
Thursday, March 17, 2005

http://www.cio.com/archive/031505/riskplan.html

ENTERPRISE RISK MANAGEMENT
Running The Risk
CIOs are the executives best positioned to champion enterprise risk management. Use this five-step leadership strategy to get the ball rolling.
BY ALLAN HOLMES


Reader ROI

+ Why CIOs are taking a leadership role in enterprise risk management

+ The leadership skills essential for the ERM effort

+ Ways that CIOs demonstrate ERM leadership

On Feb. 1, 2003, the space shuttle Columbia, its aluminum frame melting under 3,000-degree heat, disintegrated high in the Texas sky, killing all seven astronauts on board. Nearly seven months after the tragedy, the independent Columbia Accident Investigation Board assigned the blame not only to a chunk of foam insulation that broke off during liftoff and damaged the left wing but equally to a NASA management culture that short-circuited communication between agency offices responsible for different aspects of the shuttle program. Managers in the geographically dispersed NASA space centers charged with shuttle safety had no formal process for discussing their concerns with each other or for devising a comprehensive strategy to mitigate them.

After the investigation, NASA executives prompted their top managers to improve internal communications. That's when Acting Deputy CIO Scott Santiago, who's in charge of IT security, began to look at ways he could reduce IT security risks throughout the agency. Although IT security played no part in the shuttle disaster, Santiago knew that the IT systems supporting the shuttle and dozens of other NASA programs were critical to the success and safety of space missions.

He noticed that information supporting NASA's programs spanned the agency's space centers. Thousands of people across the country were involved in creating or using information that was shared among different operations. These people rarely communicated with one another and followed different policies and procedures for IT security. The lack of consistency created unacknowledged risks that a virus or some other breach could compromise information on which the safety of people and equipment depends.

NASA Acting Deputy CIO Scott Santiago built commitment to managing enterprise security risks through months of meetings with division CIOs, security staff, engineers and line-of-business managers.
To begin accounting for those risks and mitigating them, Santiago took an enterprise approach: a discipline called enterprise risk management. ERM focuses on maximizing shareholder value or ensuring business continuity by creating a single view of all risks (internal and external) and an executive-level strategy to deal with those risks. Done right, ERM increases business value, while reducing the potential for losses or catastrophes, through better decisions about IT investments and improved systems management.

Like Santiago, many CIOs are now faced with the challenge of managing enterprise risks, for the simple reason that businesses depend more than ever on IT to be able to function (see "CIO, It's You," Page 68). Yet ERM is complex; it's esoteric; and it requires a culture change that is frequently resisted by organizations, because people view identifying risks as a form of criticism. Santiago knew it wasn't going to be easy to get NASA managers to change the project-oriented risk management approach they had used for decades. "People tend to think technical, like firewalls and VPNs," Santiago explains. "But we must look at the bigger picture of what is the risk associated with information, what [do] I need to do to protect that information and how [do] I manage it."

To get the ERM ball rolling, CIOs need a leadership strategy. So we synthesized one based on interviews with nearly two dozen consultants, academics and CIOs who are practicing ERM. You'll notice that the five steps in this strategy apply to many other leadership challenges. Here's how to make them work for ERM.


Step 1: Find Inspiration
Some CIOs find the inspiration for ERM unavoidable: Without an enterprisewide view of risk, people could die. For example, IT has become central to the way the Navy fights. The CIO for the Department of the Navy, Dave Wennergren, is in the midst of deploying an enterprisewide Navy-Marine Corps Intranet, which, when completed this year, will provide a standard way for land bases and ships at sea to exchange real-time battle information. If the system fails, sailors and fighter pilots won't get the information they need in combat, Wennergren notes. The Sept. 11 attack on the Pentagon, which took out the Navy command center, exposed the risk to military operations from locating communications equipment in a single location and underscored for Wennergren why ERM is critical.

Bill Sharon, a consultant and the former CIO of McCann WorldGroup, took the opportunity to educate colleagues about risk while working on IT projects.
But sometimes, especially if you've been handed a mandate from the CEO or the board of directors to deploy an ERM strategy, it takes a little more work to convince yourself of ERM's value. Up until the mid-1990s, executives at J.P. Morgan made decisions about investments in new business ventures based on the forcefulness of the executive making the argument. That strategy led to some unpleasant surprises for the bank when new investments didn't work out as well as they could have, says Bill Sharon, the bank's former chief risk officer for technology, who is now a consultant. J.P. Morgan executives, Sharon recalls, would decide to open offices in new countries without considering a range of operational risks, including the impact on IT and telecommunications.

The bank's chairman at the time asked executives for a better decision-making process for choosing investments. Sharon, working with the head of the bank's corporate real estate business, took the initiative to devise a process for scoping out the requirements—including the IT needs—for any new business initiatives. When he was finished, he realized that the process he had developed amounted to analyzing enterprise risks; he became sold on ERM.

Sharon asked people in every department how they were affected by a new business initiative. He then developed a list of conditions to address before someone could present a new product or location to the executive committee, including what IT investments or support were needed. For the project to be approved, the project sponsor had to gather information from each business line or department to demonstrate that they had addressed the necessary implementation issues. For example, if a new office was opened in Mexico City, project sponsors had to report on how many computers would be needed, the network connections required and the reliability of electric power. None of these questions were being asked routinely, yet they were often critical to a new venture's success.

"I learned that your responsibilities in IT or anywhere in the business aren't bounded," Sharon explains. "You can't just do your piece and go home. Second, in [IT], no one really knows what the business strategy is. That's when I realized ERM gets people on the same page."


Step 2: Define Your Message
CIOs who have become ERM leaders in their companies say defining your message for why ERM is necessary is one of the most important steps to raising awareness about it—and it is arguably the most difficult. Because ERM spans the enterprise, you must understand the intricacies of the operations in each line of business. It also requires you to think about events or consequences that you may have either ignored or preferred not to consider, especially if the culture of the corporation views thinking about risks as pessimistic.

"You must find a way to describe the risk," says David Weymouth, former CIO with Barclays Bank, who now heads the bank's business ethics strategy. "If you can't find a way to describe it, then you'll never get anywhere."

That may require you to devise a new way of talking about IT with your executive colleagues and staff alike. At NASA, Santiago created an enterprise model for IT security that is replacing the traditional view that each NASA center should manage its own IT security. From his perch at NASA headquarters, Santiago saw that most space programs and the systems that supported them spanned multiple NASA centers, which made what happened at one location dependent on what happened at others.

Santiago's message centers on the fact that information must be available to those who need it. Thus, it has to be protected from threats. Rather than talk about securing individual systems, he talks about securing what he calls "containers" of information used by NASA employees. He maps out who manages the information in the container, who has access to it and the risks if that information becomes inaccessible or is altered in any way. That map can be used to prioritize risks to data and determine how best to mitigate them.

A definitive ERM message includes facts that can be used to sway doubters, says Barclays' Weymouth. He instituted a monitoring system to collect data on Barclays' operational systems, such as the number of times the bank intercepted a fraudulent payment or blocked a denial-of-service attempt. By capturing how often the IT shop has reduced the number of incidents that could have disrupted bank business—which, for Weymouth, are equivalent to risks—he is able to calculate savings. He is also able to use the data to show that Barclays must continue to invest in IT to mitigate those risks.


Step 3: Be Flexible
Not everyone understands risk, and people view risks differently. That means you have to be patient and give your audience time to understand what you are talking about. Flexibility is the key here so that you may adapt your message for the different attitudes toward risk you encounter.

George Westerman, a research scientist at MIT's Sloan School of Management who is studying ERM in relation to IT, illustrates the point with a story about his 4-year-old daughter, who enjoys climbing on a jungle gym. When she reaches about halfway up, she says, "Daddy, look at me."

"My impulse is to say, 'Great. Go all the way to the top,' hoping to avoid the risk of overprotecting her," Westerman explains. "Her mother's inclination is to say, 'Get down now,' hoping to avoid the risk that our daughter may fall and hurt herself. We both have different ideas of risk, yet we both have our daughter's welfare first. It turns out that an appropriate response is to stand beside her and let her climb as high as she wants and be there in case she falls." The message, Westerman says, is that his daughter can take a bigger risk, given the appropriate safeguards.

Sometimes delivering your ERM message requires you not to talk about risks at all. When Sharon was CIO at the advertising agency McCann WorldGroup, he sometimes avoided the topic altogether. During one project for the agency's global accounts group, he knew account managers wouldn't understand what he meant about managing risks. The group, which was responsible for more than 100 markets, was having trouble keeping track of its e-mail and faxes from the company's various lines of business. These communications were frequently lost or took a long time to locate, increasing the risk that the group could not respond quickly enough to clients.

Instead of discussing risks, Sharon talked about how an intranet could improve the group's service to customers. He told them he understood how hard they were working, and offered to help them with logistics so that they could focus on serving clients better. Once the website was deployed, he recalls, the group started making business decisions in real time, reducing the risk that dissatisfied clients would take their business elsewhere.

Other times, the straightforward approach works best. Westerman relates the story of a CIO at a Fortune 100 company who needed to sell his board of directors on taking what seemed to be a bigger-than-usual risk on a large corporatewide IT project. The company's IT department had never missed a deadline or run over budget. The reason was that the IT department had always doubled its estimates of the amount of time and money needed to complete its projects.

The CIO decided this management approach was too risky for the company because it didn't give the board accurate information with which to make business decisions. It also gave the IT department an incentive to spend too much money. The CIO decided that this time he would give the board the most accurate cost estimate and time line for the project, and explain that he might have to come back for more money and time.

Westerman says that before the meeting, the CIO, typically a steady individual, was "shaking in his boots." The CIO assumed the board would think his approach lacked proper analysis and increased the risk of project failure. But the board approved the project and did not condemn the CIO's judgment when he came back a few months later to say that the project would be two months late and would cost more. The CIO had prepared them by outlining the risks.


Step 4: Get Out of the Office
Leaving your office to walk the shop floor, meet managers in other departments or travel to the organization's key installations is an acknowledged best practice for IT leadership. And it is particularly important for leading ERM. That's because ERM requires a mind-set change. There's a tendency for employees to ignore ERM and go back to traditional ways of thinking about risk if the ERM philosophy and practices are not reinforced.

"Leading the ERM effort requires the development of personal relationships," Sharon says. "You have to solve the problems that are important to your business partner, whether they appear trivial or not, and then introduce processes that expand their awareness of the operations of the business."

Santiago says he has met with several hundred people across NASA to explain his view of ERM for IT security. He has traveled to NASA centers, conducted teleconferences and workshops to offer advice and to explain his enterprisewide approach for reducing IT security risks. His audience includes NASA's divisional CIOs, IT security staff, line-of-business managers and engineers—anyone who will listen. After nine months, they're beginning to absorb his lessons.

Santiago held an IT security workshop last December that was attended by computer security officials from the space shuttle program. The purpose of the workshop was to define the steps needed to construct a master plan for IT security. One task was to decide what information that moves between centers must be kept secure. Then, the group was able to identify the risks to the information—such as its vulnerability to viruses and cyberattack, or to its alteration (intentionally or not) by an employee—as well as steps to mitigate these risks.

"People began arguing with me on how to get it done," Santiago says. "That means they own it. I know I'm successful when they stop referring to me and my plan and start using the words I and we." He observes that the IT security staff throughout NASA has begun to look for operational risks on a daily basis. ERM has become a part of their job.


Step 5: Be a Model Citizen
Your actions and your attitude must match your message. "If leaders don't follow through with behavior, then the rest of [these steps] are nonsense," warns Bob Charette, director of the Cutter Consortium's ERM and governance practice.

Business unit managers and executive suite colleagues may view it as criticism when someone points out risks in their area of responsibility. In turn, those who bring perceived risks about IT systems to you may seem to be criticizing you. Resist the tendency to take information about risks posed by IT as negative. Instead, encourage your staff and colleagues to identify enterprise IT risks by positioning the information about such risks as a chance to solve problems. Former Secretary of State Colin Powell, also a former chairman of the Joint Chiefs of Staff, encouraged soldiers to bring him problems. "The day [they] stop bringing you their problems is the day you have stopped leading them," he says.

One way to walk the ERM walk is to continually reinforce the need for constant attention to ERM through business continuity testing. Just like school kids practicing fire alarm drills to emphasize the importance of fire safety, CIOs should insist on testing business continuity plans to send the message that the organization is serious about managing enterprise risks that stem from IT.

Steve Randich, CIO with Nasdaq, demonstrates his commitment to managing enterprise risks through regular tests of his business continuity plan.
Steve Randich, CIO with Nasdaq, relies on regular tests of his data center's business continuity plans to remind his staff that ERM is a core principle for the organization. About 3,300 companies are listed on the Nasdaq, which processes about 20,000 transactions a second and receives information from about 350,000 desktops and workstations worldwide. If Nasdaq can't operate its transaction systems, it has to close the market. "We're then out of business," says Randich.

After 9/11, it took four months for Nasdaq to permanently relocate its New York City offices. The data center was able to continue operating (although the government shut down the markets for four days), but Randich realized that the company needed a more detailed risk management plan. Nasdaq's new plan included the extra equipment it would need (such as desktops and Internet access), procedures for communicating with employees and alternative work sites in case of a disaster.

Randich checks his assumptions on a biweekly basis. He doesn't just run tests of his backup systems; he also makes sure that new employees are informed of where to go and what to do in case of an emergency. In addition, he confirms that he has enough cell phones to give to employees in the event that landlines are down. Randich also designated a team that, in the event of a catastrophe, will check in with the 300-plus market makers who trade on the stock exchange to determine whether the dealers can create enough demand to keep the market open. "If [that list] is out of date, it's not worth the paper it is written on," says Randich.

By testing the plan so often, Randich says the message is sent loud and clear to the entire company that the IT department is serious about keeping the trading network up no matter what. "The idea is not trying to figure all this out in the middle of a crisis," he explains. "You make sure you have it all ironed out."

The bottom line is that ERM is now essential to running a company in a world where risks are ubiquitous and IT is both the source and the conduit of many of those risks. To adopt ERM, companies need a credible leader, someone, says Barclays' Weymouth, who is "senior and respected in the organization, someone [who] knows the fabric of the business."

That person, says Weymouth, is you.

Washington Bureau Chief Allan Holmes covers risk and the public sector. Reach him at aholmes@cio.com.
