Risk Management Implications for CIOs in a Challenging Year

Whether they aim to thrive, or merely survive, the current atmosphere of change puts a premium on CIOs as risk managers. With failures splashed across the news, the question is how to make IT-related risk management easier and more effective.

By Brian Barnier, ValueBridge Advisors

Carrier CIOs are bracing for a triple threat in 2010 - market pressure on investment margins, competitive pressure on underwriting margins and tightening regulatory examinations with an eye toward broader change. Some CIOs must also digest acquisitions or support expansions. This is a rare combination of challenges. Whether they aim to thrive, or merely survive, the current atmosphere of change puts a premium on CIOs as risk managers. With failures splashed across the news, the question is how to make IT-related risk management easier and more effective.

Ninette Caruso, vice president of internal audit at Nationwide Insurance, frames the business need this way: "We want to be aware of our current position and prepared to change quickly in response to situations such as new products, new regulations, market conditions or new technology. To perform, we must manage those risks effectively and efficiently."

CIOs can think of change in four buckets: 1) business driven change (e.g., acquisition, consolidation, product change, new regulations); 2) technology management change (e.g., consolidation, shared services); 3) technology change (e.g., cloud, mobile, virtualization); and 4) failure-driven change (e.g., actual, audit finding, testing finding or compliance gap).

These changes must be addressed to earn return - in underwriting, claims or investments. Yet, risk challenges the ability to earn return. CIOs can do little about investment or underwriting risk, but they can do something about strategic risk (through investing in IT infrastructure with the agility and cost structure to create strategic options) and a great deal about risk in program/project management and in operations/service delivery.

CIOs who recognize and try to manage risk from change face two more hurdles. First, within their own operations, they face the pain of coordinating across all the IT silos with different approaches to risk (e.g., continuity, project, change, availability, security, recoverability and energy). This wastes time and cost inside IT. Also, business line leaders want a view of risk that matters to "my business, not all of your silos." Business line leaders often roll their eyes at the parade of IT people who arrive to detail risk (and ask for money) for each silo.

Second, regulators and boards are putting pressure on carrier executives to manage risks on an enterprise basis. With carriers more dependent than ever on technology, the CIO is in the hot seat. This forces the CIO to gather up all the silos of IT risk management and link these to the enterprise-wide risk management approach.

In stepping up to these challenges, CIOs have common cause with other leaders. Ms. Caruso continues, "Our intent in audit planning is to partner with IT leaders to understand the risks that could affect our ability to achieve our mutual business objectives. These risks range from compliance with regulations and accurate financial reporting to having appropriate strategies and processes in place to achieve desired business outcomes."

With all these moving parts, leaders are looking for a simpler way to get started and a path to mature. As a result, many have turned to various best practices that represent the collective experiences of experts across enterprises, industries and countries. Leveraging best practices saves time, cost and effort; provides educational material, training, a user community and updates; and makes it easier to work across supply chains. However, these practices vary. Into this environment came the needs of ISACA's 86,000 constituents in 160 countries, as well as other users of the COBIT and Val IT frameworks and best practices. They were looking for practical guidance that would bridge from generalized frameworks (COSO ERM, ARMS from the UK, 4360 standard from Australia and New Zealand or ISO 31000) to IT and then help integrate the various domain-specific IT risk practices. The result of survey research, practitioner requests, a five-country task force and 1,600 submitted comments is the new Risk IT framework and best practice.

"Risk IT saves time, cost and effort by providing a clear method to focus on IT-related business risks such as late project delivery, compliance, misalignment, obsolete IT architecture and IT service delivery problems," comments Urs Fischer, VP of IT Governance and Risk Management at Swiss Life and chair of the team that created Risk IT. "It provides the guidance to help executives and management ask the key questions, make better risk-adjusted decisions and guide their enterprises so that risk is managed more effectively."

Risk IT is based on ISACA's popular COBIT framework. It covers Risk Governance, Risk Evaluation and Risk Response. Each includes process descriptions, maturity models for benchmarking, role responsibility charts and other guidance. Risk IT is a framework, not a standard, so it can be tailored to a particular organization, maturity, objectives, and business challenges. Based on ISACA's history of keeping other frameworks fresh, users will likely see the same benefit from Risk IT. The Risk IT framework, like all ISACA principal documents, is a free download with registration at

Practitioners wanted Risk IT to focus on business objectives, cross silos and tie to broader risk management. Due to this design, CIOs can use Risk IT to both reduce the risk of business change to performance, and manage compliance and risk within the IT organization. This is a defense against the 2010 triple threat.

About the Author: Brian Barnier, CGEIT, is a principal at ValueBridge Advisors. He has worked in both business line and IT roles. He researches, teaches and writes on business-IT effectiveness. Brian served on the international task force that created Risk IT and chaired ISACA's IT Governance, Risk and Compliance Conference. He contributed to the Wiley & Sons book, Risk Management in Finance. Contact him at
