Commercial espionage. Compliance. Crazy weather. Credit default swaps. Risk is everywhere and if you're just trying to minimize it within IT, you're missing the point.
Instead, learn to be a "risk intelligent" CIO who can help your organization wisely take--and profit from--risks.
1. Get Your Own House in Order First
You should certainly identify and plan for events that can affect your ability to provide a stable, available, protected, and recoverable technology infrastructure. But you have to look beyond risk that directly encroaches on IT's turf, such as network violations or data breaches, and see more broadly where in the organization technology can play a role in protecting - or exposing -- assets.
"So many IT departments I see are really only managing IT perimeter risk, or data breach losses, but nobody's doing anything about intellectual property," says Brian Barnier, a risk advisor with ISACA and principal analyst at ValueBridge Advisors in Norwalk, CT. And over-communicate risk priorities to your technology staff, because they may be focused on a more granular set of threats than you are.
2. It's Not (Just) About Compliance
Yes, compliance with Sarbanes-Oxley, HIPAA, and a host of other regulations is obviously a piece of the risk management puzzle. But don't let it drive your approach. "When we talk about risk intelligence, it's the CIO understanding that he or she is providing the core information technology infrastructure to support the business, and understanding all the things that put you at risk," says Deloitte & Touche LLP Principal Bill Kobel. Instead of focusing only on compliance, ask whether you have the right kind of people and technology to stay ahead in your market. But if you're stuck in the compliance mindset and running around filling out checkboxes on paperwork, you've lost sight of business objectives, Barnier says.
3. Enterprise Risk Management Is a Career Opportunity
The CIO is very well positioned to drive an enterprise-wide, more sophisticated approach to managing risk. Especially in companies that are very dependent on IT-driven processes, the CIO usually has the best access to information.
"The more the CIO understands about the business processes, and the business dependencies on IT, the more the CIO can be a real advocate in the C-suite of doing risk management right," says Barnier. A CIO who's implemented an IT-oriented risk framework "can easily flip it right back into a driver of enterprise wide risk management," he adds. That can help the CIO personally and help their organization drive more profitable revenue by taking risks where they make sense.
4. There Are Cheat Sheets
While no one can save you the hard work of understanding the risks connected to all your technology and business operations, there are multiple frameworks and standards that can put you on the road to good practices. Important ones include Risk-IT from technology governance nonprofit ISACA (the group is best known for COBIT, a more general enterprise IT management framework) and ISO 31000. But be mindful about how you apply those frameworks, Kobel warns.
Frequently, specialists in a company understand different domains of a framework - such as security, privacy, business continuity, or compliance - and the framework winds up being used at what he calls a sterile, tactical level of controls and requirements rather than being connected to the way the business really operates.
5. The Bad Guys REALLY Know Your Business
If you aren't connecting risk management directly to business processes, you must realize that your opponents are. The bad guys are probing for vulnerabilities by looking at your fundamental operating behavior, at your products and services, Kobel says, and figuring out how to attack you either through social engineering or through your infrastructure.
The same goes for insiders: "They have an innate knowledge of a business process, or a set of activities, and they begin to navigate through the seams, to circumvent internal controls to achieve their objective," Kobel says. "What they're doing is targeting the business side."