Mitigating Operational Risks - Advice for CIOs

After 15 years in different businesses across Europe and having come across hundreds of IT leadership role descriptions, I believe two of the most relevant yet underestimated are Performance Management and Operational Risk Mitigation.

Having covered performance management last month, I will now present some advice on operational risk mitigation, which I regard one of the most important areas to measure and control as CIO. My ambition is to give an introduction and to present examples of why I believe it is vitally important that we know how to manage this discipline.

One of the first things I do as incoming CIO, interim or permanent, is to quickly assess the situation regarding operational risks, especially in IT, however also in other relevant parts of the organisation. Based on that high-level assessment I know significantly more about inherent risks, awareness (or risk appetite) and can prioritise my work going forward.

What is Operational Risk?

Operational risk is defined (after Basel II) as the risk of monetary losses as a result of faults and errors in process, technology or skills or due to external factors, operational risk may also include other risks such as fraud, legal, physical, and environmental risks.

A Practical Approach

There are ways to quickly introduce or improve risk mitigation and thus increase quality, which in turn can lead to cost reductions and improved control over both IT and operational risk. I recommend that Executive management, including the CIO and the IT function, work together to identify, prioritise and reduce operational risks over time.

There are various ways to apply operational risk management; more formal models and frameworks, including establishing a risk audit and control function, which might be preferable in large companies and in the financial sector. However, many organisations benefit from a more pragmatic and hands-on methodology, which include;

  • Identification of risks and risk areas.
  • Analysis, compilation and assessment of current risks.
  • Assessment of risk levels - if possible including financial implications.
  • Decisions about actions (activity plans and budgets).
  • Decisions and introduction of risk management model, tools and governance.
  • On-going risk mitigation as part of daily operations.

By identifying, documenting, analysing and assessing operational risks across the board we can quickly get an understanding of current risk level and what needs to be done.

The next step is to prioritise and mitigate risks on a tactical level by reducing the most acute risks and make a plan for future risk reduction. In some areas, such as IT security, major programmes and vendor management, it might be wise to consult an independent specialist.

Finally, the organisation should introduce a governance model and tools such as a risk log and a dashboard for risk mitigation reporting. A risk committee, especially if there are several major risks, might be worthwhile. The CFO or CIO can, together with other executives, lead the strategic work to reduce risks over time. The risk committee can report to the management team, or even to the Board, once or twice per year.

Focus Areas

The level of complexity depends on the type of business, number of functions, processes, and maturity level and so forth, and each business has a unique set of operational risks. In my opinion however, there are a couple of key categories to always look into early on:

  • Risks with regard to major transformations or the total project portfolio (I refer to this as Change Management).
  • Management and control of the IT function and IT delivery internally and externally, if services are outsourced.

I focus on these areas first since, according to my experience, they represent if not the most common risks, certainly the risks which are likely to cause significant economic damage compared to most other operational risks in general.

Change Management

It is a fact that major transformations that are not properly planned, managed or governed might in fact jeopardise an entire business – I am referring to "Black Swans". One single IT programme that exceed budget by two or three times, or a project portfolio out of control, may inflict significant financial damage and even risk the company's existence. There are several recent examples in Banking, Life Science and in the Public sector where large programmes spun out of control, causing multi-million pound losses. As seasoned CIOs we are aware of these risks, however, if you have less experience as transformation director you may want to consider bringing in an external advisor to help in the risk assessment and with programme governance.

IT Delivery and Reliability

This is another well-known area for CIOs. But still, don't underestimate the risks! I have experienced an international company with a non-redundant core business system, one listed company where the communication network had a single point of failure just outside the head office and one company that had outsourced its WAN to a vendor that did not provide a back-up solution causing 24 hours total downtime for that business.

Almost daily, we read headlines about major IT disturbances in Banks, Food and Retail, Transportation (even airports), the Public sector and others including some of the largest and most successful IT companies.

What can CIOs do in order to avoid major business disruptions due to IT glitches? Properly introduced ITIL, ISO certifications and so forth are helpful. Bottom line though, it is about investigating all relevant areas from server rooms, hardware, networks, power supply, Business Disaster Recovery planning, configuration and change management and so forth. It can be helpful to look at the history of IT disturbances and to understand, not only frequency and severity, but what the organisation has done to make sure the root cause was resolved. This is nothing but hard and continuous work and work that should be prioritised.

Related:
1 2 Page 1
Page 1 of 2
Security vs. innovation: IT's trickiest balancing act