
Positioning the CIO for Risk Reporting to the Boardroom


Thursday, February 13, 2014

Sergio Thomson-Flores. Founded in 1985 and headquartered in Atlanta, Modulo is a provider of Governance, Risk and Compliance (GRC) management solutions to organizations worldwide for IT GRC, ERM, BCM, Vendor, Compliance and Risk Management.

Today's CIO is optimally positioned to lead the path toward standardized and harmonized information risk management within their organization. After capital, information is the single most important commodity upon which an organization relies. An organization's information technology infrastructure underlies absolutely every aspect of daily business and, by extension, impacts reputation management, intellectual property, disaster recovery planning, marketing, legal, human resources, and even finance. Soon, the CIO will necessarily rival the CFO in his/her ability to provide key metrics to the board and shareholders about business performance.

To do this, the CIO will need to incorporate both the top-down view of risk typically generated by a Chief Risk Officer (CRO) and the CISO's bottom-up approach to risk management. The CRO often helps define company Key Risk Indicators (KRIs) through enterprise risk management techniques. The CISO provides critical visibility into residual and real business risk based on the ability to link assets to lines of business and processes. Combining these approaches gives the CIO a natural foundation to lead the maturity path toward enterprise-wide governance, risk, and compliance (GRC) and performance, as well as the harmonization of risks: cyber/IT, third-party supplier, business continuity, operational, and enterprise.

In a recent strategic boardroom discussion with over twenty CIO/CSOs from a variety of industries and moderated by Modulo, we found that many have already started down this maturity path. Key themes that emerged included:

CIO/CSOs are increasingly interacting with the boardroom, and the structure of the board depends on the maturity of the company and the industry: The types of boards range from CEO direct reports to audit committees, enterprise risk councils, IT governance boards and operational risk committees.

Collaboration below the board is the key to success: The CIO/CSO is often the "broker" of relationships between business units, and it is critical that this collaboration happen before getting to the board meeting to ensure everyone is communicating in a language that is relevant to the board.

Cybersecurity working groups are being formed to present a unified front: Some CIOs/CISOs are forming cybersecurity working groups together with their chief counsel, CEO, PR, etc. to identify significant incidents and decide what is relevant to present to the board.

Need for common CIO/CSO boardroom best practices: The lack of a common methodology and process for CIO/CSOs to interact with the board can make it difficult to put together a boardroom discussion; the industry needs best practices and comparisons against peers.

GRC in the boardroom should be a business enabler: GRC is about a culture of risk at every level of the business and should be presented to the board as a business enabler, not a liability.

So how does the CIO put these themes into practice? The job of the CIO increasingly consists of monitoring information assets, transactions, and processes rather than buying and implementing IT infrastructure. This monitoring is increasingly consumed by board-level decision makers. In short, it behooves today's CIOs to think entrepreneurially and nimbly, concentrating on processes related to risk management and less on technology and tools for managing information.

Analysts and market trends also show us that the IT budget will more and more fall outside the purview of the CIO - even if some IT spending remains in security. Spending on IT, a now-essential part of modern business infrastructure, will increase but will fall into the marketing or other departments’ budgets. Information officers will need to adapt to meet the reporting and monitoring needs of an increasingly distributed IT infrastructure.

This means CIOs can position their organizations to successfully implement programs that link disparate IT systems and the governance of policies to manage them. Most importantly, CIOs have to think in terms of processes, people, and technology, which is where the concept of GRC comes into play. GRC management programs help CIOs monitor processes related to information security management, policies, and the risk of non-compliance. They also help tie together data from other risk management technologies. Ultimately, these tools can become the systems that will best report on past performance and provide insight into future performance.

If CIOs are rethinking their own positions vis-a-vis risk, it follows that the role of the tools they implement should also evolve. GRC solutions can help fill the gap here by tying together data from monitoring tools, actions taken by system administrators, and the high-level mandates from the business. But a GRC tool will only be as good as the information you feed it. Ultimately, scalability is key: for CIOs to take on the responsibility of the CRO, they will need a GRC tool that provides both bottom-up asset risk management and top-down visibility on KRIs and other business performance dashboards.

It's important to remember that when the CIO fills the role of the CRO, he or she will be the one integrating risk management information for reporting to the board, but financial, operational, and legal data input will remain the purview of those respective C-level executives. Nevertheless, today's CIOs and CISOs are proactively taking a leadership role within their company by facilitating collaboration throughout the enterprise in order to present a unified front and relevant information to the board.