As we drift along in our little Information Technology”bubble”, it would be easy to look over at this rolling financial disaster and breath a sign of relief that this time it has nothing to do with us. But wait: that would be the wrong thing to think. This is the time for CIO’s to show innovation and that that they still bring value to the company. CIO’s and their IT team can, and indeed must, use this opportunity to quickly learn what went wrong here so that we don’t fall into the same trap. Errors in judgment by our CFO brethren, the inability to properly manage risk, and the failure of existing stress tests have already resulted in global bank losses of over $265 billion. IT could easily make the same mistakes (and in fact we might be doing so right now).
IT by it’s very nature has a great deal of risk associated with it. The subprime mess is a result of mismanagement of risk. The banks that have gotten walloped the hardest by the events of the past few months range from Merrill Lynch to Citigroup. Each of these firms shared what is called a siloed approach to risk and compounded this problem by having poor business information communication between their risk, finance, and operations groups. Is this really all that surprising? No — attaching a high profile to risk management, whether it’s in finance or IT has never been the trend.
How did this problem come about? One cause is that bankers play with investor money — not their own. Since they are betting with the bank’s capital, not their own, bankers don’t feel as though they have a lot of “skin in the game”. If a high risk IT project goes well, then everyone gets a promotion and a larger bonus. If it fails, then it’s a vendor or another department’s problem.
So why does IT have the same problem? For one thing, IT splits the analysis of a project’s risk up between the development team and the support team. The two sets of risk are rarly evaluated together — instead, the development issues are dealt with by one team and the operations issues by another team. Additionally, if the CIO gets behind a project, then speaking up and talking about project risk can often be a career limiting move.
So out of all of the chaos, who has handled the subprime situation correctly? Goldman so far is the clear winner. In December of 2006 they noticed that they were starting to see mortgage related losses. They called a meeting that included all parties involved in the mortgage business, reviewed the situation, and then Goldman started to hedge and reduce its exposure to mortgages. They still ended up taking a hit to the tune of $1.5 billion; however, they are doing a lot better than their competition.
What can CIO’s and IT learn from both the subprime mess and Goldman’s actions? First, that IT project and operations risk needs to be seen in its totality — bits and pieces can’t hid in multiple departments. Secondly, don’t allow the CIO to scare staff into not speaking up. Forget open door, the email system has to be wide open so that all comments and thoughts on various IT risk can be collected. Finally, when the risk of a project or operation changes, the IT department needs to come together as a whole, evaluate the changed situation, and make the correct long term decision.