As a CIO, risk and compliance management is one of your key performance improvement tools. You should make it part of your everyday routine, whether looking for risks and issues in project steering committees or reviewing the status of your software licence compliance.
You should recognize that your Internal and External Audit colleagues are your ‘best friends’ and approach the whole topic on the basis that risk management and audit are a positive force that will help you improve the management of your function, organization, stakeholders and outcomes. In addition, it is a defensive activity that can stop you getting fired and is therefore worthy of your utmost attention.
The risks you face fall into three broad categories:
- Internal to IT – typically about service failure (for example, disaster recovery or a supplier going bust), project failure (for example, wasted investment or business performance degradation), security failure (for example, unauthorized access and data loss) or governance failure (for example, overspending the budget).
- Internal to your enterprise – these include business risks that have an IT component, such as business continuity in the event of an earthquake, construction project delays, or fraud risk caused by inadequate segregation of duties or theft of intellectual property.
- External to your enterprise – for example, regulatory or contractual matters such as compliance with Personal Data Protection rules, UK Bribery Act 2010, SOX, licence conditions and the Payment Card Industry Data Security Standards.
These risks are important enough for you to appoint a senior IT Manager (we suggest at least a direct report of one of your direct reports) to lead risk and compliance management for your organization. Appoint or hire the best you can. Resist the temptation to appoint someone average – or worse, that below-par employee you are struggling to find a position for. Find someone passionate about the subject who will not be afraid to make you personally feel uncomfortable by pointing out where you and your team can improve or are failing. In a large Enterprise IT organization, this role should be full-time and liaise closely with Internal and External Audit and IT Security.
This is not a primer for technology or data security and I am not covering methodologies or standards here. You can read about them on the web or ask your audit colleagues for help. However, as a starting point I recommend you do at least some of the following on a regular basis:
- Review the top enterprise-wide risks (that is, those risks requiring the non-executive board’s consideration) and consider whether they adequately reflect any inherent IT issues, whether your IT organization is appropriately accounting for and acting on those risks, and whether the list is correct in your opinion as a senior leader in the enterprise. Give your feedback to the owner of the enterprise risk management process.
- Run a workshop with Internal Audit and your direct reports to define the top 10 risks for your organization, its services, sourcing events and its projects. Assess each risk in terms of likelihood and impact on the business and rank them based on the combined score. Create mitigating actions for each risk. Review the results of last year’s mitigating actions and decide if any action should be carried over to this year.
- Agree with Internal Audit and External Audit what their annual audit plans will cover for IT. This is a great opportunity for you to focus them on your top 10 risks and any other weaknesses you see in your organization, processes, services, projects, and so on. Do not avoid difficult issues; rather, embrace an independent view as a way to drive improvement.
- Review your Top 10 to 30 projects and ensure that adequate internal audit or external quality assurance work is planned.
- Review the annual External Audit report findings on IT controls. Ensure that the management comments are sufficient and accurate, and that you plan any corrective action so that identified deficiencies will be eliminated before next year’s audit.
- Review and update your policies to ensure they are up to date and reflect the latest thinking on risk. Make sure they address the required regulatory compliance as well as expectations around security, licence compliance, sourcing methodology, and so on.
- Be interested in risk when visiting IT operations in other locations, meeting people for the first time, and reviewing service delivery or projects. Ask searching questions to demonstrate your concern but also to ‘test the mettle’ of your team on risk and compliance.
- Review all published audit reports as they come out during the year. Focus on those that score your controls on services, projects, security, and so on, below average. Review them with your direct report responsible and the manager concerned. Ask them to present their understanding of the deficiencies, an action plan to resolve the issue and a final review date.
The CIO has one of the most difficult and loneliest senior leadership roles in the modern enterprise. LEF’s CIO Sounding Board service can help, offering peer-level problem-solving input and strategic advice from experienced CIO Advisors, including Mike Bowden.