An Interview with Microsoft CIO Tony Scott on Operational Risk
- Published on June 23, 2009
- Written by MICHELE TURNER, MBCP, FBCI, CISA, ITIL
Tony Scott is corporate vice president and the chief information officer (CIO) for Microsoft. In addition to information technology efforts, Scott is also the executive sponsor for Microsoft’s operational enterprise risk management (OERM) efforts, including the enterprise program framework, information security risks, enterprise business continuity, enterprise crisis management and pandemic planning. Scott has a bachelor of science in information systems management from the University of San Francisco and also holds a juris doctorate with a concentration in intellectual property and international law from Santa Clara University.
Turner: Tony, as the CIO for MS, what are the core objectives within the operational risk programs for which you are executive sponsor?
Scott: The core objectives are to 1) create awareness of potential areas of risk, 2) assess those risks and help the organization think about and quantify risks and what they represent, 3) have plans to address and mitigate in the most effective way and 4) have continuous feedback on how we are doing against our plans/gauging the effectiveness of those plans.
Turner: Given MS’s reach, how do you go about driving these critical aspects across the organization?
Scott: We have high-visibility scorecards and assessments that are done by our professionals stating where we are versus plan. We have dedicated resources throughout the organization (operations enterprise risk as well as enterprise business continuity) that work with the business groups to conduct education and awareness sessions to assist in planning. We know that this is not just a part-time job. This is important and is not voluntary.
Turner: From an executive perspective, what advice would you give to those who are struggling on gaining executive sponsorship for their operational risk programs? Do you have any advice on what has not worked well when you’ve been approached?
Scott: What hasn’t worked well is trying to scare people into working on this. Fear as a motivator is not good in this area. It gives a sense of desperation. What works better is a good grasp of facts, real data and setting up a conversation where you can review in an objective way. For challenges that affect dollars, reputation and our people, they have to be addressed in concrete, non-emotional terms. This is the best way to have an effective program. This is not a political issue, but a business issue that needs to be addressed by presenting data, facts and making a rational business agreement to do something different than the way one has always done it. Anyone can do a “chicken little,” but execs don’t always react well to that.
Turner: In addition to MS, you have also been an executive at companies such as Bristol Myers Squibb, General Motors and Disney. Based on these experiences, relative to business continuity, what lessons learned can you share about critical success factors for BCM in specific?
Scott: While at Disney, I had an opportunity to participate in a DR exercise that delivered many benefits. I’ve learned that in many cases, you will usually do better than what you think. The fact that you take this as a serious effort creates that focus that’s needed. The other lesson learned is like any other discipline: practice, practice, practice, practice, practice makes better (not perfect). Rehearsal is important as it allows you to self-critique and makes the actual event a better process. Perfect would mean that you wouldn’t have to exercise a DR plan in the first place.
Turner: What are your thoughts on how a company’s senior management and board should adjust or emphasize risk management to survive the current economic crisis and promote risk management to become a competitive advantage?
Scott: I am hopeful. There is awareness now. We are in a digital, not an analog world and learning can be transferred using better means. In addition, as a society, we will start to apply more science and understanding around how systems and processes work. Using modeling tools or processes to better understand the what, why and how we can mitigate risk. Using enhanced predictive methods could potentially drive fewer incidents. The world is becoming bigger and more complex. Ensuring early warning systems to indicate potential systemic weaknesses in the ecosystem will be key.
The current economic situation points out the need for a broader lens of focus around risk management. Risk should be amplified in awareness and commitment. It’s hard to market “competitive advantage,” but the evidence of risk management certainly will show up in operational results. Boards tend to ask those tough questions around the real risks and how we identify those emerging risks; we need to weigh those with the day-to-day operational items. The balance of the two is what makes a good risk management effort. This develops the muscle to respond.
Michele Turner is the senior manager of the operations enterprise risk management pillar at Microsoft as well as a member of the DRJ Editorial Advisory Board. Michele has more than 16 years’ experience in business continuity management and risk-related efforts.