Posts Tagged ‘risk management’

CIOs Need To Get Involved In Some Risky Business

Wednesday, April 21st, 2010
Risky Business Can Be Good If You Are A CIO

What You Don’t Know About Risk Might Hurt You

Does anyone besides me remember the movie “Risky Business” from the ‘80s? You know, it’s the one that launched Tom Cruise’s career – he plays a kid who takes some big chances, has an adventure, and then ends up with the girl in the end. Well, CIOs have an opportunity to star in their own version of Risky Business – but their role has to do with selecting and implementing risk management applications that just might save the company…

All About Risk-Management Solutions

The global economic meltdown of 2008-2009 revealed that most companies really have no idea what kind of risks they are taking when they make business decisions. The world has gone global and so just about every decision that a company makes could come back to haunt it. If only there was some way to see into the future.

Sadly, a magical crystal ball that will reveal the effects of a company’s decisions has not yet been invented. However, we’ve already got the next best thing: risk-management systems.

As more and more companies start to investigate how a risk-management system could help them to make better decisions, the opportunity for future CIOs to step up and lead the charge has arrived. Robert Iati over at the TABB Group says that spending on risk-management solutions grew at 11.5% from 2009-2010.

As a future CIO, you may be called on to help sort out just exactly what kind of risk-management solution would work best for your company. Many solutions are designed specifically for financial services firms (this is where this type of application was born after all). However, there are a number of solutions that allow firms in non-financial industries to monitor operational risks.

How To Use A Risk-Management Solution

The way that a risk-management system works is by collecting information from other systems and then processing it. The CIO is going to play a big role in making sure that the needed data is both accessible and available in a timely manner. Depending on the type of data, the risk-management system may need near real-time updates and this can put a strain on even the best run IT department.

As we in IT are only all too well aware, any risk-management application is only going to be as good as the quality of the data that is being fed to it. This means that there may be additional data scrubbing and / or normalization activities that need to take place before the data is presented to the risk-management solution.

After having gone through the effort of selecting, purchasing, and hooking up a complex risk-management solution, the CIO has one more role to play – doubter. We all know how this goes: an application cranks out a pretty-looking result and everyone stands around looking at it as though it had just come down the mountain carved into a couple of stone tablets.

The CIO needs to be the one to step back and remind everyone that any risk-management solution is not some sort of magic box no matter how much data you might be feeding into it. Instead, everyone needs to be reminded that the application is telling you what might happen in the future. It will tell you what you should do, but it won’t take the action for you – that’s going to still require human decision making.

What All Of This Means For You

We’re always talking about that IT / Business alignment thing and trying to come up with different ways to make it happen. The global economic crisis of 2008-2009 has caused firms to start to seek out risk-management solutions and this opens a door of opportunity for CIOs to help out the business.

There are many different types of risk-management solutions and a CIO can help with the selection process. The system needs company data in order to operate correctly and where that data will come from (and how frequently) is something that the CIO will need to determine.

Opportunities to use IT to help out the entire company like this don’t come along often enough. CIOs need to seize this moment and use it to once again show the value of the IT department to the rest of the company.

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills

Question For You: Do you think that a CIO should play a role in selecting which risk-management solution a company chooses?

What We’ll Be Talking About Next Time

I’m sure that when you picture yourself becoming a CIO in the future you see yourself sitting at the corporate strategy table with the CIO using your deep understanding of IT to help the company move faster and do more. Umm, one problem with that vision – you’re not going to make it to the big table if you don’t solve the problem of run-away IT costs…

Risk Management In IT: How Do You Do It Correctly?

Monday, November 10th, 2008
IT Departments Need To Do A Better Job Of Risk Management

The financial melt-down of 2008 had at its core one simple mistake that a whole bunch of companies made at the same time: they did a lousy job of risk management. They made investments in things that were very risky without realizing just how risky they really were. IT departments face the same challenges: at the start of each year we have a number of different projects that we could possibly work on; however, we rarely if ever do a good job of evaluating the risk associated with each of these projects. Instead we focus on things like ROI, business alignment, and which Sr. VP is sponsoring the project to make our decisions. If we don’t want to get caught in our own special version of an IT meltdown, then we had better see if we can figure out a way to measure the risk of an IT project…

So what is risk when you are talking about an IT project? In the simplest terms risk is the chance that an IT project will fail to produce the results that you are expecting because of a given event or set of events. The purpose of risk management is to make sure that you fully understand the risks associated with a project before you start it as well as managing those risks while you are working on the project.

In the world of IT projects, risk is more often than not associated with the company data that we are in charge of collecting, maintaining, and processing. IT teams need to retrain themselves to focus on the value of the data that an IT project is going to be processing and then determine the likelihood that the project won’t be able to do the processing, or in the worst case will corrupt or lose some / all of that data.

What’s really interesting is that outside of IT, the rest of the business has always used risk analysis to determine when they should roll out new products, determine how to spend marketing budgets, and pick which capital investments they want to make. Implementing a good risk management practice within the IT department is yet another way that CIOs can better align their departments with the rest of the business.

Risk management needs to be baked into all of the steps in your IT department’s projects. This runs from project planning all the way to post-production. Everyone knows that fixing a risk earlier in the process is much cheaper than trying to fix it later on down the line.

How much is all of this going to cost? Actually, a fair amount if you end up doing it correctly. You’re going to have to spend money to determine the value of proposed projects, product lines, and any proposed services. Next you’ll have to assign risks to each of these. This can be quite time consuming; however, the process will pay off over time. The key is to have a strategy for how you want to go about doing this. Focusing on where you want the IT department to be in 5 years is a key part of the process because you want whatever project you select to help you to get there.

How can you tell if all of this effort is worth it? There are actually three ways to go about doing this. Most firms use internal audits in order to determine if their IT risk management activities are paying off. Depending on the industry that you work in, another way is to use regulatory compliance as your measure. Finally, external audits are an expensive but more complete way to measure your effectiveness.

In most IT departments that have an effective risk management function, the funding for the activity comes out of the IT budget. In most companies the belief is that a well-executed risk management program will end up saving them money.

In the end, a risk management program will help your IT department to choose the right projects to work on. Once those projects are selected, then it will help you to develop risk mitigation policies, and fix risk vulnerabilities that may end up yielding process efficiencies. It goes without saying that all of this can end up helping a company meet its regulatory compliance needs.

Does your IT department have a way of evaluating the risk of proposed projects? Does your risk management process exist throughout your project process from start to finish? Have you been able to see any savings since you implemented your risk management program? Leave a comment and let me know what you are thinking.