IT Risk Management


CIOs must not fend off risk alone

IT risk management must be a company-wide process...

By Will Sturgeon

Published: 10 July 2007 10:56 GMT

Should IT risk management be the responsibility of the CIO or should it be a company-wide process? Will Sturgeon argues in favour of the latter and discusses the reasons why a chief risk officer may even be the order of the day.

Responsibility for IT risk management must not begin and end with the IT department.

The CIO may have the wherewithal to block removable storage devices or IM use, for example, but will he or she always have the inclination to do so? And if so, is it done for the right reasons? Likewise, do CIOs know as much about regulation as the legal department, or as much about enforcing personnel policies as HR?

Businesses may well have asked themselves any or all of these questions: does the company need to ensure no data is ever taken out of the organisation in an unencrypted format? Does Skype need to be blocked? Is VoIP a viable option when it comes to replacing the PBX? Should employees be allowed to blog? Should employees be able to access webmail services? Should the company outsource its call centre, data centre or use a managed security service? What does software as a service mean for the business?

The CIO should have an opinion on all of these but understanding the risk - the careful balancing of business benefit against liability - should not be a decision IT makes in isolation.

Everything from understanding the regulatory environment to determining how staff are educated around key risk issues needs to be part of a company-wide process aligned to structured IT risk management processes.

If nothing else, the introduction of tighter regulations and custodial sentences for senior executives at transgressing companies should have helped get that message up the food chain.

Robin Hollington, director at Peapod Consulting, told silicon.com: "Businesses must involve all management and stakeholders in the process. Risk management needs organisation-wide buy-in and understanding in order to be effective."

It's a view shared by Timothy Coats, business continuity practice lead at EMC. "Too often companies leave it to the IT department and assume that everything is taken care of," Coats said.

"IT can only build to the requirements that it knows about."

As such, IT planning and the management of risk have to be seamlessly integrated with the entire business.

Paul Dorey, chief information security officer at BP, told silicon.com: "You cannot disconnect IT risk from the business that is supported by IT."

In fact, in terms of where the buck stops, Dorey said: "In the end the CEO is always the risk officer of last resort."

It makes sense. Risk is a high-stakes game and the CEO has the most to lose. So it is perhaps unsurprising that investment is increasing in IT risk management, in line with burgeoning awareness at board level.

Research commissioned earlier this year by Atos Origin revealed a growing focus on risk within businesses.

But still 70 per cent of companies said the head of IT was increasing their focus on risk, while only 50 per cent said the board was getting more involved.

Although there remains some disconnect between the CIO and the rest of the business, one positive result of increasing board level awareness is an increasing budget, according to the Atos findings.

As the working lives of senior execs encompass more risk management planning, the budget increases accordingly - perhaps in small part due to the greater personal liability they recognise.

And according to Simon Perry, senior VP security at CA, "more forward-thinking" companies are recognising that risk management requires its own dedicated professional, bridging the gaps between all parts of the business.

Perry told silicon.com: "Businesses must ensure their level of security matches their level of risk and to that end we are seeing more forward-thinking companies considering the appointment of a chief risk officer (CRO) to oversee risk management activity."

"It is generally envisaged that such a CRO would work closely with IT in order to ensure better alignment between corporate and IT governance and risk management," he added.

Such an appointment would also refocus other business heads and force them to realise they have as much duty as the CIO to report in to the CRO and act upon recommendations.

Within any organisation, the CIO generally has enough on his or her plate. And as risk becomes a more essential part of proper business planning, it's unsurprising many businesses are recognising the need to focus more energies or more resources outside the IT department on risk management.

But whatever approach a company takes (appointing a chief risk officer may be beyond some companies' budgets or requirements), making risk management a company-wide process, rather than the responsibility of any one department, is vital if businesses are to operate effectively in as risk-free an environment as possible.
