Mitigating Operational Risks - Advice for CIOs


Other areas to analyse?

I have listed a handful of categories to consider as well as some relevant questions that should give an indication of the current risk situation. Depending on your line of business you may want to expand that list with areas like SW development and testing, operations, manufacturing, logistics and so forth.

IT processes

It is vital that the IT function regularly documents processes, code changes, configurations and so forth. Unfortunately, it is also common that "fire fighting" daily issues interferes with proper standards and procedures, documentation, training and BDR planning and rehearsals. When was the last full-scale BDR exercise held? What does the change management documentation look like? Are all processes and procedures documented? Is ITIL implemented? Are job and role descriptions in place? As an example, I was in close contact with a large business that had invested in process development throughout the Group, except for the IT function and its project management processes.

HR and the IT organisation

What has the HR function to do with operational risk? It is about ensuring that the right competencies are in place within IT and that they do not represent single points of failure. Do you have succession plans and relevant documentation in place allowing a quick replacement, should key staff suddenly leave? Many years ago an entire IT operations team resigned the very same day in an international company that was planning to outsource IT operations; the company had no choice but to re-hire the entire team as contractors, at a significantly higher cost.

IT strategy and governance

Do you have a documented, approved and communicated IT strategy? Are there technical and system road maps and an architectural target picture in place? Are there performance management controls to effectively monitor and control the IT function's delivery? Is IT represented at C-level, or does IT report to the CFO or COO with financial savings as the number one responsibility? Global companies that failed to align IT strategies with market opportunities such as digital innovation include a well-known photo technology provider and one of the oldest music industries in the world.

CSR

CSR, including environment, has rapidly grown in importance. Are there processes and technology in place that minimise energy consumption by IT and in premises? Do you measure the reduction of paper consumption and air travel? Is there an environmental policy communicated throughout the organisation? Does the organisation have control of subcontractors (child labour, environmental issues)? Is management in control of how international business is carried out across the globe? The effects of not having CSR controls in place can be severe, as a leading Nordic telecom provider recently experienced.

Finance processes

There are a number of operational risks that relate to finance. Examples of materialised risks might relate to a lack of, or incorrect, reconciliation in Accounts Payable and Receivable, incorrect VAT or interest rates, or interest fees on late payments. Keywords include transaction intensity, automated reconciliation and any previous history of incorrect or late payments (where a lack of errors might itself be an indicator).

Other processes include "Record to Report", "Order to Cash", management reporting and business intelligence. For example, it is crucial that customer bonuses are calculated on actual booked sales, not estimated sales, and that BI development is properly tested like any other system development project.

I have personally seen a case where managers did not book larger received invoices during end-of-quarter, seemingly to "improve" the business unit's result and hence bonuses, which, if actually the case, is defined as fraud or fraudulent behaviour. Publicly known fraud cases include several global companies in Banking and Financial Services.

Finally, it is important to ensure that IT is on standby to support the Finance and payroll systems during end-of-month and salary processing, as a delay might cause significant losses.

IT security

Obviously this is one of the most complex, complicated and important risk mitigation areas, and one that most companies are in good control of. Many organisations have a CSO working full time on IT security. There are other types of security risks that we want to control, including information security and physical security (access to premises). Sometimes it is hard to separate Security from IT delivery; disaster recovery planning, for example. However, as long as the CIO manages both, the business should be in good hands.

Personally, because of my technology skills, I have always relied partly on subject matter experts dealing with IT security risks. Examples of questions to ask as part of an assessment include: the history of security breaches and attempts and their frequency, and the results of external penetration tests and security audits. Are documented and tested fall-back procedures relating to relevant IT and telephony in place? When did IT and senior management perform the last disaster recovery exercise? Is there a communicated information security policy in place, and is it understood? When addressing IT security, it is important to investigate any outsourced IT, which leads us to the final risk area.

IT vendors

I recently wrote an article for another journal (CFO World) where I stated: "I will now reveal a hidden truth; most 'leading' IT vendors have little or no control over their operational risks!" If we take that into account we can, and should, assess operational risks outside our organisation the same way as we do internally. The major difference is about getting access to information and about understanding the contractual agreements and legal implications if an IT vendor causes, directly or indirectly, significant disturbances and financial losses to your business. An SLA 'guaranteeing' 99.99% availability is nice to have, but what if the penalty clause only offers a fraction of the losses incurred in our business during a prolonged period of downtime? It is difficult to assess all the legal documentation in retrospect, especially if a former employee was responsible for the outsourcing deal. My advice is to at least look into the most important agreements, and to do this together with an expert IT lawyer.

Finally, software licences and fixed assets (computers, tablets, cell phones) that are improperly managed can mean significant additional costs, including penalties or even lawsuits. Do you have a functioning process, a properly maintained AD and a Fixed Assets directory in place? Do all employees sign for hardware and mobile devices, and are you in control of all the software that is used, and not used?

When to consider making an Operational Risk Analysis?

Companies with operational risk as a regular agenda item at Board of Directors and Executive Team level, where operational risk management is a clearly defined C-level responsibility, as well as organisations performing internal IT audits on a regular basis, are likely to be in better control. Regardless, I would recommend an operational risk assessment to be made:

  • Prior to strategic decisions about major development or ERP projects, transformations, outsourcing or other strategic ventures; here an independent risk review is recommended.
  • As newly appointed and externally recruited Chairman, CEO, CFO or CIO.
  • Should the Board have doubts about management's ability to control the operational risks.

I recently spoke about operational risks with a NED in a listed company who told me: "There are some boxes in this company that we do not wish to open". Pretty scary stuff!

The bottom line: as CIOs it is our responsibility to mitigate and minimise operational IT risks in the businesses we work for. Doing this correctly and effectively will save money even if it may not make us into headline news. However, the better we mitigate operational IT risks, the smaller the 'chance' that we become headline news for all the wrong reasons.

Bjorn Ovar Johansson is a Manchester-based interim CIO with a background in Senior IT Leadership roles across Europe


Copyright © 2015 IDG Communications, Inc.
