You might be having the best day that you’ve ever had since you accepted the CIO job and then all of a sudden it hits you: what am I doing to protect the company from the risks that it faces? IT, of all departments, poses one of the biggest doorways for risk to enter your company because of the importance of information technology. As CIO, what do you need to be doing in order to help the company prepare for the things that might happen?
3 Types Of Risk
Not all risk is the same. As CIO, you are going to need to be able to help your company to realize that the world is filled with different types of risks and that it needs to create plans for dealing with each type.
The first type of risk that must be managed is preventable risk. These are the risks that are more often than not caused by the actions of your employees in the IT department. They can run the range from bribing vendors to other unethical behavior. The good news is that the best way to deal with this kind of risk is simple: educate your IT staff as to what proper behavior is.
The next type of risk is strategy risk. Your IT department has a set of goals that you want to accomplish this year. However, each one of these goals has a set of risks associated with it. The bigger the goal, the larger the risks. Rules won’t eliminate these risks. Instead, you’re going to need a risk management system that is going to help you to reduce the probability of any of the possible risks from happening.
The final type of risk is external risks. None of us control the world that we live in and this means that things can happen that are out of our control. Great examples of this include both natural and political changes. Since we have no control over this type of risk occurring, we need to first make sure that our IT department is aware when something is happening and secondly we need to take steps to mitigate the impact of this type of event.
3 Ways To Manage Risk
Given that we live in a risky world, what’s a CIO to do? You can’t make risk go away, so your next best option is to find ways to manage it. The good news is that there are three different ways to go about doing this and depending on how your IT department operates, one of them will be right for you.
The first approach is to set up an independent group of experts who will review the risks that are associated with each of the projects that the IT department is working on. These cross-functional experts will play the role of devil’s advocates and will challenge all of the assumptions that the project team has made. The thinking is that by doing this the project team will be forced to think about their project in new ways that will expose the risks that it may be facing.
The next approach is to use facilitators to identify risks that might not normally be visible. In many IT departments there are multiple projects going on and many different existing functions. The end result of implementing multiple new projects may have an adverse impact on the IT department; however, none of the project teams will be able to determine this because they can only see their individual projects. The role of the facilitators is to gather information from all ongoing projects and evaluate if they will be introducing risk into the IT department.
Finally, in many IT departments things move fast. Changes have to be made quickly as the IT department reacts to changes that the overall business is experiencing. In this type of IT environment, the people who are in charge of tracking and managing the risk that the department is facing need to be embedded with the IT staff who are working on the project. Only by working side-by-side with the people making the changes can the important “what if” questions be asked on a day-by-day basis.
What All Of This Means For You
CIOs have to realize that their company faces a whole host of significant risks every day. As the CIO, you play a key role in helping your company to prepare for the unknown future. You need to be the one who is helping your company to prepare today for what may come tomorrow.
Risks don’t all look the same. They can come in three different varieties: preventable risks, strategy risk, and external risks. In order to deal with these different types of risks, every company has to create its own unique plan. These plans may involve independent experts, facilitators, or embedded experts.
The good news about risk is that you can anticipate it and you can prepare for it. The one thing that the person in the CIO position can’t allow to happen is for an event to occur that nobody saw coming. Instead, taking the time to plan for risk today will provide you with an effective strategy for handling whatever comes your way tomorrow.
Question For You: What percentage of a CIO’s time do you think should be spent dealing with company risk?
What We’ll Be Talking About Next Time
What kind of rules does your company operate under? Are there certain things that your employees (sales in particular) are not permitted to tell your customers? How can you determine if they are following the rules? How long do you have to retain your copies of all types of communication? Not to get all NSA on you or anything, but since you have the CIO job, are you doing a good enough job of reading everyone else’s mail? This has become yet another part of the importance of information technology for all companies.