding the majority of unpleasant "surprises." A more systematic approach to risk management has the power to "see in dark corners" and fix problems. Yet risk management is not an end in itself; the objective is always to achieve better business performance outcomes.