"The level of risk management required to cope with emerging issues has
increased significantly both for the CIO and the corporation as a whole. As a
result, the need for enterprise risk management and governance has never been
greater or more urgent," says Cutter Consortium Fellow Robert N. Charette.
The new laws and directives for improved accountability and transparency,
such as Sarbanes-Oxley and the Turnbull requirements in the UK, are greatly
expanding the CIO's role in identifying and managing enterprise risks, as well
as in supporting the organization's risk governance requirements. And more
governance directives are likely to appear over the next several years. Explains
Charette, "Since managing many of the enterprise systems and processes falls
into the domain of the CIO, the CIO is now right in the middle of corporate
governance compliance. For instance, e-mail and other corporate data that were
once routinely destroyed may now need to be saved. What once were considered
nonfinancial IT systems may now require consideration as financial, if such
systems produce, gather, or transmit financial information.
"Furthermore, given the new corporate governance requirements, many
IT-related issues that previously weren't perceived as corporate governance
issues are developing into them. For example, an IT project that is in trouble
and that may materially affect a corporation's financial condition can become a
governance issue if the CIO does not disclose that information in a timely
fashion."
What should a CIO's main focus be in relation to enterprise risk management
and governance?
Charette has outlined three priorities in the Cutter Consortium report titled
"The Rise of Enterprise Risk Management and Governance":
- Become familiar with the intricacies of corporate governance, since many
risks and problems of implementing it travel directly through the IT
organization. Especially important are the gray-space risks: the IT issues
that don't begin as governance problems but end up as them.
- Determine how the IT organization can become a zero-trauma organization.
"No surprises" should be the watchword, with operational excellence as the
objective.
- Develop and implement a strong risk management culture to evaluate
operational IT risks. Culture will be increasingly important as many of the
emerging risks that corporations and CIOs will have to deal with will be
caused by societal changes in risk awareness.
More on this topic is available at www.cutter.com/ITreports