Antonio Vázquez sees the potential for problems everywhere.
Vázquez, who started in January 2021 as the first CIO at tech company Bizagi, offers a lengthy list of areas where something could go wrong: security, data privacy, compliance, vendor relationships, cost management, employee access to systems, staffing, and IT projects.
He’s thinking about whether employees understand and follow the company’s cybersecurity policies and standards; whether his vendors and suppliers will modernize at a pace that meets his company’s needs; whether supplier costs will spiral; and whether transformational investments will deliver the experiences that customers want — or instead jeopardize the relationship with them.
“From the moment you think about projects, contracts, or new procedures, you also have to think about risk,” Vázquez says, noting that the past year has shown everyone that new, unexpected risks can arise at any time.
He adds: “The landscape has changed quite a bit, and maybe two years ago we felt we had everything under control. Now we see we sometimes don’t. You could have in place the best documents and standards but suddenly something happens and everything changes.”
There’s nothing new about the need for enterprise leaders to identify risk and understand their appetite and tolerance for it. But the types of risks they face are changing, as is the velocity of those changes, forcing many organizations to more frequently evaluate and re-evaluate their thresholds for acceptable risks.
The CIO’s role in these discussions is also evolving, as technology has become ever more critical to the enterprise in terms of success and survival — as the pandemic and other recent events have shown. That leaves CIOs tasked with assessing new areas of risk as well as resetting their risk appetite, tolerance, and threshold — all of which are shifting as they face a post-pandemic world of new challenges and new business opportunities.
“It goes to how much risk you can bear, and it’s going to be different depending on each project and process. And for many CIOs it has changed; post-pandemic, you find the parameters for risk have shifted,” Vázquez says.
A new era of IT risk
Even as CIOs deal with more risks than ever before, the consequences of misjudging those risks are getting higher. Organizations have become completely dependent on robust systems for all of their functions, so falling back to pen and paper in a pinch is no longer an option.
CIOs must get the risk calculus right — and they have a lot to take into consideration.
Security risks top many CIOs’ list of concerns, for example. The rash of ransomware attacks during the late spring, including the May 2021 attack on Colonial Pipeline that was blamed on an unprotected VPN, certainly highlights the challenges for CIOs in this area.
CIOs are increasingly focused on compliance risk, too, as more regulations and laws such as the “right to be forgotten” require them to accurately know where data resides.
“That’s a function of the technology landscape and the architecture and the applications you have in your shop,” explains Benjamin Rehberg, managing director and senior partner at Boston Consulting Group. “And the more you’re not clear on what is the actual single source of truth, and whether your systems only access that single source of truth, the greater the compliance risk.”
Risks associated with legacy systems are also top concerns. The pandemic highlighted risks associated here, as organizations that had replaced old technology with cloud solutions more easily shifted to remote work and new business models than those stuck with older systems.
On the other hand, modernization and transformation efforts — along with the expected rapid pace for delivering those — also create risks that CIOs must consider.
“We’re often pushed to deliver more and more quickly, and we’re not taking time to get stakeholder feedback in a timely fashion,” says Eric Naiburg, COO of Scrum.org. “And that’s a risk because as the team keeps building more, it becomes harder to change. It causes delays because you’re then going to have to rearchitect.”
Vendor-related risks are also leading issues for CIOs. High-profile failures such as the 2020 SolarWinds breach demonstrate how problems with tech suppliers can introduce trouble within the enterprise IT shop and, thus, the organization as a whole. There are also risks to consider from the enterprise’s ecosystem, such as those introduced by managed service providers and business partners. A system outage at a cloud provider, for example, can be a big risk for a CIO if that provider hosts a critical system.
Risks related to data integrity have also moved up the list. Organizations are increasingly relying on data to drive decisions, automation, and intelligent systems, according to Forrester analyst Alla Valente. As a result, many have seen their tolerance for less-than-perfect data integrity decrease.
And then there’s systemic risks external to the business: hurricanes, wildfires, recessions, and pandemics, to name a few.
How CIOs weigh all these risks varies from one organization to the next, according to the analysts, executive advisors, and CIOs interviewed on the topic. There doesn’t appear to be an overarching trend beyond CIOs more frequently revisiting the issue as they work with their executive colleagues to plot their post-pandemic strategies.
“They’re learning from what just happened and adapting, and deciding where and how to remove risks,” Naiburg says.
The business context for strategizing risk
Saby Waraich, CIO of Clackamas Community College in Oregon, offers a similar, all-encompassing list when talking about risks. And similar to others, he says his tolerance for risk is shifting for a variety of reasons. For example, Waraich is reconsidering risks the college’s data center faces after a recent wildfire struck close to it for the first time.
In considering the risks that fall to him as CIO, Waraich sees them all being interrelated — and intertwined with the business. “There is no IT risk. We have to change that language and ask, ‘What are the business risks?’” he says.
After all, if the data center catches fire, it won’t just hamper IT, it stymies and could even temporarily shutter the organization as a whole.
Waraich adds: “So if IT assesses these risks in a siloed approach, it won’t be very successful [in that task]. You might make a decision, but if that’s not what the business is concerned about, then it’s not the right decision.”
The pandemic reinforced the value of that approach, he adds. “Two years ago, more of the focus was on technology and the risk to technology. The pandemic was a wakeup call for CIOs to focus on business risks, so they can always keep the business running,” he says.
Waraich assesses risks with that in mind, thinking about how problems or failures — whether at the data center or as a result of a transformational initiative — could impact business functions and the business as a whole.
He then identifies which risks could jeopardize business operations and to what degree, a process that he uses to then prioritize work that mitigates the risks, translating those into top IT goals.
For example, he considered the lack of round-the-clock staffing on the help desk as an unacceptable risk given how many users need help at odd hours; he’s implementing chatbots to help mitigate that risk.
Meanwhile, he’s working with other college leaders to evaluate security protocols and technology controls in light of both increasing cyberattacks and rising cyberinsurance premiums.
Forrester analysts agree with that approach. “Technology risk is a business risk,” says Naveen Chhabra, senior analyst for infrastructure and operations at Forrester.
According to Forrester, a growing number of organizations have created risk committees, with the CIO participating, to identify risks and establish risk appetite and risk tolerance. That helps provide direction on what the CIO needs to do within the IT domain to align with those parameters.
Bryce Austin, an experienced CIO and CISO now serving as CEO of the cybersecurity consulting firm TCE Strategy, similarly sees value in CIOs working alongside other executives on this topic. He notes that risks within IT don’t only pose a risk to existing business functions but also present a risk to future business opportunities.
That’s one reason he advises CIOs to think about risks alongside strategic planning and to adjust both as circumstances change. By framing the conversation around how risks, if they come to pass, could hurt strategic objectives, CIOs can better determine the tolerance they have for each risk within IT.
On the other hand, however, CIOs can’t be too risk-averse — particularly now, as the world moves forward and prepares for whatever comes next, Rehberg says.
“CIOs who are willing to make very bold moves and who are willing to take a risk in the spirit of taking risks away will survive in the long run,” he says. “Technology is now a strategic factor for how businesses go to market. That should help define the risk appetite and what CIO should be willing to do. And that’s a very individual company discussion, a joint business and technology decision.”
Vázquez agrees, explaining that he embraces the notion of he calls “risk by design” — an approach by which he identifies areas of risk, implements mitigations to bring those risks to acceptable levels, and adjusts if and when needed. That way, he says, the business is protected but IT isn’t wasting resources by being overly cautious.