February 04, 2010

By Brian Barnier, ValueBridge Advisors

Carrier CIOs are bracing for a triple threat in 2010 - market pressure on investment margins, competitive pressure on underwriting margins and tightening regulatory examinations with an eye toward broader change. Some CIOs must also digest acquisitions or support expansions. This is a rare combination of challenges. Whether they aim to thrive, or merely survive, the current atmosphere of change puts a premium on CIOs as risk managers. With failures splashed across the news, the question is how to make IT-related risk management easier and more effective.

Ninette Caruso, vice president of internal audit at Nationwide Insurance, frames the business need this way: "We want to be aware of our current position and prepared to change quickly in response to situations such as new products, new regulations, market conditions or new technology. To perform, we must manage those risks effectively and efficiently."

CIOs can think of change in four buckets: 1) business driven change (e.g., acquisition, consolidation, product change, new regulations); 2) technology management change (e.g., consolidation, shared services); 3) technology change (e.g., cloud, mobile, virtualization); and 4) failure-driven change (e.g., actual, audit finding, testing finding or compliance gap).

These changes must be addressed to earn return - in underwriting, claims or investments. Yet, risk challenges the ability to earn return. CIOs can do little about investment or underwriting risk, but they can do something about strategic risk (through investing in IT infrastructure with the agility and cost structure to create strategic options) and a great deal about risk in program/project management and in operations/service delivery.

CIOs who recognize and try to manage risk from change face two more hurdles. First, within their own operations, they face the pain of coordinating across all the IT silos with different approaches to risk (e.g., continuity, project, change, availability, security, recoverability and energy). This wastes time and cost inside IT. Also, business line leaders want a view of risk that matters to "my business, not all of your silos." Business line leaders often roll their eyes at the parade of IT people who arrive to detail risk (and ask for money) for each silo.

Second, regulators and boards are putting pressure on carrier executives to manage risks on an enterprise basis. With carriers more dependent than ever on technology, the CIO is in the hot seat. This forces the CIO to gather up all the silos of IT risk management and link these to the enterprise-wide risk management approach.

In stepping up to these challenges, CIOs have common cause with other leaders. Ms Caruso continues, "Our intent in audit planning is to partner with IT leaders to understand the risks that could affect our ability to achieve our mutual business objectives. These risks range from compliance with regulations and accurate financial reporting to having appropriate strategies and processes in place to achieve desired business outcomes."

With all these moving parts, leaders are looking for a simpler way to get started and a path to mature. As a result, many have turned to various best practices that represent the collective experiences of experts across enterprises, industries and countries. Leveraging best practices saves time, cost and effort; provides educational material, training, a user community and updates; and makes it easier to work across supply chains. However, these practices vary. Into this environment came the needs of ISACA's 86,000 constituents in 160 countries, as well as other users of the COBIT and Val IT frameworks and best practices. They were looking for practical guidance that would bridge from generalized frameworks (COSO ERM, ARMS from the UK, 4360 standard from Australia and New Zealand or ISO 31000) to IT and then help integrate the various domain-specific IT risk practices. The result of survey research, practitioner requests, a five-country task force and 1,600 submitted comments is the new Risk IT framework and best practice.

"Risk IT saves time, cost and effort by providing a clear method to focus on IT-related business risks such as late project delivery, compliance, misalignment, obsolete IT architecture and IT service delivery problems," comments Urs Fischer, VP of IT Governance and Risk Management at Swiss Life and chair of the team that created Risk IT. "It provides the guidance to help executives and management ask the key questions, make better risk-adjusted decisions and guide their enterprises so that risk is managed more effectively."

Risk IT is based on ISACA's popular COBIT framework. It covers Risk Governance, Risk Evaluation and Risk Response. Each includes process descriptions, maturity models for benchmarking, role responsibility charts and other guidance. Risk IT is a framework, not a standard, so it can be tailored to a particular organization, maturity, objectives, and business challenges. Based on ISACA's history of keeping other frameworks fresh, users will likely see the same benefit from Risk IT. The Risk IT framework, like all ISACA principal documents, is a free download with registration at www.isaca.org/riskit.

Practitioners wanted Risk IT to focus on business objectives, cross silos and tie to broader risk management. Due to this design, CIOs can use Risk IT to both reduce the risk of business change to performance, and manage compliance and risk within the IT organization. This is a defense against the 2010 triple threat.

About the Author: Brian Barnier, CGEIT, is a principal at ValueBridge Advisors. He has worked in both business line and IT roles. He researches, teaches and writes on business-IT effectiveness. Brian served on the international task force that created Risk IT and chaired ISACA's IT Governance, Risk and Compliance Conference. He contributed to the Wiley & Sons book, Risk Management in Finance. Contact him at brian@valuebridgeadvisors.com.