Chief Information Officer or Corporate Risk Manager?

CIOL Bureau
"The level of risk management required to cope with emerging issues has increased significantly both for the CIO and the corporation as a whole. As a result, the need for enterprise risk management and governance has never been greater or more urgent," says Cutter Consortium Fellow Robert N. Charette.

The new laws and directives for improved accountability and transparency, such as Sarbanes-Oxley and the Turnbull requirements in the UK, are greatly expanding the CIO's role in identifying and managing enterprise risks, as well as in supporting the organization's risk governance requirements. And more governance directives are likely to appear over the next several years. Explains Charette, "Since managing many of the enterprise systems and processes falls into the domain of the CIO, the CIO is now right in the middle of corporate governance compliance. For instance, e-mail and other corporate data that were once routinely destroyed may now need to be saved. What once were considered nonfinancial IT systems may now require consideration as financial, if such systems produce, gather, or transmit financial information.

"Furthermore, given the new corporate governance requirements, many IT-related issues that previously weren't perceived as corporate governance issues are developing into them. For example, an IT project that is in trouble and that may materially affect a corporation's financial condition can become a governance issue if the CIO does not disclose that information in a timely fashion."

What should a CIO's main focus be in relation to enterprise risk management and governance?

Charette has outlined three priorities in the Cutter Consortium report titled
"The Rise of Enterprise Risk Management and Governance":

  • Become familiar with the intricacies of corporate governance, since many risks and problems of implementing it travel directly through the IT organization. Especially important are the gray-space risks: the IT issues that don't begin as governance problems but end up as them.
  • Determine how the IT organization can become a zero-trauma organization. "No surprises" should be the watchword, with operational excellence as the objective.
  • Develop and implement a strong risk management culture to evaluate operational IT risks. Culture will be increasingly important as many of the emerging risks that corporations and CIOs will have to deal with will be caused by societal changes in risk awareness.

More on this topic can be had from the Cutter Consortium reports at www.cutter.com/IT.