ITBusiness.ca

CIOs lack authority to assume responsibility for risk

Victor Oliva’s colleagues thought they had good reason to give him the nickname Dr. No. He was handling insurance-related issues for Irving Trust Co., a financial institution that was later bought by the Bank of New York. When projects were proposed that hadn’t been thoroughly researched, it was Oliva who waved the red flag. When a deal wasn’t properly financed or if it exposed the bank to liability, he was the one who turned it down. Someone had to. Though he doesn’t seem bitter about it now, the issue for Oliva is that he shouldn’t have been the only one.

“Who here is responsible for managing enterprise risk in your organization?” he asked during a presentation at Teradata’s Partners 2006 conference last month. A few hands went up. It was a trick question, because Oliva, now an analyst with Gartner Group, said risk is a burden everyone needs to carry. For IT professionals, risk management is something that begins and ends – if it begins at all – with tasks such as setting up a firewall and writing a disaster recovery plan.

Oliva has a much more comprehensive view. Think about offshore outsourcing deals, he said, which are based in countries that may be subject to significant geopolitical instability. Think of a Web-based application in one country that somehow violates the privacy laws of another country. This is an area Oliva calls enterprise risk management (ERM), something that doesn’t consist of a specific application but takes in corporate philosophy and operational hierarchies. “It can be managed, it can be handled, but we cannot take our eye off that ball.”

As Oliva pointed out, companies have managed (after considerable difficulty) to achieve a granularity of detail in the data that’s handled through customer relationship management or enterprise resource planning applications. Why not apply the same granularity to risk? He referenced the insurance companies that went out of business after Sept. 11, 2001. The companies that had insured the businesses in the World Trade Center would probably have known what kind of coverage their clients had in certain areas, but not in aggregate.

Consider the insurance such companies would pay to cover not only their employees’ lives, workers’ compensation and disability, but business interruption and the art that hung on their walls.

“They didn’t have that number,” Oliva said. Other enterprises are even less prepared.

Apart from acronym fatigue, I have a hard time imagining many CIOs putting ERM at the top of their priority list. For one thing, they lack the operational authority, while many COOs probably lack the IT expertise. Companies can appoint a chief risk officer, of course, but in the small- and mid-sized enterprises that make up most of Canada, that’s got to be the CEO. According to Oliva’s data, some 2,000 CEOs have changed within the Fortune 1,000 during the past 18 months. “These are people who have failed,” he said.

On the other hand, Oliva said organizations such as Standard and Poor’s were starting to base their company ratings, in part, on IT risk within a public company. If that doesn’t resonate at the CEO level, nothing will. ERM pressures, then, should be the force that turns CIOs and IT managers into the trusted advisors of senior management that they are supposed to be. That doesn’t mean creating specific ERM technologies but building ERM awareness throughout the IT department and incorporating it into the projects they lead. There’s a big difference between Dr. No and Dr. Know.
