In the digital era, IT isn’t part of the business, IT is the business. But as IT’s value has risen, so too has IT risk, and left unmanaged it can easily be the undoing of a company.
Most attention to technology-related risk is focused on information risk, aka “cyber,” but there is a broader set of risks enterprise leaders worry about, best called “IT risk.” IT risk is the potential for unexpected (typically negative) business results associated with the use, ownership and adoption of information technology. No Fortune 1000 company has gone out of business from a cyber-attack or an IT system failure. However, dozens of large companies have disappeared after being too slow to adapt to technology-driven changes in their business models.
IT risk is now a primary focus for assurance functions like enterprise risk management, compliance, legal and internal audit. Additionally, we’re hearing from IT leaders that their boards are asking hard questions about how IT risks are being managed. Unfortunately, most IT leaders do not have good answers to questions about these risks, because they don’t have the right people, governance structures or processes in place to manage IT risks effectively.
CIOs need to get serious about IT risk management. To do so they must internalize three imperatives to ensure that business leaders know how much IT risk they’re exposed to, and help those leaders manage that risk to the right level.
Imperative 1: Start focusing on the right risks
When asked about IT risk, most business leaders immediately think about a cyber-attack. This risk is salient and hence has long had a formal manager, the CISO. However, multiple studies show that data breaches are not material from a cost or long-term stock price perspective. Conversely, few leaders would think of the risks that are most existential in the digital era, risks like IT staff readiness for new roles or insufficient responsiveness to business needs.
To help broaden IT’s risk view, create a taxonomy of IT risks to be managed. This will define the scope of IT risk managers’ responsibilities and help everyone speak the same language about risks. To get started, expand the risks within these seven categories:
- IT talent (employees and contractors)
- IT capacity
- Reliability and quality
- Legal and compliance
- Security and privacy
- Business enablement
For example, IT talent risks can be expanded to include “insufficient staff,” “staff are not ready for today’s roles” and “staff are not ready for new roles.”
Imperative 2: Formalize management and governance over IT risk
With the risk taxonomy defined, the first step to formalizing IT risk management is to identify an entity responsible for holistic oversight of IT risks. Whether it’s via a single leadership role or management by committee, the responsible party must formalize risk management processes, ensure accountability for risk decisions and raise awareness of IT risks throughout the enterprise.
Second, ensure that risk decisions are left to the true owners of risk. Professional risk managers help identify risks and define and manage the process to analyze and treat them. But risk managers should not make risk treatment decisions since they lack the necessary understanding of the business context in which these decisions take place. Decisions made by risk managers are often more risk averse than the company’s risk appetite, which in turn slows productivity, agility and innovation.
Third, once responsibility for risk decisions has shifted to the risk owners, accountability must follow. For risk management to work, companies must take two steps to create operational discipline around risk accountability. To start, processes must include formal acceptance of accountability for risk decisions. Then companies must create management practices (such as reporting and incentives) to reinforce that accountability.
Imperative 3: Ensure IT staff understand their role in managing, and encouraging, informed risk-taking
IT staff have long been trained to view risk as a bad thing to be minimized and often see themselves as protecting technology from employees on the business line who “don’t get it.” But risk aversion hinders staff from taking the bold steps necessary to transform IT and the business in the digital era. It also creates friction with corporate functions that are more open to risk.
CIOs need to ensure their staff understand the company’s risk appetite and improve their comfort with risk. Top-down messaging should consistently reinforce an openness to risk-taking and failure. CIOs should implement bottom-up training, performance management and adjustments to hiring criteria to improve IT staff’s comfort with risk.