At the same time, business interest in the Web as a promising new commerce channel was rising. Thus, a challenge and opportunity were presented to chief information officers (CIOs) and their staff: if the risks associated with e-commerce, both real and perceived, could be integrated, a company would be well positioned to reap the benefits.
Of course, as is well documented, the security solution was found. The introduction of Internet security technology known as Secure Sockets Layer (SSL) by Netscape in 1994 helped pave the way toward the booming era of e-commerce. And CIOs played a central role in this charge.
Indeed, CIOs emerged as key figures to help companies address multiple and varied risks in pursuit of the revenue-generating opportunities. Those that embraced risk would usher in success, and, at the same time, prove how technology could effectively enable business growth.
It was a prime example of risk, intelligently managed.
Driving future success (and avoiding failure) requires that CIOs, as part of the business, develop a vision around improving IT risk management, services, and revenue-generating opportunities for the organization. Developing a sound perspective regarding risk can help CIOs direct IT efforts that not only meet the compliance, operational, and strategic goals of the IT function, but also contribute to those of the organization. Visionary CIOs should not only be a positive force in risk management efforts, but should also help gain competitive advantage for the organization.
Today’s fast-paced world is full of new opportunities to use IT for growing the business, that is, if the management team, especially the CIO, proactively recognizes and deals with the risks. While addressing IT risks (e.g., security, privacy, and business continuity) is a core duty of the CIO, this alone is not enough to help elevate the company. CIOs should not only expend effort on mitigating all the bad things that can happen to their systems, but they should also consider ways to extend technology to improve business performance. Just as in the example of e-commerce and SSL, technology can be a key enabler or even a primary driver of growth that can directly impact the bottom line.
Consider the ongoing issue of round-the-clock availability, essential for e-commerce today. In an age in which customers everywhere are accessing the Internet 24 hours a day, 7 days a week, downtime may be just as great an issue for companies and CIOs as access control or privacy protection. For instance, customers who have poor online experiences attempting to visit a site that may be down or simply sluggish are likely to move on quickly to a competitor’s site for products or information. This is far more than an IT issue; the danger is not just about losing sales, but about losing customers. Viewed in a positive light, a resilient Web site might be well positioned to attract increased sales.
By proactively addressing the risks associated with 24/7 availability, and by understanding both the positive and negative scenarios resulting from these risks, CIOs can develop solutions that not only mitigate potential loss but also contribute to business growth. CIOs can set IT priorities that include investing in and enhancing systems to achieve resilience (or something close to it). To defend against downtime and mitigate risk, many large companies have hundreds or even thousands of servers in multiple locations. Companies that invest in efforts aimed at resilience are actively enabling potential revenue gains.
Of course, CIOs should think expansively about risk not only in terms of keeping these servers running, but also about enhancing IT, operations, processes, priorities, and risk skill-sets of IT professionals.
The Risk Intelligent CIO
Rather than perceiving risk management as yet another initiative thrust upon them, CIOs should be more proactive in helping the organization address various types of risk within and beyond IT. To advance to a higher level of risk management – to become what we call “risk intelligent” – CIOs should cultivate a greater understanding of the effects of risk on the role that IT plays in driving value in the organization. This involves adopting a broader view of risk as an engine of revenue and profits, and harnessing the power of technology to enhance strategic risk-taking.
Developing risk intelligence can lead to significant benefits for CIOs and their organizations such as elevating the role of IT as a strategic contributor to the organization and transforming the IT role from supporting the business to being the business. Risk intelligence can help improve the ability to prevent and detect critical risk issues in IT and the enterprise, bolster system reliability and reduce downtime, automate and monitor control compliance, and reduce costs with improved efficiencies.
The promise of such gains and efficiencies raises the question: What is the CIO’s path to risk intelligence?
As senior members of the management team, CIOs should continue to collaborate with their peers in the C-suite to understand existing and future business risks and their organizations’ risk management needs. Long gone are the days when IT leaders only managed data centers. Today’s CIO plays a stronger leadership role. CIOs should consider how both the IT function and the organization as a whole deal with risk now. CIOs should proactively reflect on ways that IT can be a significant contributor to risk management and serve the organization better. CIOs can apply the principles of risk intelligence to the business and technology realms to help the organization make use of, as well as combat, the risk issues unique to IT. Key concepts of risk intelligence include:
1. Mitigating risk and taking risk are essential elements for value creation. To generate and protect enterprise value, both the positive and negative aspects of risk should be addressed. In other words, CIOs should not only take steps to avoid something negative (preventing a hacker from stealing the customer database) but also embrace risk to enable attaining something positive (providing customers with real-time access to their accounts).
From a CIO’s perspective, risk intelligence not only means protecting proprietary and sensitive information from ending up in the wrong hands, but also creating the processes and systems to allow the same information to be quickly and easily accessed by authorized personnel to inform decision making. By properly aligning and leveraging IT assets in the organization, CIOs can help their companies better protect and expand enterprise assets.
Beyond addressing IT risk effectively and thinking about how technology can be used to support risk mitigation in the organization, there is another aspect to becoming a risk intelligent CIO: developing a vision around potential revenue-generating opportunities. Many CIOs already play this role in their organizations, but the role and the opportunity should be more fully realized. Visionary CIOs have the potential to generate significant value for the organization, especially when IT is central to the organization’s mission. CIOs should consider how IT solutions can be developed or used in streamlining key business operations. For example, major retailers and their CIOs leveraged radio frequency identification (RFID) technologies to achieve efficiencies in their distribution and supply chains, creating enormous competitive advantages, not to mention cost savings, for their organizations.
2. Reducing risk exposure requires a cross-functional approach. Although knowledge of specific risks and responses is essential, problems can surface if any department or division works in isolation, unaware of another’s activities. Risk intelligent CIOs should build connections and foster communication between departments in the business (including finance, facilities, and other functions) as well as within IT to share information about risk. In the IT function, CIOs should make sure various areas like information security and business continuity management are coordinated and involved in decision-making around new products, services, and infrastructure.
CIOs should communicate with colleagues on the topic of risk, not only to help with information sharing but also to spur ideas on how IT can better serve the business. Furthermore, having the CIO offer the IT perspective on various business issues, strategies, or events can help the whole company better anticipate and manage potential risk.
3. Developing preparedness can be strengthened by applying risk management principles. A long list of threats faces business today, including data breaches, hacking, viruses, phishing, natural disasters, and more. As most companies know, business disruptions can have a significant impact on the bottom line. If CIOs help design and develop resilience in IT systems, then the organization can become more resilient; or, at the very least, the business can recover faster following a disruption. In turn, a speedy recovery can generate a potential lead over competitors who were less prepared.
Risk intelligent CIOs, equipped with a broad understanding and view of risk, should be explicit about which risks are (and are not) reasonable and manageable. Mission critical activities should be clearly identified. Processes, roles, and responsibilities for a rapid response to a variety of potential business threats, including but not limited to IT risks, should be documented. Breaking down risk management activities into four stages – anticipation, preparation, response, and recovery – can help achieve the desired benefits.
Indeed, improving the level of IT and organizational preparedness by thinking about business disruption and continuity boosts the company’s ability to respond quickly to market opportunities. In turn, enhanced preparedness can facilitate value-creating and strategic efforts.
Company executives in both IT and in the business areas can address upside and downside risks to capitalize on opportunities (and mitigate risk) in the marketplace. Companies that seek to generate such business gains and competitive advantage require effective risk strategies. And CIOs should continue to play a key role.
Visionary CIOs who dare to pursue new growth opportunities and manage evolving risks associated with technology, service delivery, geography, and time can effectively position their companies to achieve revenue gains, as well as reap rewards faster than their competitors.
Steven J. Ross is a director in Deloitte & Touche LLP’s security and privacy services practice. He specializes in business continuity management and information security, and serves as the national and global leader of business continuity management services. A knowledgeable professional in information security, control, and recoverability, Ross is a frequent speaker on information security and business continuity management. Ross earned bachelor’s and master’s degrees from Columbia University in New York City.
"Appeared in DRJ's Spring 2008 Issue"