Archive for the ‘risk’ Category

How Guilty Are CIOs (and IT) In The Global Financial Crisis?

Wednesday, February 23rd, 2011
When Things Go Wrong, IT Always Plays A Role…

Global financial crises are no fun. Those of us in IT find ourselves just like everyone else standing around and scratching our heads trying to figure out just what happened. It turns out that IT may have been a big part of the problem – we are part of the reason that the crisis happened in the first place. What do CIOs need to know about this and how can it be prevented from happening again?

What Does IT Do In Today’s Financial Markets?

It really doesn’t matter what market your products play in, if you’ve read any newspapers or watched any TV in the past 9 months, then you know that the world of finance has gone from bad to worse. Each one of the stories about this global crisis seems to have included the name of one of the guilty parties: IT.

It wasn’t always this way. Roman Beck recently wrote about how two dramatic events have shown just how resilient the world of financial IT systems is. The attacks on September 11, 2001, on the American financial district should have brought the U.S. financial clearing and settlement systems to a halt. But they didn’t. Instead, just a mere 3 hours after the attack the backup finance IT systems were up and running in international locations and U.S. currency processing was once again running normally.

The second major event was the attack on the London Stock Exchange (LSE) on July 7, 2005. In this case, the LSE could not handle the tsunami of automated trades that hit it when it was partially shut down. A few calls to trading firms got them to turn their “black box” trading systems off for a few hours and that gave the LSE IT systems enough time to get back up on their feet.

Beck points out that these were attacks that came from the outside and the financial IT systems were able to deal with them. However, the global financial crisis was caused by internal issues and this is where the CIOs who are in charge of the financial IT systems dropped the ball…

What Happened To All Of The Liquidity?

In the current global financial crisis, what started as a serious problem got out of hand quickly because of what was done with the financial IT systems that were involved. Everything started when Northern Rock, the 5th largest bank in the U.K., failed in February of 2008. This caused ripples, but not waves in the financial industry. However, when Lehman Brothers failed on September 15, 2008, everything came crashing down.

In the world of finance, Lehman Brothers acted as an investment bank. Basically, they were in the middle of other people’s financial transactions. When they went away, it caused everyone to have to rethink their risk exposure.

If Lehman Brothers could fail, who would be next? The IT systems that the financial firms were using automatically traded money between firms. It turns out that when Lehman Brothers failed, there were hundreds of millions of dollars in the system already flowing to Lehman Brothers – and there was no way to stop this from happening.

In order to prevent sending additional money to failing institutions, all of the CIOs in the financial markets instructed their teams to “pull the plug”. This brought the global financial IT infrastructure to a halt. This all happened for one simple reason: financial firms had no way to calculate the credit risk at the same speeds that they were doing transactions.

The Problem With Exchanging Data

Ultimately this all comes down to a problem that financial industry CIOs have not been able to solve: how to exchange financial data. It seems strange that an industry that has been built on IT systems has not been able to solve such a fundamental problem.

One of the reasons that this has gone unsolved for so long is the simple fact that the modern financial market is driven by products – lots of products. The time between when a new financial product is dreamed up and when it starts to be sold is very, very short. Trying to standardize just exactly what is being traded would always be playing a game of catch up.

There are solutions out there that could at least start to address these issues. The Financial products Markup Language (FpML) is one such standardization approach.

Financial industry CIOs have a responsibility to change how they do business so that another global financial crisis like the one that has occurred recently does not happen again. To do this they are going to have to find ways to support the calculation of the risk of each financial transaction just as quickly as they support the transactions themselves. It’s not going to be easy to do, but it is going to be necessary.

What All Of This Means For You

Like it or not, IT is truly at the heart of almost everything that a business does. While this makes both IT and the role of CIO more valuable than they have ever been, it also means that IT plays a role in every unfortunate business event that occurs.

The recent global financial crisis came about due in part to the high-speed IT systems that made it so easy to quickly develop new financial products and trade them in milliseconds. What was lost in all of this was the simple fact that the ability to calculate the risk of a trade had not kept pace, and therefore trades were being made in which neither party had the IT tools that they needed in order to properly evaluate that risk.

CIOs run the IT department and ultimately they are responsible for the tools that IT produces and how they are used. It appears as though the world is going to eventually recover from this financial crisis. However, we might not be so lucky next time and so it’s the responsibility of CIOs to make sure that there is never a “next time”…

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that some CIOs should have gone to jail or lost their jobs because of their role in causing the global financial crisis?

What We’ll Be Talking About Next Time

With a little luck, every CIO realizes that they are only as good as the people that they have working for them. What this means is that they need to be a good boss if they want to be successful. This leads to a critical question: how good of a boss are you? It turns out that most of us seem to think that we’re a better boss than we probably really are…

CIOs Need To Get Involved In Some Risky Business

Wednesday, April 21st, 2010
Risky Business Can Be Good If You Are A CIO

What You Don’t Know About Risk Might Hurt You

Does anyone besides me remember the movie “Risky Business” from the ‘80s? You know, it’s the one that launched Tom Cruise’s career – he plays a kid who takes some big chances, has an adventure, and then ends up with the girl in the end. Well, CIOs have an opportunity to star in their own version of Risky Business – but their role has to do with selecting and implementing risk management applications that just might save the company…

All About Risk-Management Solutions

The global economic meltdown of 2008-2009 revealed that most companies really have no idea what kind of risks they are taking when they make business decisions. The world has gone global and so just about every decision that a company makes could come back to haunt it. If only there was some way to see into the future.

Sadly, a magical crystal ball that will reveal the effects of a company’s decisions has not yet been invented. However, we’ve already got the next best thing: risk-management systems.

As more and more companies start to investigate how a risk-management system could help them to make better decisions, the opportunity for future CIOs to step up and lead the charge has arrived. Robert Iati over at the TABB Group says that spending on risk-management solutions grew at 11.5% from 2009-2010.

As a future CIO, you may be called on to help sort out just exactly what kind of risk-management solution would work best for your company. Many solutions are designed specifically for financial services firms (this is where this type of application was born after all). However, there are a number of solutions that allow firms to monitor operational risks in their non-financial industry.

How To Use A Risk-Management Solution

The way that a risk-management system works is by collecting information from other systems and then processing it. The CIO is going to play a big role in making sure that the needed data is both accessible and available in a timely manner. Depending on the type of data, the risk-management system may need near real-time updates and this can put a strain on even the best run IT department.

As we in IT are only all too well aware, any risk-management application is only going to be as good as the quality of the data that is being fed to it. This means that there may be additional data scrubbing and / or normalization activities that need to take place before the data is presented to the risk-management solution.

After having gone through the effort of selecting, purchasing, and hooking up a complex risk-management solution the CIO has one more role to play – doubter. We all know how this goes: an application cranks out a pretty looking result and everyone stands around looking at it as though it had just come down the mountain carved into a couple of stone tablets.

The CIO needs to be the one to step back and remind everyone that any risk-management solution is not some sort of magic box no matter how much data you might be feeding into it. Instead, everyone needs to be reminded that the application is telling you what might happen in the future. It will tell you what you should do, but it won’t take the action for you – that’s going to still require human decision making.

What All Of This Means For You

We’re always talking about that IT / Business alignment thing and trying to come up with different ways to make it happen. The global economic crisis of 2008-2009 has caused firms to start to seek out risk-management solutions and this opens a door of opportunity for CIOs to help out the business.

There are many different types of risk-management solutions and a CIO can help with the selection process. The system needs company data in order to operate correctly and where that data will come from (and how frequently) is something that the CIO will need to determine.

Opportunities to use IT to help out the entire company like this don’t come along often enough. CIOs need to seize this moment and use it to once again show the value of the IT department to the rest of the company.

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills

Question For You: Do you think that a CIO should play a role in selecting which risk-management solution a company chooses?

What We’ll Be Talking About Next Time

I’m sure that when you picture yourself becoming a CIO in the future you see yourself sitting at the corporate strategy table with the CIO using your deep understanding of IT to help the company move faster and do more. Umm, one problem with that vision – you’re not going to make it to the big table if you don’t solve the problem of run-away IT costs…

Who You Going To Call When IT’s Down? NOBODY!

Thursday, November 20th, 2008
Every IT Department Needs To Have A Business Continuity Plan

Quick question: does your IT department have a business continuity plan? If you don’t or, even worse, if you’re not sure then basically you are going to eventually lose your job. How many of us work in a building that at least once a year has a fire drill? We all look around, stand up and go outside where we mill around for 15 minutes before they let us back in the building (except for those folks who use this as an opportunity to take off for the rest of the day!) Gosh, if we are willing to do that much work to prepare for a fire, shouldn’t we be doing at least as much to prepare for something happening to our IT systems?

I suspect that if you talk to any firm that works in New Orleans or New York City, they probably have an IT business continuity plan – they’ve learned the hard way just how valuable one of these is. Now for the rest of us, what are we waiting for – the eventual arrival of Bird Flu?

One of the big problems that IT has is that we never remember to budget for a disaster plan. It turns out that these things actually do cost money and they take time and planning to put in place. We end up buying more boxes, wireless access points, and PDAs and then the money is all gone and we still don’t have a disaster plan.

So how should an IT department go about creating a disaster recovery plan even if they have very little funding? Simple, assign responsibility to a group of IT staffers and then give them an outline of what they need to create. What they basically need to do is to identify all of the IT processes that your department uses to run the business. Next, they need to prioritize which ones are critical and MUST NOT GO DOWN, or at least need to be the first ones to come back up. The result of this type of internal inspection can be quite surprising. More than one firm has come to realize that the processes that they thought were mission critical were instead nice to haves and the processes that they had not been paying attention to were in reality the ones that they could not afford to do without.

The difference between a disaster recovery plan which everyone gives lip service to and a business continuity plan is that you can take months or even years to implement a disaster recovery plan. However, an IT business continuity plan tells you what you are going to be doing in order to keep the firm’s doors open the day after a disaster strikes. In other words, it deals with a much shorter timeframe. In these darkest hours, everyone in the firm is going to be running around trying to figure out what to do. This is the time that a CIO and an IT team that has planned ahead can really shine.

Everyone will remember you if you have a good IT business continuity plan. Oh, and they will REALLY remember you if you don’t…!

Does your firm have an IT business continuity plan? When was the last time that you tested it? Is it a “living document” or does it sit in a binder on someone’s desk? Leave me a comment and let me know what you are thinking.

Risk Management In IT: How Do You Do It Correctly?

Monday, November 10th, 2008
IT Departments Need To Do A Better Job Of Risk Management

The financial melt-down of 2008 had at its core one simple mistake that a whole bunch of companies made at the same time: they did a lousy job of risk management. They made investments in things that were very risky without realizing just how risky they really were. IT departments face the same challenges: at the start of each year we have a number of different projects that we could possibly work on; however, we rarely if ever do a good job of evaluating the risk associated with each of these projects. Instead we focus on things like ROI, business alignment, and which Sr. VP is sponsoring the project to make our decisions. If we don’t want to get caught in our own special version of an IT meltdown, then we had better see if we can figure out a way to measure the risk of an IT project…

So what is risk when you are talking about an IT project? In the simplest terms risk is the chance that an IT project will fail to produce the results that you are expecting because of a given event or set of events. The purpose of risk management is to make sure that you fully understand the risks associated with a project before you start it as well as managing those risks while you are working on the project.

In the world of IT projects, risk is more often than not associated with the company data that we are in charge of collecting, maintaining, and processing. IT teams need to retrain themselves to focus on the value of the data that an IT project is going to be processing and then determine the likelihood that the project won’t be able to do the processing, or in the worst case will corrupt or lose some / all of that data.

What’s really interesting is that outside of IT, the rest of the business has always used risk analysis to determine when they should roll out new products, determine how to spend marketing budgets, and pick which capital investments they want to make. Implementing a good risk management practice within the IT department is yet another way that CIOs can better align their departments with the rest of the business.

Risk management needs to be baked into all of the steps in your IT department’s projects. This runs from project planning all the way to post-production. Everyone knows that fixing a risk earlier in the process is much cheaper than trying to fix it later on down the line.

How much is all of this going to cost? Actually, a fair amount if you end up doing it correctly. You’re going to have to spend money to determine the value of proposed projects, product lines, and any proposed services. Next you’ll have to assign risks to each of these. This can be quite time consuming; however, the process will pay off over time. The key is to have a strategy for how you want to go about doing this. Focusing on where you want the IT department to be in 5 years is a key part of the process because you want whatever project you select to help you to get there.

How can you tell if all of this effort is worth it? There are actually three ways to go about doing this. Most firms use internal audits in order to determine if their IT risk management activities are paying off. Depending on the industry that you work in, another way is to use regulatory compliance as your measure. Finally, external audits are an expensive but more complete way to measure your effectiveness.

In most IT departments that have an effective risk management function, the funding for the activity comes out of the IT budget. In most companies the belief is that a well executed risk management program will end up saving them money.

In the end, a risk management program will help your IT department to choose the right projects to work on. Once those projects are selected, then it will help you to develop risk mitigation policies, and fix risk vulnerabilities that may end up yielding process efficiencies. It goes without saying that all of this can end up helping a company meet its regulatory compliance needs.

Does your IT department have a way of evaluating the risk of proposed projects? Does your risk management process exist throughout your project process from start to finish? Have you been able to see any savings since you implemented your risk management program? Leave a comment and let me know what you are thinking.