Antonio Vázquez sees the potential for problems everywhere.

Vázquez, who started in January 2021 as the first CIO at tech company Bizagi, offers a lengthy list of areas where something could go wrong: security, data privacy, compliance, vendor relationships, cost management, employee access to systems, staffing, and IT projects.

He's thinking about whether employees understand and follow the company's cybersecurity policies and standards; whether his vendors and suppliers will modernize at a pace that meets his company's needs; whether supplier costs will spiral; and whether transformational investments will deliver the experiences that customers want — or instead jeopardize the relationship with them.

"From the moment you think about projects, contracts, or new procedures, you also have to think about risk," Vázquez says, noting that the past year has shown everyone that new, unexpected risks can arise at any time.

He adds: "The landscape has changed quite a bit, and maybe two years ago we felt we had everything under control. Now we see we sometimes don't. You could have in place the best documents and standards but suddenly something happens and everything changes."

There's nothing new about the need for enterprise leaders to identify risk and understand their appetite and tolerance for it. But the types of risks they face are changing, as is the velocity of those changes, forcing many organizations to evaluate and re-evaluate their thresholds for acceptable risk more frequently.

The CIO's role in these discussions is also evolving, as technology has become ever more critical to the enterprise's success and survival — as the pandemic and other recent events have shown. That leaves CIOs tasked with assessing new areas of risk as well as resetting their risk appetite, tolerance, and threshold — all of which are shifting as they face a post-pandemic world of new challenges and new business opportunities.

Antonio Vázquez, CIO, Bizagi

"It goes to how much risk you can bear, and it's going to be different depending on each project and process. And for many CIOs it has changed; post-pandemic, you find the parameters for risk have shifted," Vázquez says.

A new era of IT risk

Even as CIOs deal with more risks than ever before, the consequences of misjudging those risks are getting higher. Organizations have become completely dependent on robust systems for all of their functions, so falling back to pen and paper in a pinch is no longer an option.

CIOs must get the risk calculus right — and they have a lot to take into consideration.

Security risks top many CIOs' lists of concerns, for example. The rash of ransomware attacks during the late spring, including the May 2021 attack on Colonial Pipeline that was blamed on an unprotected VPN, certainly highlights the challenges for CIOs in this area.

CIOs are increasingly focused on compliance risk, too, as more regulations and laws such as the "right to be forgotten" require them to know accurately where data resides.

Benjamin Rehberg, managing director and senior partner, Boston Consulting Group

"That's a function of the technology landscape and the architecture and the applications you have in your shop," explains Benjamin Rehberg, managing director and senior partner at Boston Consulting Group. "And the more you're not clear on what is the actual single source of truth, and whether your systems only access that single source of truth, the greater the compliance risk."

Risks associated with legacy systems are also top concerns. The pandemic highlighted those risks, as organizations that had replaced old technology with cloud solutions shifted to remote work and new business models more easily than those stuck with older systems.

On the other hand, modernization and transformation efforts — along with the expected rapid pace for delivering them — also create risks that CIOs must consider.

"We're often pushed to deliver more and more quickly, and we're not taking time to get stakeholder feedback in a timely fashion," says Eric Naiburg, COO of Scrum.org. "And that's a risk because as the team keeps building more, it becomes harder to change. It causes delays because you're then going to have to rearchitect."

Vendor-related risks are also leading issues for CIOs. High-profile failures such as the 2020 SolarWinds breach demonstrate how problems with tech suppliers can introduce trouble within the enterprise IT shop and, thus, the organization as a whole. There are also risks to consider from the enterprise's ecosystem, such as those introduced by managed service providers and business partners. A system outage at a cloud provider, for example, can be a big risk for a CIO if that provider hosts a critical system.

Risks related to data integrity have also moved up the list. Organizations are increasingly relying on data to drive decisions, automation, and intelligent systems, according to Forrester analyst Alla Valente. As a result, many have seen their tolerance for less-than-perfect data integrity decrease.

Eric Naiburg, COO, Scrum.org

And then there are systemic risks external to the business: hurricanes, wildfires, recessions, and pandemics, to name a few.

How CIOs weigh all these risks varies from one organization to the next, according to the analysts, executive advisors, and CIOs interviewed on the topic. There doesn't appear to be an overarching trend beyond CIOs revisiting the issue more frequently as they work with their executive colleagues to plot their post-pandemic strategies.

"They're learning from what just happened and adapting, and deciding where and how to remove risks," Naiburg says.

The business context for strategizing risk

Saby Waraich, CIO of Clackamas Community College in Oregon, offers a similar, all-encompassing list when talking about risks. And like others, he says his tolerance for risk is shifting for a variety of reasons. For example, Waraich is reconsidering the risks the college's data center faces after a recent wildfire struck close to it for the first time.

In considering the risks that fall to him as CIO, Waraich sees them all as interrelated — and intertwined with the business. "There is no IT risk. We have to change that language and ask, 'What are the business risks?'" he says.

After all, if the data center catches fire, it won't just hamper IT; it stymies and could even temporarily shutter the organization as a whole.

Saby Waraich, CIO, Clackamas Community College

Waraich adds: "So if IT assesses these risks in a siloed approach, it won't be very successful [in that task]. You might make a decision, but if that's not what the business is concerned about, then it's not the right decision."

The pandemic reinforced the value of that approach, he adds. "Two years ago, more of the focus was on technology and the risk to technology. The pandemic was a wakeup call for CIOs to focus on business risks, so they can always keep the business running," he says.

Waraich assesses risks with that in mind, thinking about how problems or failures — whether at the data center or as a result of a transformational initiative — could impact business functions and the business as a whole.

He then identifies which risks could jeopardize business operations and to what degree, a process he uses to prioritize work that mitigates those risks, translating them into top IT goals.

For example, he considered the lack of round-the-clock staffing on the help desk an unacceptable risk given how many users need help at odd hours; he's implementing chatbots to help mitigate that risk.

Meanwhile, he's working with other college leaders to evaluate security protocols and technology controls in light of both increasing cyberattacks and rising cyberinsurance premiums.

Forrester analysts agree with that approach. "Technology risk is a business risk," says Naveen Chhabra, senior analyst for infrastructure and operations at Forrester.

According to Forrester, a growing number of organizations have created risk committees, with the CIO participating, to identify risks and establish risk appetite and risk tolerance. That helps provide direction on what the CIO needs to do within the IT domain to align with those parameters.

Bryce Austin, an experienced CIO and CISO now serving as CEO of the cybersecurity consulting firm TCE Strategy, similarly sees value in CIOs working alongside other executives on this topic. He notes that risks within IT don't only pose a risk to existing business functions but also present a risk to future business opportunities.

Bryce Austin, CEO, TCE Strategy

That's one reason he advises CIOs to think about risks alongside strategic planning and to adjust both as circumstances change. By framing the conversation around how risks, if they come to pass, could hurt strategic objectives, CIOs can better determine the tolerance they have for each risk within IT.

On the other hand, however, CIOs can't be too risk-averse — particularly now, as the world moves forward and prepares for whatever comes next, Rehberg says.

"CIOs who are willing to make very bold moves and who are willing to take a risk in the spirit of taking risks away will survive in the long run," he says. "Technology is now a strategic factor for how businesses go to market. That should help define the risk appetite and what a CIO should be willing to do. And that's a very individual company discussion, a joint business and technology decision."

Vázquez agrees, explaining that he embraces the notion of what he calls "risk by design" — an approach by which he identifies areas of risk, implements mitigations to bring those risks to acceptable levels, and adjusts if and when needed. That way, he says, the business is protected but IT isn't wasting resources by being overly cautious.