Becoming a “risk intelligent” CIO means you can identify risks, help your organization take them intelligently, and ultimately profit from risks as a whole. Elizabeth Heichler knows what it takes to become risk intelligent, and she shares five things that you need to know if you want to become the CIO who profits from risks. The first tip is, not surprisingly, to get IT’s risk management in order first. Nobody will listen to you if your own house is in disarray, so it’s top priority to make sure that any risk that affects IT directly is handled. Only then can you begin expanding your risk management efforts beyond IT to the rest of the organization.
Next, recognize that risk management goes well beyond compliance. Citing Bill Kobel and Brian Barnier, the article explains that compliance is only part of the puzzle. Furthermore, don’t try to reinvent the wheel when you’re attempting to implement better risk management practices throughout your organization. As Heichler writes:
While no one can save you the hard work of understanding the risks connected to all your technology and business operations, there are multiple frameworks and standards that can put you on the road to good practices. Important ones include Risk-IT from technology governance nonprofit ISACA (the group is best known for COBIT, a more general enterprise IT management framework) and ISO 31000. But be mindful about how you apply those frameworks, Kobel warns. Frequently, specialists in a company understand different domains of a framework – such as security, privacy, business continuity, or compliance – and the framework winds up being used at what he calls a sterile, tactical level of controls and requirements rather than being connected to the way the business really operates.
Finally, understand that the people who want to do you the most harm really do know your business inside and out. They are constantly looking for vulnerabilities and for ways your products and services can open your organization up to danger. This isn’t limited to those outside of your company: be cognizant of internal threats as well, as they often pose even more of a potential risk than those attempting to scale the walls of your existing risk management architecture.