Editor's note: Brian Barnier, a frequent contributor to SearchCompliance.com and an Open Compliance and Ethics Group fellow, has recently come out with a book for IT and business leaders, the Operational Risk Handbook for Financial Companies.
The news headlines continue: systems failures, data breaches, project delays, troubled products, trading failures, money laundering through mobile networks. These are just some of the sinkholes in operational-risk land related to information technology. The question is, why? Why do they keep coming despite efforts to prevent them?
"Why can't I just get a single view of risk to the business, especially a particular business activity or process? What makes this so difficult?" an exasperated CIO asked me at an executive briefing held by a chapter of the ISACA IT security organization after I discussed IT-related business risk. "One bad business-IT decision killed our company!"
Analyzing IT-related risk in silos leaves gaps and frustrates business leaders. Responding to IT risk in silos increases cost, creates prioritization errors and unleashes other gremlins. Silos can lead to both fundamental errors (such as thinking that IT security equals IT risk management, or that IT compliance equals IT risk management) and more complex errors (such as missing the ways risks in a shared infrastructure affect business processes).
The CIO really faces two challenges:
- Creating a cross-IT-silo view of risk to business activities.
- Integrating with broader operational or enterprise-wide risk management.
IT risk leaders also face a mountain of challenges. In trying to improve the process of risk management, they ask, "Is there a consistent basis for 'risk appetite?' What information needs to be in a scenario? To what depth do we need to document policies? What key risk indicators [KRIs] matter most? Why do 'heat maps' seem to miss the mark? How can I better engage 'the business'?" Such questions are asked by leaders seeking to do more with less. Increasingly, doing more includes more business value, not just more controls.
The roots of operational risk
Amid these mountains (mountain range is probably a more appropriate term) of challenges, leaders want to know the critical steps needed to climb the mountains and overcome the challenges. In analyzing problems, especially at highly regulated enterprises, such as financial institutions, it turns out there are similar underlying causes for these challenges. This is good news. It suggests there is a potential path through the mountains. In seeking this path, we can turn to lessons learned in overcoming similar challenges from across risk disciplines and industries.
Risk managers are frequently frustrated in their efforts when compliance is the driver of risk management programs. Focusing on compliance has a host of negative effects that structurally leave risk management bogged down in fixing yesterday's problems, excessive paperwork and churn. IT risk managers are left without a clear touchstone for everything from risk appetite to scenarios to KRIs to reporting.
A huge lesson learned from decades of success elsewhere is the need to shift to a more performance-driven approach. Race car drivers don't buckle their seatbelts to avoid a traffic ticket -- they do it to avoid injury or death in pursuit of the prize. In IT land, this shift to performance-driven risk management also been detected in ISACA's 2011 IT Risk/Reward Barometer survey.
Business and IT interdependency in operational risk
IT leaders increasingly want to learn more about "what the business wants." Good news: Drawing on lessons from a range of risk disciplines and industries, clear steps emerge to forge a more integrated, performance-focused approach to IT-related operational risk management. The Operational Risk Handbook for Financial Companies harnesses the cross-industry and cross-discipline knowledge base to provide more practical guidance. Focused on operational risk managers who are trying to improve their programs and better understand business dependencies on IT, it provides IT leaders with an opportunity to see "through the eyes of the business." It tailors these decades of proven lessons to financial companies, simply because of the enormous change and complexity these managers face.
The handbook focuses on shifting risk management from a compliance- to a performance-focused perspective, taking a systems approach, understanding the value of having options to act, and improving business agility. To achieve this shift to performance, lifelike scenario analysis becomes the heart of risk management.
To drive home the business perspective, the book includes views from a panel of six technology-savvy board members. Humphrey Polanen, a board member at Heritage Bank of Commerce in California, is a seasoned tech executive and investor. His comments are very specific:
"First, realize [risk] is not a checklist. There are no quick fixes. [You] need to focus on structural fixes and changes. Try to transform your organization in meaningful ways. Two keys to this are first, understanding deeply the system that is your bank, how that works; and second, the root causes that can hurt your system. If you know this, you can point your analytics at the right data. This is what I expect my risk management leaders to understand -- the business."
For you as an IT leader, shifting to a business performance focus helps you bring more value to your C-suite and enterprise.
Brian Barnier is a principal at ValueBridge Advisors. He can be reached at firstname.lastname@example.org.
This was first published in August 2011