Manage Learn to apply best practices and optimize your operations.

Enterprise risk management strategies guide for CIOs

Risk management is critical for enterprises embarking on new IT projects and plans. Take a look at these resources for insights and advice on risk management.

Risk management is critical for enterprises embarking on new IT projects and plans. There's the risk of offshore...

outsourcing -- how do you ensure your data is safe in the hands of a worker in another country? There are also risks in managing compliance efforts. These include closing down your company or losing your position if the job isn't done correctly. How do CIOs calculate and manage risk? Take a look at the enterprise risk management strategies in this CIO Briefing for insight and advice on this important topic.

This guide is part of's CIO Briefings series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of the topics covered to date, visit the CIO Briefings section.

Table of contents

  Managing operational risk
  Table of Contents

The news headlines continue: systems failures, data breaches, project delays, troubled products, trading failures, money laundering through mobile networks. These are just some of the sinkholes in operational-risk land related to information technology. The question is, why? Why do they keep coming despite efforts to prevent them?

"Why can't I just get a single view of risk to the business, especially a particular business activity or process? What makes this so difficult?" an exasperated CIO asked me at an executive briefing held by a chapter of the ISACA IT security organization after I discussed IT-related business risk. "One bad business-IT decision killed our company!"

Analyzing IT-related risk in silos leaves gaps and frustrates business leaders. Responding to IT risk in silos increases cost, creates prioritization errors and unleashes other gremlins. Silos can lead to both fundamental errors (such as thinking that IT security equals IT risk management, or that IT compliance equals IT risk management) and more complex errors (such as missing the ways risks in a shared infrastructure affect business processes).

Learn more from contributor Brian Barnier in "All about the business: Critical insights on operational risk.” Also:

  Navigating social media risks
  Table of Contents

Developing corporate social media policies is an ongoing experiment akin to the struggle enterprises endured when the Internet and email were introduced as business tools. Enterprises should not assume, however, that the policies they developed over many years for Internet and email use are a perfect fit for social media.

"Companies are making a mistake when they say social media is the same as email and chat," said Julie E. LeMoine, a collaboration expert who recently codeveloped a large financial services firm's social media policies. "There's enough that is different about social media that you need to be blunt and state the [rules of behavior] again, even if they're the same words [used for older e-communications polices] -- which I doubt they will be."

For starters, e-discovery polices will change, given the free-for-all nature of social networking, according to Stew Sutton, principal scientist for knowledge management at The Aerospace Corp., a federally funded research and development center in El Segundo, Calif. His organization has no limits on email retention, but with "social conversations, wikis, blogs and tweet streams, the mass of data sitting out there becomes a problem," he said. The issues can make e-discovery "extremely costly."

Find out more in "Cost and content of social media policies vary widely by industry.” Also:

  • CIOs weigh use of social media against security concerns
    CIOs are trying to balance the business use of social media with their concerns about security, as policies and security tools fail to keep pace with the adoption of social media.
  • Compliance Briefing: A guide to social media risk management strategy
    Social media is valuable, but it’s also risky. Here are strategies for corporate social media policy, social network monitoring and risk management to protect sensitive information.
  Avoiding cloud computing risks
  Table of Contents

Following the recent downtime and data breaches at top-tier cloud service providers including Amazon Web Services LLC, Sony Corp. and Epsilon Data Management LLC, the risk deck has been shuffled at enterprises looking to move to hybrid cloud computing. Two risks that lurked in the middle of our top 10 list -- liability and identity management -- have floated to the top.

Once again, enterprise executives are talking about the need for cloud insurance, or at least a discussion about who is responsible when the cloud goes down. Presently, public clouds offer standardized service-level agreements, or SLAs, that offer remuneration for time -- but not for potential business -- lost during the downtime. Recent events could be opportunities for providers and CIOs to negotiate premium availability services, according to experts.

Learn more in "Cloud insurance and secure identity management alleviate SLA concerns.” Also:

  • Beware these risks of cloud computing, from no SLAs to vendor lock-in
    In their rush to get services on the market, cloud computing providers are leaving quite a few gaps when it comes to contracts and accountability. Here's what to watch out for.
  • Risk management and agile principles in cloud computing
    To maintain regulatory compliance in adopting cloud computing, apply risk management and agile development principles.
  Overseeing technology risks
  Table of Contents

This is part of a Q&A with Wayne Mekjian, executive vice president and CIO of information services at Wells Fargo & Co., and Martin Davis, executive vice president and head of the company’s technology integration office, about the technology integration of Wells Fargo and Wachovia. In this interview, Mekjian and Davis share advice on avoiding integration pitfalls and explain how they created an “air space analysis” system and methodology to avert integration disasters. In “Wells Fargo and Wachovia: The technology integration of two giants,” Mekjian and Davis explained how they created a blended Wells Fargo/Wachovia technology model to begin converting 70 million banking customers while keeping service interruptions to a minimum.

The Wells Fargo and Wachovia merger creates a financial services organization with $1.3 trillion in assets and 280,000 employees. The technology integration encompasses 80 lines of business and 4,000 application bundles and involves more than a dozen CIOs, as well as integration leaders assigned to each line of business.

Read the interview in "A Wells Fargo roadmap to sidestep technology integration risks.” Also:

  • Supply chain risk management software guide
    This supply chain risk management software guide will help you understand SCRM software and SCRM FAQs, best practices and how spend management fits in.
  • NERC standards pose challenges for IT innovation at power utility
    NERC standards compliance is the law at public utilities. ATC's IT director discusses how to create a framework for IT innovation in that environment.

Dig Deeper on Risk and compliance strategies and best practices