"IT goes to the boss and says the company has this big problem and [it] needs $1 million to fix it. The problem with that, is that it's not your problem. It's their problem," Nolan said. "By telling them what to do, you sound like you're selling them, as opposed to helping them solve the problem. Last time I checked, executives want to tell you what to do, not the other way around."
Nolan offered the advice, along with some best practices on risk management, in a focus session at this week's SIMposium 2005, a leadership conference that drew some 600 IT leaders. Forsythe Solutions is a subsidiary of Forsythe Technology Inc., a Skokie, Ill.-based information technology consulting company.
The message resonated for Joe Wolke, the former head of Chicago-based Aon Corp.'s global business continuity program office. "This validated a lot of stuff that we ended up putting in place. We had a lot of various plans that went nowhere. Why? In some cases, IT would say, 'To do this right it's gonna cost $10 million' and it stopped. In other instances, the business said it's an IT issue, and that's all," Wolke said. His office formally combined disaster recovery with the business side, having a business analyst right in the office.
Defining risk management begins with an inventory of the company's vulnerabilities, Nolan said. Not an easy task, given that most IT infrastructures were built ad hoc and are putting on weight by the day. "You guys were minding your business and now you're responsible for the phone network, too."
Nolan said to think of risk management in terms of five pieces: disaster recovery, business continuity, confidentiality, accountability and data integrity.
Forsythe then advises CIOs to come up with a concise way to translate business and regulatory requirements into technology decisions. A simple method Forsythe uses is to spell out six key elements: content security, hosts security, application security, identity management, network security and security information management -- or CHAINS.
Once the vulnerabilities are identified, IT puts them on the table "like the 600-pound elephant and says what you want to do about them?" Nolan said. IT should avoid the mistake of suggesting the solution to soon. First, get company executives to agree there is a problem. And only when they ask to see their options, lay out the solution, he said.
Nolan suggests creating a tier of service levels, A,B and C, and spelling out how each service level addresses the risk and what it will cost, so that the solution is directly linked to corporate policy.
"At the end of the day there are three answers. The company can accept the risk, assign the risk or mitigate it. If they choose to do nothing, they sign here and accept the risk, that's fine. You may choose to leave the firm because you can't live with that decision, but at the end of the day it's the decision of the executive officers," Nolan said.
Pat Skarulis, CIO at Memorial Sloan-Kettering Cancer Center in New York, found Forsythe's "chain" approach of categorizing threats useful.
"I thought that was particularly helpful," she said, and agreed that negotiating risk management requires some finesse. "As IT people, we are so used to be being analysts and problem solvers. I thought he made a good point about having business take the ownership position."
Getting her bosses to agree that risk management is a big issue is perhaps not as difficult as in other businesses.
"All of the decisions that hospitals and medical centers make are really life and death decisions. So I think business is attuned to accepting and understanding risk, on a day-to-day business," Skarulis said.